From: Enming.Zhang
Date: Tue, 27 Nov 2018 11:41:56 +0000 (-0500)
Subject: rgw: cleanup for RGWDeleteObj::verify_permission()
X-Git-Tag: v14.1.0~216^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=86334645cf96c03515d30804e2df0bdf22916fb5;p=ceph.git
rgw: cleanup for RGWDeleteObj::verify_permission()
- if the 'Effect' field of user policy and bucket policy is set to 'Allow', RGWDeleteObj::verify_permission() should return 0 instead of true;
- as the same with bucket policy, if the 'Effect' field of user policy is set to 'Deny', RGWDeleteObj::verify_permission() should return -EACCES instead of false;
Signed-off-by: Enming.Zhang
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index d5d0211fa6396..37e45ec0374d7 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -4275,7 +4275,7 @@ int RGWDeleteObj::verify_permission()
 rgw::IAM::s3DeleteObjectVersion,
 ARN(s->bucket, s->object.name));
 if (usr_policy_res == Effect::Deny) {
- return false;
+ return -EACCES;
 }
 auto r = s->iam_policy->eval(s->env, *s->auth.identity,
 s->object.instance.empty() ?
@@ -4283,11 +4283,11 @@ int RGWDeleteObj::verify_permission()
 rgw::IAM::s3DeleteObjectVersion,
 ARN(s->bucket, s->object.name));
 if (r == Effect::Allow)
- return true;
+ return 0;
 else if (r == Effect::Deny)
 return -EACCES;
 else if (usr_policy_res == Effect::Allow)
- return true;
+ return 0;
 }
 if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
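Review bot: The `return false;` to `return -EACCES;` change in the first hunk is a behaviour change to an authorization decision rather than a cleanup, and it lands without a regression test or a comment stating the return contract. In a function declared `int`, `false` converts to 0, the same value the second hunk now returns for Allow, so an explicit user-policy Deny was presumably reported as success to any caller that only tests for a negative result (the caller is not in this diff). I would add a test that a user policy with a Deny effect on object deletion makes the request fail with an access-denied error, and a line above the function such as `// Returns 0 when the request is permitted, a negative errno (-EACCES) when it is denied.` Other `verify_permission()` overrides in rgw_op.cc may carry the same bool-in-int returns and are worth checking; the function body starts and ends outside the hunk.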
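Review bot: The braceless `if` / `else if` chain in the second hunk encodes the policy precedence only implicitly, and nothing states what happens when neither policy matches. As written, a bucket-policy Allow or Deny is decided first, a user-policy Allow is honoured only when the bucket policy passes, and a Pass from both falls through to `verify_bucket_permission_no_policy()`. I would brace the three branches and put a comment above them, e.g. `// bucket policy decides first; user-policy Allow applies only on Pass; otherwise fall back to the ACL check`. The enclosing block opens above the hunk, so whatever guard makes `s->iam_policy` safe to dereference is not visible here.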