From 9ed7edaaf7a94f21ac84df91bceb3576ba8b784b Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski
Date: Wed, 30 Nov 2016 17:49:25 +0100
Subject: [PATCH] rgw: implement the basic security check for BulkUpload of Swift API.

Signed-off-by: Radoslaw Zarzynski
---
 src/rgw/rgw_op.cc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 9db697a5ac89a..9cb6910598321 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -5500,6 +5500,26 @@ void RGWBulkDelete::execute()

 int RGWBulkUploadOp::verify_permission()
 {
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
+ }
+
+ if (! verify_user_permission(s, RGW_PERM_WRITE)) {
+ return -EACCES;
+ }
+
+ if (s->user->user_id.tenant != s->bucket_tenant) {
+ ldout(s->cct, 10) << "user cannot create a bucket in a different tenant"
+ << " (user_id.tenant=" << s->user->user_id.tenant
+ << " requested=" << s->bucket_tenant << ")"
+ << dendl;
+ return -EACCES;
+ }
+
+ if (s->user->max_buckets < 0) {
+ return -EPERM;
+ }
+
 return 0;
 }

--
2.39.5
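Review bot: The checks added to `RGWBulkUploadOp::verify_permission()` gate the request as a whole (caller identity, user-level write permission, tenant, `max_buckets < 0`), but nothing here authorises the individual containers and objects named inside the uploaded archive. The bucket ACL, the bucket-count limit and quota therefore still have to be enforced for each entry as it is processed, presumably in `execute()`, which is outside this hunk. `max_buckets < 0` in particular appears to cover only the case where bucket creation is disabled, not a user who has already reached a positive limit. I would record that contract at the top of the function, e.g. `// Request-level gate only: per-entry bucket ACL, bucket-count and quota checks are enforced while the archive is processed.` Separately, the anonymous and `verify_user_permission` branches return `-EACCES` without an `ldout`, unlike the tenant branch; a level-10 log line on each would make denied bulk uploads easier to trace.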