Skip to content

Commit

Permalink
fix: evaluate BypassGov policy action in deletion correctly (#16635)
Browse files Browse the repository at this point in the history
  • Loading branch information
@vadmeste
vadmeste committed Feb 17, 2023
1 parent e1e9ddd commit a7188bc
Showing 1 changed file with 2 additions and 5 deletions.
7 changes: 2 additions & 5 deletions cmd/bucket-object-lock.go
View file
Expand Up @@ -156,11 +156,8 @@ func enforceRetentionBypassForDelete(ctx context.Context, r *http.Request, bucke
return ErrNone
}
// https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html#object-lock-retention-modes
// If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention
// or s3:GetBucketObjectLockConfiguration permissions, the operation will succeed.
govBypassPerms1 := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName)
govBypassPerms2 := checkRequestAuthType(ctx, r, policy.GetBucketObjectLockConfigurationAction, bucket, object.ObjectName)
if govBypassPerms1 != ErrNone && govBypassPerms2 != ErrNone {
// If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention, the operation will succeed.
if checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName) != ErrNone {
return ErrAccessDenied
}
}
Expand Down

0 comments on commit a7188bc

Please sign in to comment.