diff options
Diffstat (limited to 'weed/s3api/auth_credentials.go')
| -rw-r--r-- | weed/s3api/auth_credentials.go | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index b5824f2d1..ec9edb6a0 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -582,8 +582,10 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) // - No policy or indeterminate → fall through to IAM checks if iam.policyEngine != nil && bucket != "" { principal := buildPrincipalARN(identity) - // Use context-aware policy evaluation to get the correct S3 action - allowed, evaluated, err := iam.policyEngine.EvaluatePolicyWithContext(bucket, object, string(action), principal, r) + // Evaluate bucket policy with request context for accurate action resolution + // Note: objectEntry is nil here as we don't have the entry at auth time + // For tag-based conditions to work, the caller should re-evaluate with entry after fetching it + allowed, evaluated, err := iam.policyEngine.EvaluatePolicy(bucket, object, string(action), principal, r, nil) if err != nil { // SECURITY: Fail-close on policy evaluation errors |