diff options
Diffstat (limited to 'weed/s3api/auth_credentials.go')
| -rw-r--r-- | weed/s3api/auth_credentials.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 378788084..3f4670a7e 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -582,7 +582,9 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) // - No policy or indeterminate → fall through to IAM checks if iam.policyEngine != nil && bucket != "" { principal := buildPrincipalARN(identity) - // Evaluate bucket policy (objectEntry nil - not yet fetched at auth time) + // Phase 1: Evaluate bucket policy without object entry. + // Tag-based conditions (s3:ExistingObjectTag) are re-checked by handlers + // after fetching the entry, which is the Phase 2 check. allowed, evaluated, err := iam.policyEngine.EvaluatePolicy(bucket, object, string(action), principal, r, nil) if err != nil { |