Manage legacy public ACL's

Sync Bucket and Object public status
Tidy code

Author: TimCsaky

app/src/components/utils.js

@@ -98,7 +98,6 @@ const utils = {
         data.bucket = bucketData.bucket;
         data.endpoint = bucketData.endpoint;
         data.key = bucketData.key;
-        // data.public = bucketData.public;
         data.secretAccessKey = bucketData.secretAccessKey;
         if (bucketData.region) data.region = bucketData.region;
       } else if (utils.getConfigBoolean('objectStorage.enabled')) {
@@ -496,7 +495,7 @@ const utils = {
 
   /**
    * @function stripDelimit
-   * Yields a string `s` that will never have a trailing delimiter. Returns an empty string if falsy.
+   * Yields a string `s` that will never have a trailing delimiter.
    * @param {string} s The input string
    * @returns {string} The string `s` without the trailing delimiter, or an empty string.
    */
@@ -505,6 +504,23 @@ const utils = {
     else return '';
   },
 
+  /**
+   * @function trimResourcePath
+   * Yields a string `s` without trailing delimiters or asterixes.
+   * @param {string} s The input string
+   * @returns {string} The string `s` without trailing delimiters or asterix, or an empty string.
+   */
+  trimResourcePath(s) {
+    switch (true) {
+      case s.endsWith(DELIMITER):
+        return utils.stripDelimit(s.slice(0, -1));
+      case s.endsWith(DELIMITER + '*'):
+        return utils.stripDelimit(s.slice(0, -2));
+      default:
+        return s;
+    }
+  },
+
   /**
    * @function toLowerKeys
    * Converts all key names for all objects in an array to lowercase

app/src/controllers/bucket.js

@@ -361,7 +361,7 @@ const controller = {
       };
       // Update S3 Policy
       await storageService.updatePublic(data).catch((e) => {
-        log.warn('Failed to apply permission changes to S3' + e, { function: 'togglePublic', ...data });
+        log.warn('Failed to apply permission changes to S3 ' + e, { function: 'togglePublic', ...data });
       });
 
       // Child bucket cannot be non-public when parent is public

app/src/controllers/object.js

@@ -1034,8 +1034,6 @@ const controller = {
    * @returns {function} Express middleware function
    */
   async searchObjects(req, res, next) {
-    // TODO: Consider support for filtering by set of permissions?
-    // TODO: handle additional parameters. Eg: deleteMarker, latest
     try {
       const bucketIds = mixedQueryToArray(req.query.bucketId);
       const objIds = mixedQueryToArray(req.query.objectId);

app/src/db/migrations/20250812000000_017-bucket-public.js

@@ -1,16 +1,5 @@
 exports.up = function (knex) {
   return Promise.resolve()
-    // // allow null for object.public
-    // .then(() => knex.schema.alterTable('object', table => {
-    //   table.boolean('public').nullable().alter();
-    // }))
-    // // where object.public is false, set to null
-    // .then(() => knex('object')
-    //   .where({ 'public': false })
-    //   .update({ 'public': null }))
-    // .then(() => knex.schema.alterTable('object', table => {
-    //   table.boolean('public').nullable().alter();
-    // }))
     // add public column to bucket table
     .then(() => knex.schema.alterTable('bucket', table => {
       table.boolean('public').notNullable().defaultTo(false);
@@ -23,13 +12,4 @@ exports.down = function (knex) {
     .then(() => knex.schema.alterTable('bucket', table => {
       table.dropColumn('public');
     }));
-  // // where object.public is null, set to false
-  // .then(() => knex('object')
-  //   .where({ 'public': null })
-  //   .update({ 'public': false }))
-
-  // disallow null for object.public
-  // .then(() => knex.schema.alterTable('object', table => {
-  //   table.boolean('public').notNullable().defaultTo(false).alter();
-  // }));
 };

app/src/middleware/authorization.js

@@ -298,38 +298,11 @@ const isBucketPublic = async (bucketId) => {
   return false;
 };
 
-// alternative approach
-// Route middleware to check if requested bucket is public
-// const isBucketPublic = async (req, _res, next) => {
-//   // if an unauthenticated request
-//   if (!req.currentUser || req.currentUser.authType === AuthType.NONE) {
-//     // if providing a single bucketId in query
-//     if (mixedQueryToArray(req.query.bucketId).length === 1) {
-//       const bucket = await bucketService.read(req.query.bucketId);
-//       // and bucket public is truthy
-//       if (!bucket.public) {
-//         return next(new Problem(403, {
-//           detail: 'Bucket is not public',
-//           instance: req.originalUrl
-//         }));
-//       }
-//     }
-//   }
-//   else {
-//     return next(new Problem(403, {
-//       detail: 'User lacks permission to complete this action',
-//       instance: req.originalUrl
-//     }));
-//   }
-//   next();
-// };
-
 module.exports = {
   _checkPermission,
   checkAppMode,
   checkElevatedUser,
   checkS3BasicAccess,
-  // checkGrantingPermittedPermissions
   currentObject,
   hasPermission,
   isBucketPublic,

app/src/services/bucket.js

@@ -272,7 +272,6 @@ const service = {
    * @throws If there are no records found
    */
   searchParentBuckets: async (bucket, returnPermissions = false, userId, etrx = undefined) => {
-
     let trx;
     try {
       trx = etrx ? etrx : await Bucket.startTransaction();