Status: Open
Labels: bug (Something isn't working)
Description
Describe the bug
If a user does not have access to a dataset when using the "/s3" paths, sda-download returns a ListAllMyBucketsResult (ListBuckets) response listing, as buckets, all datasets the user does have access to.
Steps to reproduce
curl -H "Authorization: Bearer $token" https://download.bp.nbis.se/s3/not_dataset_exists/file_no.exists
=>
<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult><Buckets></Buckets><Owner></Owner></ListAllMyBucketsResult>
(The token used in this example does not have access to any datasets, hence the empty bucket list.)
Expected behavior
- If a user attempts to download a file which they do not have access to, or which does not exist, a 403 error code should be returned (not revealing whether the file was found or the user lacks permissions, to reduce the amount of information exposed)
- Tests verifying the fix are added
Additional context
Cause: parseParams only populates the "dataset" param in the gin context if the requested path starts with a dataset the user has access to. If the user does not have access to the dataset in the requested path, the param stays empty and the ListBuckets func is called instead.
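The following is an added illustration of the routing flaw described above and of the expected fix; it is not sda-download's own code. It uses plain functions instead of gin handlers, a constructed token-to-dataset map in place of the real token/visa lookup, and an invented dataset id "EGAD00000000001". serveS3Buggy recognises the dataset segment only when the caller may read it, so any other "/s3/<dataset>/<file>" path falls through to the bucket listing; serveS3Fixed dispatches on the request shape first and checks access second, returning the same 403 whether the dataset is unknown or merely forbidden.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of which datasets a caller may read, keyed by bearer
// token. In the real service this comes from the token's visa claims.
var tokenDatasets = map[string][]string{
	"token-alice":  {"EGAD00000000001"}, // hypothetical dataset id
	"token-nobody": {},
}

// hasAccess reports whether dataset is in the caller's allowed list.
func hasAccess(allowed []string, dataset string) bool {
	for _, d := range allowed {
		if d == dataset {
			return true
		}
	}
	return false
}

// splitS3Path splits "/s3/<dataset>/<file>" into its two parts. "/s3" or
// "/s3/" yields an empty dataset; a missing file part yields an empty file.
func splitS3Path(path string) (dataset, file string) {
	rest := strings.TrimPrefix(strings.TrimPrefix(path, "/s3"), "/")
	parts := strings.SplitN(rest, "/", 2)
	dataset = parts[0]
	if len(parts) == 2 {
		file = parts[1]
	}
	return dataset, file
}

// listBuckets builds the ListAllMyBucketsResult document from the report:
// one <Bucket> per dataset the caller may read.
func listBuckets(allowed []string) (int, string) {
	var b strings.Builder
	b.WriteString(`<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult><Buckets>`)
	for _, d := range allowed {
		fmt.Fprintf(&b, "<Bucket><Name>%s</Name></Bucket>", d)
	}
	b.WriteString(`</Buckets><Owner></Owner></ListAllMyBucketsResult>`)
	return 200, b.String()
}

// serveS3Buggy reproduces the flaw: the dataset segment is only honoured
// when the caller has access, so every other path becomes a bucket listing.
func serveS3Buggy(token, path string) (int, string) {
	allowed := tokenDatasets[token]
	dataset, file := splitS3Path(path)
	if dataset != "" && hasAccess(allowed, dataset) {
		return 200, fmt.Sprintf("object %s/%s", dataset, file)
	}
	return listBuckets(allowed)
}

// serveS3Fixed decides what the request asks for before checking access.
// Only a bare "/s3" lists buckets; a dataset path that the caller may not
// read is refused with 403, identically for unknown and forbidden datasets.
func serveS3Fixed(token, path string) (int, string) {
	allowed := tokenDatasets[token]
	dataset, file := splitS3Path(path)
	if dataset == "" {
		return listBuckets(allowed)
	}
	if !hasAccess(allowed, dataset) {
		return 403, "Forbidden"
	}
	return 200, fmt.Sprintf("object %s/%s", dataset, file)
}

func main() {
	const probe = "/s3/not_dataset_exists/file_no.exists"
	for _, tok := range []string{"token-alice", "token-nobody"} {
		code, body := serveS3Buggy(tok, probe)
		fmt.Printf("buggy %-12s %d %s\n", tok, code, body)
		code, body = serveS3Fixed(tok, probe)
		fmt.Printf("fixed %-12s %d %s\n", tok, code, body)
	}
}
```

Running main shows the leak: with the buggy dispatcher, "token-alice" asking for a non-existent dataset receives a 200 listing of EGAD00000000001, while the fixed dispatcher answers 403 for both tokens and still serves the object when the dataset is permitted.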
Estimation of size
small
Estimation of priority
medium