changes to put and get permissions on folders

Author: TimCsaky

app/src/components/constants.js

@@ -57,7 +57,7 @@ module.exports = Object.freeze({
   /** Maximum Content Length supported by S3 CopyObjectCommand */
   MAXCOPYOBJECTLENGTH: 5 * 1024 * 1024 * 1024, // 5 GB
 
-  /** Maximum Content Length supported by S3 CopyObjectCommand */
+  /** Maximum Content Length (file size) supported by S3 */
   MAXFILEOBJECTLENGTH: 5 * 1024 * 1024 * 1024 * 1024, // 5 TB
 
   /** Allowable values for the Metadata Directive parameter */

app/src/components/queueManager.js

@@ -58,6 +58,7 @@ class QueueManager {
     if (!this.isBusy && !this.toClose) {
       objectQueueService.queueSize().then(size => {
         if (size > 0) this.processNextJob();
+        // if (size > 0);
       }).catch((err) => {
         log.error(`Error encountered while checking queue: ${err.message}`, { function: 'checkQueue', error: err });
       });

app/src/controllers/bucket.js

@@ -9,6 +9,7 @@ const log = require('../components/log')(module.filename);
 const {
   addDashesToUuid,
   getCurrentIdentity,
+  getBucket,
   isTruthy,
   joinPath,
   mixedQueryToArray,
@@ -323,6 +324,42 @@ const controller = {
     }
   },
 
+
+  /**
+   * @function togglePublic
+   * Sets the public flag of a bucket (or folder)
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async togglePublic(req, res, next) {
+    try {
+      const bucketId = addDashesToUuid(req.params.bucketId);
+      const publicFlag = isTruthy(req.query.public) ?? false;
+      const userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER), SYSTEM_USER);
+
+      const bucket = await getBucket(bucketId);
+      const data = {
+        bucketId: bucketId,
+        path: bucket.key + '/',
+        public: publicFlag,
+        userId: userId
+      };
+      await storageService.updatePublic(data).catch(() => {
+        log.warn('Failed to apply permission changes to S3', { function: 'togglePublic', ...data });
+      });
+      s3Public = await storageService.getPublic({ path: data.path, bucketId: bucketId });
+
+      const response = await bucketService.update(data);
+
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+
   /**
    * @function updateBucket
    * Updates a bucket

app/src/controllers/object.js

@@ -1076,19 +1076,17 @@ const controller = {
       const data = {
         id: objId,
         bucketId: req.currentObject?.bucketId,
-        filePath: req.currentObject?.path,
+        path: req.currentObject?.path,
         public: publicFlag,
         userId: userId,
-        // TODO: Implement if/when we proceed with version-scoped public permission management
-        // s3VersionId: await getS3VersionId(
-        //   req.query.s3VersionId, addDashesToUuid(req.query.versionId), objId
-        // )
       };
 
-      storageService.updatePublicPermissions(data).catch(() => {
-        // Gracefully continue even when S3 ACL management operation fails
+      await storageService.updatePublic(data).catch(() => {
         log.warn('Failed to apply permission changes to S3', { function: 'togglePublic', ...data });
       });
+
+      s3Public = await storageService.getPublic({ path: data.path, bucketId: req.currentObject?.bucketId });
+
       const response = await objectService.update(data);
 
       res.status(200).json(response);

app/src/db/migrations/20250422000000_016-bucket-public.js

@@ -0,0 +1,15 @@
+exports.up = function (knex) {
+  return Promise.resolve()
+    // add public column to bucket table
+    .then(() => knex.schema.alterTable('bucket', table => {
+      table.boolean('public').notNullable().defaultTo(false);
+    }));
+};
+
+exports.down = function (knex) {
+  return Promise.resolve()
+    // drop public column in bucket table
+    .then(() => knex.schema.alterTable('bucket', table => {
+      table.dropColumn('public');
+    }));
+};

app/src/db/models/tables/bucket.js

@@ -99,6 +99,7 @@ class Bucket extends mixin(Model, [
         region: { type: 'string', maxLength: 255 },
         active: { type: 'boolean' },
         lastSyncRequestedDate: { type: ['string', 'null'], format: 'date-time' },
+        public: { type: 'boolean' },
         ...stamps
       },
       additionalProperties: false

app/src/middleware/authorization.js

@@ -4,6 +4,7 @@ const log = require('../components/log')(module.filename);
 const { AuthMode, AuthType, Permissions } = require('../components/constants');
 const {
   getAppAuthMode,
+  getBucket,
   getCurrentIdentity,
   getConfigBoolean,
   mixedQueryToArray, stripDelimit } = require('../components/utils');
@@ -106,6 +107,12 @@ const checkS3BasicAccess = async (req, _res, next) => {
   next();
 };
 
+// get public boolean from COMS object or parent bucket record
+const _checkPublic = async (currentObject) => {
+  const bucket = await getBucket(currentObject.bucketId);
+  return currentObject.public || bucket.public;
+};
+
 /**
  * @function checkAppMode
  * Rejects the request if the incoming authentication mode does not match the application mode
@@ -190,7 +197,7 @@ const hasPermission = (permission) => {
         throw new Error('Missing object record');
       } else if (authType === AuthType.BASIC && canBasicMode(authMode)) {
         log.debug('Basic authTypes are always permitted', { function: 'hasPermission' });
-      } else if (req.params.objectId && req.currentObject.public && permission === Permissions.READ) {
+      } else if (req.params.objectId && await _checkPublic(req.currentObject) && permission === Permissions.READ) {
         log.debug('Read requests on public objects are always permitted', { function: 'hasPermission' });
       } else if (!await _checkPermission(req, permission)) {
         throw new Error(`User lacks required permission ${permission}`);

app/src/routes/v1/bucket.js

@@ -61,6 +61,18 @@ router.patch('/:bucketId',
   }
 );
 
+/** Sets the public flag of a bucket (or folder) */
+router.patch('/:bucketId/public',
+  requireSomeAuth,
+  bucketValidator.togglePublic,
+  hasPermission(Permissions.MANAGE),
+  (req, res, next) => {
+    bucketController.togglePublic(req, res, next);
+  }
+);
+
+
+
 /** Deletes the bucket */
 router.delete('/:bucketId',
   bucketValidator.deleteBucket,

app/src/services/bucket.js

@@ -294,7 +294,8 @@ const service = {
         region: data.region,
         active: data.active,
         updatedBy: data.userId,
-        lastSyncRequestedDate: data.lastSyncRequestedDate
+        lastSyncRequestedDate: data.lastSyncRequestedDate,
+        public: data.public
       });
 
       if (!etrx) await trx.commit();