POST for creating an upload job for an existing object only works for object owner

informatics-isi-edu / hatrac

Simple object storage for collaborations

Apache License 2.0

3 stars 1 forks source link

POST for creating an upload job for an existing object only works for object owner #40

Closed mikedarcy closed 7 years ago

mikedarcy commented 7 years ago

When creating an upload job for an existing object, a 403 is returned unless the user is the object owner. Shouldn't this work for users that have write access to the object (or equivalent inherited permissions) as well?

karlcz commented 7 years ago

Yeah, I can see this difference in enforcement in the code. I agree it seems like upload jobs should have same privilege level as synchronous updates. I think we were too conservative when we added this code. I think they have the same trust level as far as eventual effect on the object and in terms of resource consumption.

karlcz commented 7 years ago

@mikedarcy I just pushed the small change to master. Please test and review.

mikedarcy commented 7 years ago

Works fine, thanks.