Conversation
|
This eliminates the ability to enable or disable files entirely, or makes it only pretend to do those things, which would not meet the need. A better approach would be to look at what's done in the local and azure storage backends, both of which handle disabling access by hashing the filename in a secure way. Ideally that approach should be made available globally with reusable logic. |
boutell
left a comment
boutell
left a comment
There was a problem hiding this comment.
Thanks for contributing!
Unfortunately this eliminates the ability to enable or disable files entirely, or makes it only pretend to do those things, which would not meet the need.
A better approach would be to look at what's done in the local and azure storage backends, both of which handle disabling access by hashing the filename in a secure way.
Ideally that approach should be made available globally with reusable logic.
|
(Submissions must also pass the test suite.) |
|
Hi @boutell — I've refactored the approach based on your feedback: disable() and enable() now use filename hashing via utils.getDisabledPath() when disabledFileKey is set — same pattern as the local and azure backends Please let me know if this approach looks good and I'll update the changelog and tests too! |
|
Sounds promising. We'll check it out in a week and a half or so, I am on
vacation.
Thank you!
THOMAS BOUTELL | CHIEF EXECUTIVE OFFICER
APOSTROPHECMS | apostrophecms.com | he/him/his
…On Sun, May 17, 2026, 3:48 AM Anjali ray ***@***.***> wrote:
*anjali-rayy* left a comment (apostrophecms/apostrophe#5411)
<#5411 (comment)>
Hi @boutell <https://github.com/boutell> — I've refactored the approach
based on your feedback:
disable() and enable() now use filename hashing via
utils.getDisabledPath() when disabledFileKey is set — same pattern as the
local and azure backends
Old ACL-based path kept as fallback for backward compatibility
copyIn now also skips ACL param when bucketObjectsACL: false
Please let me know if this approach looks good and I'll update the
changelog and tests too!
—
Reply to this email directly, view it on GitHub
<#5411 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAH27NPCJEDA36KFJTLRL343CZWJAVCNFSM6AAAAACY4ZDHDOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DINRXG44TKNZXGA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
ghost
force-pushed
the
fix/s3-skip-acl-when-disabled
branch
from
7d318cf to
c6ea971
Compare
|
Hi @boutell — I've updated the PR with the filename hashing approach using utils.getDisabledPath() for disable/enable, same as the local and azure backends, with ACL fallback for backward compatibility. |
boutell
left a comment
boutell
left a comment
There was a problem hiding this comment.
We'll need test coverage showing the tests work with or without this option. Also a minor nitpick about code formatting.
We're also going to need to think about a migration path, but this is fine for new projects as written, so I won't hold you up for that.
| if (self.options.disabledFileKey) { | ||
| const dPath = utils.getDisabledPath(path, self.options.disabledFileKey); | ||
| return self._copyObject(dPath, path, function(err) { | ||
| if (err) return callback(err); |
There was a problem hiding this comment.
Please follow the convention (no single-line statements in if, use {})
ghost
closed this by deleting the head repository
1 participant
Summary
Fixes uploads failing with
AccessControlListNotSupportedon S3 bucketswith
BucketOwnerEnforcedpolicy. Since April 2023, AWS S3 creates all newbuckets with ACLs disabled by default, but
lib/storage/s3.jsalways sentACL headers in every request with no way to disable them.
When
bucketObjectsACL: falseis passed, ACL headers are now skippedentirely in
copyIn,enable, anddisablecalls.Closes #5366
What are the specific steps to test this change?
ObjectOwnership: BucketOwnerEnforced(default since April 2023)bucketObjectsACL: falseanddisabledBucketObjectsACL: falsepublic-readdefault behaviorWhat kind of change does this PR introduce?
Make sure the PR fulfills these requirements:
Other information:
Note: I have not updated the changelog or tests yet —
happy to do so if the maintainers approve this approach first.