2328: restrict all /index requests to superuser
[arvados.git] / services / keep / src / keep / keep.go
index 143d290e2937298a958a7561003c9bb0d067eaad..0fdf6603c40207029d31080cf9511112682c0183 100644 (file)
@@ -335,18 +335,15 @@ func PutBlockHandler(w http.ResponseWriter, req *http.Request) {
 func IndexHandler(w http.ResponseWriter, req *http.Request) {
        prefix := mux.Vars(req)["prefix"]
 
-       // Only the data manager may issue unqualified "GET /index" requests,
+       // Only the data manager may issue /index requests,
        // and only if enforce_permissions is enabled.
-       // If the request is unauthenticated, or does not match the data manager's
-       // API token, return 403 Permission denied.
-       if prefix == "" {
-               api_token := GetApiToken(req)
-               if !enforce_permissions ||
-                       api_token == "" ||
-                       data_manager_token != GetApiToken(req) {
-                       http.Error(w, PermissionError.Error(), PermissionError.HTTPCode)
-                       return
-               }
+       // All other requests return 403 Permission denied.
+       api_token := GetApiToken(req)
+       if !enforce_permissions ||
+               api_token == "" ||
+               data_manager_token != GetApiToken(req) {
+               http.Error(w, PermissionError.Error(), PermissionError.HTTPCode)
+               return
        }
        var index string
        for _, vol := range KeepVM.Volumes() {
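Review bot: The new guard reads the request token twice — `api_token := GetApiToken(req)` is captured but the comparison on the next lines still calls `GetApiToken(req)` again, so the captured value is only used for the empty check; the comparison should be `data_manager_token != api_token`. Since this is a secret-token equality check on every /index request, a constant-time comparison is preferable to `!=`: `if !enforce_permissions || api_token == "" || subtle.ConstantTimeCompare([]byte(data_manager_token), []byte(api_token)) != 1 {` (with `crypto/subtle` imported); the `api_token == ""` check should stay, because it also rejects an unauthenticated request when `data_manager_token` is itself empty. The comment could also state the consequence more plainly, e.g. `// When enforce_permissions is off, every /index request is refused.`, since that appears to be the intended behavior rather than an open index. IndexHandler's body continues past the end of the hunk.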