ST469 - apps/augmentedreality - improve minio config, use allowed_buckets for configuration (#33)

shn-liqd · web-flow · commit 89d9c713feea · 2025-07-29T06:19:17.000-07:00
diff --git a/adhocracy-plus/config/settings/local.py.template b/adhocracy-plus/config/settings/local.py.template
@@ -8,7 +8,7 @@ GEOS_LIBRARY_PATH = "/opt/homebrew/Cellar/geos/3.13.1/lib/libgeos_c.dylib"
 MINIO_DATA = {
     "endpoint": "",
     "region": "eu-central-1",
-    "bucket": "",
+    "allowed_buckets": [""],
     "accessKey": "",
     "secretKey": ""
 }
diff --git a/changelog/469.md b/changelog/469.md
@@ -0,0 +1,3 @@
+### Changed
+
+- Replace `bucket_name` with `allowed_buckets` in minio config, verifies bucket_name requested by frontend
diff --git a/util/minio_client.py b/util/minio_client.py
@@ -13,7 +13,7 @@ class MinIOClient:
     def client(self):
         if all(
             attr in settings.MINIO_DATA
-            for attr in ["endpoint", "accessKey", "secretKey"]
+            for attr in ["endpoint", "accessKey", "secretKey", "allowed_buckets"]
         ):
             return Minio(
                 settings.MINIO_DATA.get("endpoint"),
@@ -30,10 +30,16 @@ def client(self):
     def get_presigned_url(self, mesh_id, expires=timedelta(hours=1)):
         try:
             parts = mesh_id.split("/", 1)
-            object_name = parts[1]
-            return self.client.presigned_get_object(
-                settings.MINIO_DATA.get("bucket"), object_name, expires=expires
-            )
+            bucket_name = parts[0]
+            allowed_buckets = settings.MINIO_DATA.get("allowed_buckets")
+            if bucket_name in allowed_buckets:
+                object_name = parts[1]
+                return self.client.presigned_get_object(
+                    bucket_name, object_name, expires=expires
+                )
+            else:
+                logger.error(f"Access to bucket {bucket_name} is not allowed.")
+                return None
         except Exception as e:
             logger.error(f"Failed to generate presigned URL for {mesh_id}: {str(e)}")
             return None

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ GEOS_LIBRARY_PATH = "/opt/homebrew/Cellar/geos/3.13.1/lib/libgeos_c.dylib"`
`8`	`8`	`MINIO_DATA = {`
`9`	`9`	`"endpoint": "",`
`10`	`10`	`"region": "eu-central-1",`
`11`		`- "bucket": "",`
	`11`	`+ "allowed_buckets": [""],`
`12`	`12`	`"accessKey": "",`
`13`	`13`	`"secretKey": ""`
`14`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+### Changed`
	`2`	`+`
	`3`	+- Replace `bucket_name` with `allowed_buckets` in minio config, verifies bucket_name requested by frontend