always evaluate policies in backbeat routes

Kerkesni · Kerkesni · commit 7fd90d115acb · 2025-08-26T12:58:31.000+02:00
Issue: CLDSRV-731
diff --git a/lib/routes/routeBackbeat.js b/lib/routes/routeBackbeat.js
@@ -1596,17 +1596,8 @@ function routeBackbeat(clientIP, request, response, log) {
                 request.accountQuotas = infos?.accountQuota;
                 return next(err, userInfo, authorizationResults);
             }, 's3', requestContexts),
-        (userInfo, authorizationResults, next) => {
-            // Using the same flag used to bypass user bucket policies
-            // for internal mode, so that we can bypass policy evaluation
-            // on backbeat routes. This ensures we don't break operations
-            // coming from internal services like backbeat
-            if (request.bypassUserBucketPolicies) {
-                return next(null, userInfo);
-            }
-            return handleAuthorizationResults(
-                request, authorizationResults, apiMethods[0], undefined, log, err => next(err, userInfo));
-        },
+        (userInfo, authorizationResults, next) => handleAuthorizationResults(
+                request, authorizationResults, apiMethods[0], undefined, log, err => next(err, userInfo)),
         (userInfo, next) => {
             // TODO: understand why non-object requests (batchdelete) were not authenticated
             if (!isObjectRequest) {
diff --git a/tests/unit/routes/routeBackbeat.js b/tests/unit/routes/routeBackbeat.js
@@ -1012,28 +1012,6 @@ describe('routeBackbeat authorization', () => {
                 const err = JSON.parse(response.end.getCall(0).args[0]);
                 assert.strictEqual(err.code, 'AccessDenied');
             });
-
-            it('should bypass policy evaluation', async () => {
-                sinon.stub(auth.server, 'doAuth').yields(null, new AuthInfo({
-                    canonicalID: 'abcdef/lifecycle',
-                    accountDisplayName: 'Lifecycle Service Account',
-                }), [{
-                    isAllowed: false,
-                    implicitDeny: true,
-                    action: 'objectReplicate',
-                }], undefined, undefined);
-
-                request.bypassUserBucketPolicies = true;
-
-                routeBackbeat('127.0.0.1', request, response, log);
-
-                void await endPromise;
-
-                if (testCase.expect) {
-                    const errCode = response.writeHead.getCall(0).args[0];
-                    assert.strictEqual(errCode, testCase.expect.code);
-                }
-            });
         });
     });
 });
