Delete blob content without 'Delete' permissions using shared access signature

  • Question

  • Hi,

    I'm using Azure blob storage for storing data from clients.

    Clients are given a shared access signature with NO 'Delete' permission.

    Nevertheless, I can delete a blob's content without the 'Delete' permission with the following code:

    // Namespaces the snippet relies on (Azure Storage client library for .NET, C#).
    using System;
    using System.Collections.Generic;
    using System.Globalization;
    using System.IO;
    using System.Linq;
    using System.Text;
    using Microsoft.WindowsAzure.Storage.Auth;
    using Microsoft.WindowsAzure.Storage.Blob;

    // Supplied by the caller: sharedKey is the SAS token (it does NOT contain the 'Delete'
    // permission), blobPath is the blob's Uri, formattedEvent is the text to store.
    var credentials = new StorageCredentials(sharedKey);
    var blob = new CloudBlockBlob(blobPath, credentials);
    var blockIds = new List<string>();

    // PutBlockList commits exactly the ids listed. If the currently committed block ids
    // are not fetched and re-listed, all current data will be lost.
    // if (blob.Exists())
    // {
    //     blockIds.AddRange(blob.DownloadBlockList().Select(b => b.Name));
    // }

    // Block ids must be base64 strings of equal length within a blob; a zero-padded counter works.
    var blockId =
        Convert.ToBase64String(
            Encoding.Default.GetBytes(blockIds.Count.ToString("d6", CultureInfo.InvariantCulture)));
    blockIds.Add(blockId);

    byte[] eventInBytes = Encoding.Default.GetBytes(string.Format(CultureInfo.InvariantCulture, "{0}\n", formattedEvent));

    using (var eventStream = new MemoryStream(eventInBytes))
    {
        blob.PutBlock(blockId, eventStream, null);   // stage the block (requires Write)
    }

    blob.PutBlockList(blockIds);   // commit: only the listed blocks remain (requires Write, not Delete)

    I assume this is a defect, any way to overcome this issue?

    thanks,

    yoni.

    Thursday, January 23, 2014 7:10 AM

Answers

  • This is by design. Can you share the scenario you are trying to implement? The permissions are on API and “delete” here does not apply to the contents but to the blob’s existence. The blob contents can always be overwritten if the user has write permissions. You would need to prevent “writes” too if you do not want it to be overwritten.

    Thanks,

    Jai

    Thursday, January 23, 2014 10:25 PM
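Jai's point, that each REST operation checks one permission letter and that 'delete' guards only the blob's existence, is easier to see with a small model. The following is an added example, not code from this thread or from Azure: a toy in-memory block blob service in Python whose checks follow the mapping described above (PutBlock and PutBlockList need 'w', DeleteBlob needs 'd'); the blob name, block ids and event bytes are constructed.

```python
from dataclasses import dataclass, field
@dataclass
class BlockBlob:
    uncommitted: dict = field(default_factory=dict)  # block id -> bytes staged by PutBlock
    committed: list = field(default_factory=list)    # ordered ids from the last PutBlockList
    blocks: dict = field(default_factory=dict)       # committed block id -> bytes
    def content(self) -> bytes:
        return b"".join(self.blocks[b] for b in self.committed)

@dataclass
class ModelBlobService:
    """Toy model, not Azure's code: each API checks exactly one SAS permission letter."""
    blobs: dict = field(default_factory=dict)

    def _require(self, perms, letter, api):
        if letter not in perms:
            raise PermissionError(f"{api} needs '{letter}', SAS grants '{perms}'")

    def put_block(self, perms, name, block_id, data):
        self._require(perms, "w", "PutBlock")
        self.blobs.setdefault(name, BlockBlob()).uncommitted[block_id] = data

    def put_block_list(self, perms, name, block_ids):
        # Commits exactly the listed blocks; any committed block not re-listed is dropped.
        self._require(perms, "w", "PutBlockList")
        blob = self.blobs[name]
        staged = {**blob.blocks, **blob.uncommitted}
        blob.blocks = {b: staged[b] for b in block_ids}
        blob.committed, blob.uncommitted = list(block_ids), {}

    def delete_blob(self, perms, name):
        self._require(perms, "d", "DeleteBlob")  # the only API 'd' guards
        del self.blobs[name]

def demo():
    svc, owner, client = ModelBlobService(), "rwd", "rw"  # client SAS lacks 'd'
    svc.put_block(owner, "events", "000000", b"event 1\n")
    svc.put_block_list(owner, "events", ["000000"])
    # Cooperative append, as in the question's commented-out code: re-list the committed ids.
    svc.put_block(client, "events", "000001", b"event 2\n")
    svc.put_block_list(client, "events", svc.blobs["events"].committed + ["000001"])
    out = {"after_append": svc.blobs["events"].content()}
    try:
        svc.delete_blob(client, "events")
    except PermissionError:
        out["delete_denied"] = True
    # The same 'w' lets the client commit an empty list: contents gone, blob still exists.
    svc.put_block_list(client, "events", [])
    out["after_truncate"] = (svc.blobs["events"].content(), "events" in svc.blobs)
    return out
```

The service sees no difference between the cooperative append and the truncation: both are PutBlockList calls authorised by 'w', which is why withholding 'd' alone cannot make a SAS append-only.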

All replies

  • This is very strange behavior - if the user overwrites the blob content with an empty string it is equal to deleting the blob (empty blob == no blob at all).

    The scenario is that I have a PS client that writes to the blob.
    I don't want it to be able to delete content, but only to append.

    The expected behavior is that if the client doesn't have delete permission - it can only append and not overwrite...

    Thursday, January 30, 2014 1:37 PM