'ACL' statement on default in ObjectUploader, not supported anymore by AWS S3.

[JortJacobs]

Describe the bug

Creating a folder via OctoberCMS results in ACL complaints since it is not being supported anymore.
This is related to the following file + line-item, containing 'ACL' statements:

aws-sdk-php/src/S3/ObjectUploader.php

Line 89 in 058611b

'ACL' => $this->acl,

.

Please remove that.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

ObjectUploader to work.

Current Behavior

It does not work.

Reproduction Steps

Call the function.

Possible Solution

No response

Additional Information/Context

No response

SDK version used

Latest.

Environment details (Version of PHP (php -v)? OS name and version, etc.)

8.3.6

[RanVaknin]

Hi @JortJacobs ,

ACLs being disabled by default is the expected and documented behavior and is controlled via the S3 service, not the SDK.

Please refer to:
Blogpost
S3 Notice
S3 docs

Thanks,
Ran~

[stobrien89]

Just wanted to chime in: the above only applies to buckets created on or after April 2023. Newly created buckets can be configured to enable ACLs, but ACLs no longer fall into S3's recommended security best practices. The SDK still sets a default ACL of private in the ObjectUploader class, which is legacy behavior that still works. We left this in place for backward compatibility reasons. S3 still allows private ACLs.

It sounds like OctoberCMS has a high-level filesystem abstraction over the SDK/S3 that relies on ACLs. If they are defaulting to anything other than private, they'll need to change that.

[github-actions]

This issue has not recieved a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.