* fix: ListBuckets returns empty for users with bucket-specific permissions (#7796)
The ListBucketsHandler was using sequential AND logic where ownership check
happened before permission check. If a user had 'List:bucketname' permission
but didn't own the bucket (different AmzIdentityId or missing owner metadata),
the bucket was filtered out before the permission check could run.
Changed to OR logic: a bucket is now visible if the user owns it OR has
explicit permission to list it. This allows users with bucket-specific
permissions like 'List:geoserver' to see buckets they have access to,
even if they don't own them.
Changes:
- Modified ListBucketsHandler to check both ownership and permission,
including bucket if either check passes
- Renamed isBucketVisibleToIdentity to isBucketOwnedByIdentity for clarity
- Added comprehensive tests in TestListBucketsIssue7796
Fixes#7796
* address review comments: optimize permission check and add integration test
- Skip permission check if user is already the owner (performance optimization)
- Add integration test that simulates the complete handler filtering logic
to verify the combination of ownership OR permission check works correctly
* add visibility assertions to each sub-test for self-contained verification
Each sub-test now verifies the final outcome using isOwner || canList logic,
making tests more robust and independently verifiable.
see https://blog.aqwari.net/xml-schema-go/
1. go get aqwari.net/xml/cmd/xsdgen
2. Add EncodingType element for ListBucketResult in AmazonS3.xsd
3. xsdgen -o s3api_xsd_generated.go -pkg s3api AmazonS3.xsd
4. Remove empty Grantee struct in s3api_xsd_generated.go
5. Remove xmlns: sed s'/http:\/\/s3.amazonaws.com\/doc\/2006-03-01\/\ //' s3api_xsd_generated.go
a77b145590