From c0681c0b90d789a4e2a811e73f8bf9843df4e71a Mon Sep 17 00:00:00 2001
From: schererleander <leander@schererleander.de>
Date: Fri, 24 Oct 2025 20:17:59 +0200
Subject: fix profile avatar policy

---
 docker-compose.yml         |  9 ++++++---
 profile-avatar-policy.json | 15 +++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 profile-avatar-policy.json

diff --git a/docker-compose.yml b/docker-compose.yml
index f0c716d..c9bd126 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -45,13 +45,16 @@ services:
     environment:
       MINIO_ROOT_USER: ${MINIO_ROOT_USER}
       MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
+    volumes:
+      - ./profile-avatar-policy.json:/config/profile-avatar-policy.json:ro
     entrypoint: >
       /bin/sh -c "
-        mc alias set myminio http://minio:9000 \$MINIO_ROOT_USER \$MINIO_ROOT_PASSWORD &&
+        mc alias set myminio http://minio:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD &&
         mc mb --ignore-existing myminio/storage &&
         echo 'Created storage bucket' &&
-        mc anonymous set myminio/storage/users/*/profile/avatar_*.webp download &&
-        echo 'Applied custom profile-image policy' &&
+        # Set the JSON policy directly on the bucket
+        mc anonymous set-json /config/profile-avatar-policy.json myminio/storage &&
+        echo 'Applied anonymous bucket policy' &&
         echo 'MinIO initialization complete'
       "
     restart: "no"
diff --git a/profile-avatar-policy.json b/profile-avatar-policy.json
new file mode 100644
index 0000000..7f2ec04
--- /dev/null
+++ b/profile-avatar-policy.json
@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::storage/users/*/profile/avatar_*.webp"
+      ],
+			"Principal": "*"
+    }
+  ]
+}
-- 
cgit v1.3.1