Fix - list_buckets allowing unauthorized bucket access

Signed-off-by: Aayush Chouhan <achouhan@redhat.com>

Author: aayushchouhan09

src/server/system_services/bucket_server.js

@@ -1057,8 +1057,13 @@ async function list_buckets(req) {
     let continuation_token = req.rpc_params?.continuation_token;
     const max_buckets = req.rpc_params?.max_buckets;
 
-    const accessible_bucket_list = system_store.data.buckets.filter(
-        async bucket => await req.has_s3_bucket_permission(bucket, "s3:ListBucket", req) && !bucket.deleting
+    const accessible_bucket_list = [];
+    await Promise.all(
+        system_store.data.buckets.map(async bucket => {
+            if (bucket.deleting) return;
+            const has_permission = await req.has_s3_bucket_permission(bucket, "s3:ListBucket", req);
+            if (has_permission) accessible_bucket_list.push(bucket);
+        })
     );
 
     accessible_bucket_list.sort((a, b) => a.name.unwrap().localeCompare(b.name.unwrap()));