Static object session with search verb allows to search all objects in container

[abereziny]

1. Have 3 objects in container (oid1, oid2, oid3)
2. Create static session with search verb for 2 objects in container

{
    "body": {
        "id": "GA38eKGHSxK6dCrrIcNOCA==",
        "ownerID": {
            "value": "<owner_id>"
        },
        "lifetime": {
            "exp": "100000000",
            "nbf": "0",
            "iat": "0"
        },
        "sessionKey": "<session_key_of_user_wallet>",
        "object": {
            "verb": "SEARCH",
            "target": {
                "container": {
                    "value": "<container_id>"
                },
                "objects": [
                    {
                        "value": "<oid1>"
                    },
                    {
                        "value": "<oid2>"
                    }
                ]
            }
        }
    }
}

3. Sign token
4. Using signed token as static session make search request

Expected Behavior

Search should return only objects allowed in static session: oid1 and oid2

Current Behavior

Search returns all objects in container: oid1, oid2, oid3

Which makes user with limited rights to scan whole container.

Autotest

in feature branch
https://github.com/abereziny/neofs-testcases/tree/feature/abereziny-add-object-static-session-tests
testsuites.session_token.test_object_session_token#test_static_session_search

[fyrchik]

I see no value in this restriction:

1. SEARCH command is used to find all objects with some property. If the set of objects is known beforehand, this can trivially be done with GET.
2. Even more than that, SEARCH will probably visit all container nodes but with GET we likely know the precise location of all objects.
3. We usually use target field for restricting input operations, here we restrict the result, because search has no parameters.

[roman-khimov]

Should be documented somewhere.