fix: allow accountInfo with creds with parentUsers (#11568)

4 years ago · 95e0acbb26
parent 55037e6e54
commit 95e0acbb26
2 changed files with 20 additions and 10 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -725,10 +725,6 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 	}

 	accountName := cred.AccessKey
-	if cred.ParentUser != "" {
-		accountName = cred.ParentUser
-	}
-
 	policies, err := globalIAMSys.PolicyDBGet(accountName, false)
 	if err != nil {
 		logger.LogIf(ctx, err)
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1703,27 +1703,41 @@ func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
 // This call assumes that caller has the sys.RLock()
 func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 	if isGroup {
-		if _, ok := sys.iamGroupsMap[name]; !ok {
+		g, ok := sys.iamGroupsMap[name]
+		if !ok {
 			return nil, errNoSuchGroup
 		}

+		// Group is disabled, so we return no policy - this
+		// ensures the request is denied.
+		if g.Status == statusDisabled {
+			return nil, nil
+		}
+
 		mp := sys.iamGroupPolicyMap[name]
 		return mp.toSlice(), nil
 	}

 	// When looking for a user's policies, we also check if the
 	// user and the groups they are member of are enabled.
-	if u, ok := sys.iamUsersMap[name]; !ok {
+	u, ok := sys.iamUsersMap[name]
+	if !ok {
 		return nil, errNoSuchUser
-	} else if u.Status == statusDisabled {
-		// User is disabled, so we return no policy - this
-		// ensures the request is denied.
+	}
+
+	if !u.IsValid() {
 		return nil, nil
 	}

 	var policies []string

-	mp := sys.iamUserPolicyMap[name]
+	mp, ok := sys.iamUserPolicyMap[name]
+	if !ok {
+		if u.ParentUser != "" {
+			mp = sys.iamUserPolicyMap[u.ParentUser]
+		}
+	}
+
 	// returned policy could be empty
 	policies = append(policies, mp.toSlice()...)