fix: allow accountInfo with creds with parentUsers (#11568)

4 years ago · 95e0acbb26
parent 55037e6e54
commit 95e0acbb26
2 changed files with 20 additions and 10 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -725,10 +725,6 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 	}
 	accountName := cred.AccessKey
 	if cred.ParentUser != "" {
 		accountName = cred.ParentUser
 	}
 	policies, err := globalIAMSys.PolicyDBGet(accountName, false)
 	if err != nil {
 		logger.LogIf(ctx, err)
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1703,27 +1703,41 @@ func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
 // This call assumes that caller has the sys.RLock()
 func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 	if isGroup {
-		if _, ok := sys.iamGroupsMap[name]; !ok {
+		g, ok := sys.iamGroupsMap[name]
 		if !ok {
 			return nil, errNoSuchGroup
 		}
 		// Group is disabled, so we return no policy - this
 		// ensures the request is denied.
 		if g.Status == statusDisabled {
 			return nil, nil
 		}
 		mp := sys.iamGroupPolicyMap[name]
 		return mp.toSlice(), nil
 	}
 	// When looking for a user's policies, we also check if the
 	// user and the groups they are member of are enabled.
-	if u, ok := sys.iamUsersMap[name]; !ok {
+	u, ok := sys.iamUsersMap[name]
 	if !ok {
 		return nil, errNoSuchUser
-	} else if u.Status == statusDisabled {
+	}
-		// User is disabled, so we return no policy - this
+
-		// ensures the request is denied.
+	if !u.IsValid() {
 		return nil, nil
 	}
 	var policies []string
-	mp := sys.iamUserPolicyMap[name]
+	mp, ok := sys.iamUserPolicyMap[name]
 	if !ok {
 		if u.ParentUser != "" {
 			mp = sys.iamUserPolicyMap[u.ParentUser]
 		}
 	}
 	// returned policy could be empty
 	policies = append(policies, mp.toSlice()...)