From 558762bdf6bbec54693013439f4b4ee376188ef7 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Sat, 6 Mar 2021 18:27:06 +0100
Subject: [PATCH] iam: Return a slice of policies for a group (#11722)

A group can have multiple policies, a user subscribed to readwrite & diagnostics can perform S3 operations & admin operations as well. However, the current code only returns one policy for one group.
---
 cmd/iam.go | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index 9af4f810a..253c30727 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1563,11 +1563,7 @@ func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err e
 return gd, err
 }

- // A group may be mapped to at most one policy.
- policy := ""
- if len(ps) > 0 {
- policy = ps[0]
- }
+ policy := strings.Join(ps, ",")

 if sys.usersSysType != MinIOUsersSysType {
 return madmin.GroupDesc{
@@ -1681,7 +1677,7 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is

 // PolicyDBGet - gets policy set on a user or group. Since a user may
 // be a member of multiple groups, this function returns an array of
-// applicable policies (each group is mapped to at most one policy).
+// applicable policies
 func (sys *IAMSys) PolicyDBGet(name string, isGroup bool) ([]string, error) {
 if !sys.Initialized() {
 return nil, errServerNotInitialized
@@ -1749,17 +1745,6 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 policies = append(policies, p.toSlice()...)
 }

- for _, group := range u.Groups {
- // Skip missing or disabled groups
- gi, ok := sys.iamGroupsMap[group]
- if !ok || gi.Status == statusDisabled {
- continue
- }
-
- p := sys.iamGroupPolicyMap[group]
- policies = append(policies, p.toSlice()...)
- }
-
 return policies, nil
 }
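Review bot: The replacement `policy := strings.Join(ps, ",")` drops the old comment without saying that the value, presumably placed in the returned `madmin.GroupDesc`, is now a comma-separated list rather than a single policy name. A caller that uses that string as one name for a lookup or an access decision would see a composite such as `readwrite,diagnostics`, and a policy name that itself contained a comma would be ambiguous, so the encoding is worth stating at the assignment: `// A group may be mapped to several policies; report them as one comma-separated string.` An empty `ps` still yields `""`, as before. GetGroupDescription starts and ends outside this hunk, so where `ps` comes from and how the field is consumed are not visible here.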
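Review bot: The shortened doc comment on PolicyDBGet now ends at `// applicable policies`, with no period and no statement of how groups contribute to the result. Because the last hunk of this patch deletes the `u.Groups` loop from policyDBGet, this comment is the place to say which memberships are still consulted and that a group can carry several policies, e.g. `// applicable policies; a group may be mapped to more than one policy.` If groups listed on the credential were reachable only through the deleted loop, a user's effective policy set shrinks with this patch, so that removal deserves a line in the commit message and a test; the loop that remains ends just above that hunk and is not visible here.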