Check if user or group is disabled when evaluating policy (#8078)

2025-01-11 15:03:22 -05:00 · 2019-08-14 16:59:16 -07:00 · 2019-08-14 16:59:16 -07:00 · 825e29f301
commit 825e29f301
parent cebeca3075
1 changed files with 13 additions and 1 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -945,8 +945,14 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 		return []string{policy.Policy}, nil
 	}

-	if _, ok := sys.iamUsersMap[name]; !ok {
+	// When looking for a user's policies, we also check if the
+	// user and the groups they are member of are enabled.
+	if u, ok := sys.iamUsersMap[name]; !ok {
 		return nil, errNoSuchUser
+	} else if u.Status == statusDisabled {
+		// User is disabled, so we return no policy - this
+		// ensures the request is denied.
+		return nil, nil
 	}

 	result := []string{}
@ -956,6 +962,12 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 		result = append(result, policy.Policy)
 	}
 	for _, group := range sys.iamUserGroupMemberships[name].ToSlice() {
+		// Skip missing or disabled groups
+		gi, ok := sys.iamGroupsMap[group]
+		if !ok || gi.Status == statusDisabled {
+			continue
+		}
+
 		p, ok := sys.iamGroupPolicyMap[group]
 		if ok && p.Policy != "" {
 			result = append(result, p.Policy)