fix: enforce deny if present for implicit permissions (#11680)

Implicit permissions for any user is to be allowed to change their own password, we need to restrict this further even if there is an implicit allow for this scenario - we have to honor Deny statements if they are specified.
2025-11-07 04:42:56 -05:00 · 2021-03-02 15:35:50 -08:00
parent b1bb3f7016
commit 879599b0cf
6 changed files with 37 additions and 73 deletions
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -78,7 +78,7 @@ func extractBucketObject(args reflect.Value) (bucketName, objectName string) {
 }

 // WebGenericArgs - empty struct for calls that don't accept arguments
-// for ex. ServerInfo, GenerateAuth
+// for ex. ServerInfo
 type WebGenericArgs struct{}

 // WebGenericRep - reply structure for calls for which reply is success/failure
@@ -981,32 +981,6 @@ func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginR
 	return nil
 }

-// GenerateAuthReply - reply for GenerateAuth
-type GenerateAuthReply struct {
-	AccessKey string `json:"accessKey"`
-	SecretKey string `json:"secretKey"`
-	UIVersion string `json:"uiVersion"`
-}
-
-func (web webAPIHandlers) GenerateAuth(r *http.Request, args *WebGenericArgs, reply *GenerateAuthReply) error {
-	ctx := newWebContext(r, args, "WebGenerateAuth")
-	_, owner, authErr := webRequestAuthenticate(r)
-	if authErr != nil {
-		return toJSONError(ctx, authErr)
-	}
-	if !owner {
-		return toJSONError(ctx, errAccessDenied)
-	}
-	cred, err := auth.GetNewCredentials()
-	if err != nil {
-		return toJSONError(ctx, err)
-	}
-	reply.AccessKey = cred.AccessKey
-	reply.SecretKey = cred.SecretKey
-	reply.UIVersion = browser.UIVersion
-	return nil
-}
-
 // SetAuthArgs - argument for SetAuth
 type SetAuthArgs struct {
 	CurrentAccessKey string `json:"currentAccessKey"`
@@ -1035,6 +1009,17 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
 		return toJSONError(ctx, errChangeCredNotAllowed)
 	}

+	if !globalIAMSys.IsAllowed(iampolicy.Args{
+		AccountName:     claims.AccessKey,
+		Action:          iampolicy.CreateUserAdminAction,
+		IsOwner:         false,
+		ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+		Claims:          claims.Map(),
+		DenyOnly:        true,
+	}) {
+		return toJSONError(ctx, errChangeCredNotAllowed)
+	}
+
 	// for IAM users, access key cannot be updated
 	// claims.AccessKey is used instead of accesskey from args
 	prevCred, ok := globalIAMSys.GetUser(claims.AccessKey)