fix: enforce deny if present for implicit permissions (#11680)

Implicit permissions for any user are to be allowed to
change their own password; we need to restrict this
further: even if there is an implicit allow for this
scenario, we have to honor Deny statements if they
are specified.
This commit is contained in:
Harshavardhana
2021-03-02 15:35:50 -08:00
committed by GitHub
parent b1bb3f7016
commit 879599b0cf
6 changed files with 37 additions and 73 deletions


@@ -37,6 +37,7 @@ type Args struct {
IsOwner bool `json:"owner"`
ObjectName string `json:"object"`
Claims map[string]interface{} `json:"claims"`
DenyOnly bool `json:"denyOnly"` // only applies deny
}
// GetPoliciesFromClaims returns the list of policies to be applied for this
@@ -105,6 +106,15 @@ func (iamp Policy) IsAllowed(args Args) bool {
}
}
// Applied any 'Deny' only policies, if we have
// reached here it means that there were no 'Deny'
// policies - this function mainly used for
// specific scenarios where we only want to validate
// 'Deny' only policies.
if args.DenyOnly {
return true
}
// For owner, its allowed by default.
if args.IsOwner {
return true