From b8833c2947e5c3d16538beb753df7dc3b2a0f725 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 5 May 2021 16:13:45 -0700
Subject: [PATCH] do not change targetUser after permission validation for service accounts make sure that targetUser is always the one that is presented/validated from the incoming request, not the parentUser.
---
 cmd/admin-handlers-users.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 37c3907ad..c1c9f6d21 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -525,12 +525,10 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 } else {
 if cred.IsServiceAccount() || cred.IsTemp() {
 if cred.ParentUser == "" {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
+ writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx,
+ errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
 return
 }
- targetUser = cred.ParentUser
- } else {
- targetUser = cred.AccessKey
 }
 targetGroups = cred.Groups
 }
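Review bot: With both assignments removed, nothing in this `else` branch gives `targetUser` a value any more, so a request that names no target user would presumably reach the account-creation code with an empty `targetUser`. The initial assignment and the permission check are outside the hunk, so this is inferred; if an empty value is possible there, keep the fallback but apply it only when the request supplied nothing, e.g. `if targetUser == "" { targetUser = cred.AccessKey }`, using `cred.ParentUser` in the service-account/temp case. Separately, `targetGroups = cred.Groups` still takes the caller's groups, and now that `targetUser` can differ from the caller, those groups would be attached to a service account created for another user. That line deserves either a guard (`if targetUser == cred.AccessKey`) or a comment stating why the caller's groups are the right ones. The body of AddServiceAccount starts and ends outside the hunk.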