From de234b888c26cc191f3062a625af82640c966795 Mon Sep 17 00:00:00 2001
From: Burkov Egor <eburkov@rvision.ru>
Date: Tue, 1 Jul 2025 19:00:17 +0300
Subject: [PATCH] fix: admin api - SetPolicyForUserOrGroup avoid nil deref
 (#21400)

---
 cmd/admin-handlers-users.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 43345fe1d..629c7b446 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -1827,16 +1827,18 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
 				iamLogIf(ctx, err)
 			} else if foundGroupDN == nil || !underBaseDN {
 				err = errNoSuchGroup
+			} else {
+				entityName = foundGroupDN.NormDN
 			}
-			entityName = foundGroupDN.NormDN
 		} else {
 			var foundUserDN *xldap.DNSearchResult
 			if foundUserDN, err = globalIAMSys.LDAPConfig.GetValidatedDNForUsername(entityName); err != nil {
 				iamLogIf(ctx, err)
 			} else if foundUserDN == nil {
 				err = errNoSuchUser
+			} else {
+				entityName = foundUserDN.NormDN
 			}
-			entityName = foundUserDN.NormDN
 		}
 		if err != nil {
 			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)