diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 7a48ec505..8fa0f77d3 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -164,31 +164,24 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 return
 }
- accessKey := cred.ParentUser
- if accessKey == "" {
- accessKey = cred.AccessKey
+ checkDenyOnly := false
+ if name == cred.AccessKey {
+ // Check that there is no explicit deny - otherwise it's allowed
+ // to view one's own info.
+ checkDenyOnly = true
 }
- // For temporary credentials always
- // the temporary credentials to check
- // policy without implicit permissions.
- if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
- accessKey = cred.AccessKey
- }
-
- implicitPerm := name == accessKey
- if !implicitPerm {
- if !globalIAMSys.IsAllowed(iampolicy.Args{
- AccountName: accessKey,
- Groups: cred.Groups,
- Action: iampolicy.GetUserAdminAction,
- ConditionValues: getConditionValues(r, "", accessKey, claims),
- IsOwner: owner,
- Claims: claims,
- }) {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
- return
- }
+ if !globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: cred.AccessKey,
+ Groups: cred.Groups,
+ Action: iampolicy.GetUserAdminAction,
+ ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
+ IsOwner: owner,
+ Claims: claims,
+ DenyOnly: checkDenyOnly,
+ }) {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
+ return
 }
 userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
diff --git a/cmd/admin-handlers-users_test.go b/cmd/admin-handlers-users_test.go
index 1b216ca18..6ec2fd78c 100644
--- a/cmd/admin-handlers-users_test.go
+++ b/cmd/admin-handlers-users_test.go
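Review bot: The deny-only shortcut is keyed on `name == cred.AccessKey` alone, so a credential with a parent (the `cred.ParentUser` path the removed lines resolved) no longer has implicit permission to read its parent user's record and now needs an explicit allow through the regular policy check; that tightening looks deliberate, but nothing in the hunk records it, and the policy call now also relies on `IsAllowed` resolving a derived key's policies from `cred.AccessKey` by itself (the STS case is covered by the new test in cmd/sts-handlers_test.go, service-account credentials are not). A comment above the branch would capture the intent, e.g. `// Only a lookup of the caller's own access key is deny-only; a derived credential reading its parent user needs an explicit allow like any other lookup.` As a point of style, the three-line flag assignment collapses to `checkDenyOnly := name == cred.AccessKey` with the comment placed above it. Where `name`, `cred`, `owner` and `claims` are set lies outside the hunk.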
@@ -844,6 +844,14 @@ func (c *check) mustCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClie
 }
 }
+func (c *check) mustGetIAMUserInfo(ctx context.Context, admClnt *madmin.AdminClient, accessKey string) madmin.UserInfo {
+ ui, err := admClnt.GetUserInfo(ctx, accessKey)
+ if err != nil {
+ c.Fatalf("should be able to get user info: %v", err)
+ }
+ return ui
+}
+
 func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) {
 randUser := mustGetUUID()
 randPass := mustGetUUID()
diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go
index 5cc0595a2..9790623e5 100644
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -712,7 +712,10 @@ func (s *TestSuiteIAM) TestOpenIDSTSAddUser(c *check) {
 c.Fatalf("policy add error: %v", err)
 }
- c.mustCreateIAMUser(ctx, userAdmClient)
+ cr := c.mustCreateIAMUser(ctx, userAdmClient)
+
+ userInfo := c.mustGetIAMUserInfo(ctx, userAdmClient, cr.AccessKey)
+ c.Assert(userInfo.Status, madmin.AccountEnabled)
 }
 func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {
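Review bot: The new assertion in TestOpenIDSTSAddUser only exercises the cross-user path of GetUserInfo (an STS-derived client reading the user it just created) and leaves the deny-only self-lookup branch introduced in cmd/admin-handlers-users.go in the same commit untested: a caller reading its own access key without an explicit allow, and an explicit Deny on GetUserAdminAction still blocking that self-lookup. A second `c.mustGetIAMUserInfo` call with the STS client's own access key, plus a negative case under a policy that carries the deny, would pin both halves of that behaviour; the access key behind `userAdmClient` is not visible in this hunk. `cr` is only read for `cr.AccessKey`, so a name such as `newUser` would read less cryptically. TestOpenIDSTSAddUser begins outside the hunk.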