fix: change password is implicit (#861)

Also only match actions do not need to match dynamic values in resources. fixes https://github.com/minio/console/issues/857 fixes https://github.com/minio/console/issues/858
2021-07-10 12:11:11 -07:00
parent 373d576e54
commit 445c0be5b1
4 changed files with 14 additions and 16 deletions
--- a/restapi/user_account.go
+++ b/restapi/user_account.go
@@ -123,8 +123,7 @@ func getUserHasPermissionsResponse(session *models.Principal, params user_api.Ha

 	for _, p := range params.Body.Actions {
 		canPerform := userCanDo(iampolicy.Args{
-			Action:     iampolicy.Action(p.Action),
-			BucketName: p.BucketName,
+			Action: iampolicy.Action(p.Action),
 		}, userPolicy)
 		perms = append(perms, &models.PermissionAction{
 			Can: canPerform,
@@ -140,7 +139,10 @@ func getUserHasPermissionsResponse(session *models.Principal, params user_api.Ha
 func userCanDo(arg iampolicy.Args, userPolicy *iampolicy.Policy) bool {
 	// check in all the statements if any allows the passed action
 	for _, stmt := range userPolicy.Statements {
-		if stmt.IsAllowed(arg) {
+		// We only care about actions to match -
+		// if resources match or not we do not
+		// care since those are dynamic entities.
+		if stmt.Actions.Match(arg.Action) {
 			return true
 		}
 	}
--- a/restapi/user_account_test.go
+++ b/restapi/user_account_test.go
@@ -193,7 +193,7 @@ func Test_useCanDo(t *testing.T) {
 							 ]
 							}`,
 			},
-			want: false,
+			want: true,
 		},
 		{
 			name: "Create Bucket, With Bucket Name",
@@ -217,7 +217,7 @@ func Test_useCanDo(t *testing.T) {
 							 ]
 							}`,
 			},
-			want: false,
+			want: true,
 		},
 		{
 			name: "Can't Create Bucket",