diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c11665880a..42a7791357 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -34,9 +34,10 @@ Fixed
 * Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050
+* Fix KV value lookup in actions when RBAC is enabled #5934
+
 Added
 ~~~~~
-
 * Move `git clone` to `user_home/.st2packs` #5845
 * Error on `st2ctl status` when running in Kubernetes. #5851
diff --git a/st2common/st2common/services/keyvalues.py b/st2common/st2common/services/keyvalues.py
index 824f4bf048..9b41b9e29d 100644
--- a/st2common/st2common/services/keyvalues.py
+++ b/st2common/st2common/services/keyvalues.py
@@ -191,17 +191,17 @@ def _get_kv(self, key):
 if kvp:
 LOG.debug("Got value %s from datastore.", kvp.value)
- # Check that user has permission to the key value pair.
- # If RBAC is enabled, this check will verify if user has system role with all access.
- # If RBAC is enabled, this check guards against a user accessing another user's kvp.
- # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
- # The check is sufficient to allow decryption of the system kvp.
- rbac_utils = get_rbac_backend().get_utils_class()
- rbac_utils.assert_user_has_resource_db_permission(
- user_db=UserDB(name=self._user),
- resource_db=kvp,
- permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
- )
+ # Check that user has permission to the key value pair.
+ # If RBAC is enabled, this check will verify if user has system role with all access.
+ # If RBAC is enabled, this check guards against a user accessing another user's kvp.
+ # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
+ # The check is sufficient to allow decryption of the system kvp.
+ rbac_utils = get_rbac_backend().get_utils_class()
+ rbac_utils.assert_user_has_resource_db_permission(
+ user_db=UserDB(name=self._user),
+ resource_db=kvp,
+ permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
+ )
 return kvp.value if kvp else ""
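Review bot: In the `_get_kv` hunk of `keyvalues.py`, `LOG.debug("Got value %s from datastore.", kvp.value)` writes the stored value to the debug log before `assert_user_has_resource_db_permission` runs, so a lookup that is then rejected for lacking `KEY_VALUE_PAIR_VIEW` has already left the value in the logs (whether that value is still ciphertext for secret pairs is not visible here). Move the log call below the permission assertion and log the key rather than the value, e.g. `LOG.debug("Got value for key %s from datastore.", key)`. Indentation is not preserved on this page, so I am assuming the re-added block now sits under `if kvp:`; if so, add a comment such as `# No RBAC check when the key is missing: nothing to authorize, "" is returned.` so the skipped check reads as deliberate. `_get_kv` begins outside the hunk, so how `kvp` is fetched cannot be checked from here.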