From 63fa4f945fbc7a7dcb442a7185aa9d9675ccf5c0 Mon Sep 17 00:00:00 2001
From: John Schoewe
Date: Tue, 14 Mar 2023 09:21:23 -0400
Subject: [PATCH 1/2] Moved permission checks into if statement because we dont need to run checks if no key was found
---
 st2common/st2common/services/keyvalues.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/st2common/st2common/services/keyvalues.py b/st2common/st2common/services/keyvalues.py
index 824f4bf048..9b41b9e29d 100644
--- a/st2common/st2common/services/keyvalues.py
+++ b/st2common/st2common/services/keyvalues.py
@@ -191,17 +191,17 @@ def _get_kv(self, key):
 if kvp:
 LOG.debug("Got value %s from datastore.", kvp.value)
- # Check that user has permission to the key value pair.
- # If RBAC is enabled, this check will verify if user has system role with all access.
- # If RBAC is enabled, this check guards against a user accessing another user's kvp.
- # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
- # The check is sufficient to allow decryption of the system kvp.
- rbac_utils = get_rbac_backend().get_utils_class()
- rbac_utils.assert_user_has_resource_db_permission(
- user_db=UserDB(name=self._user),
- resource_db=kvp,
- permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
- )
+ # Check that user has permission to the key value pair.
+ # If RBAC is enabled, this check will verify if user has system role with all access.
+ # If RBAC is enabled, this check guards against a user accessing another user's kvp.
+ # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
+ # The check is sufficient to allow decryption of the system kvp.
+ rbac_utils = get_rbac_backend().get_utils_class()
+ rbac_utils.assert_user_has_resource_db_permission(
+ user_db=UserDB(name=self._user),
+ resource_db=kvp,
+ permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
+ )
 return kvp.value if kvp else ""
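Review bot: `LOG.debug("Got value %s from datastore.", kvp.value)` still runs before `assert_user_has_resource_db_permission`, so with both now in the same `if kvp:` block the value reaches the debug log even for a user the check then rejects. Moving the log call below the assertion, or logging only the key (`LOG.debug("Got value for key %s from datastore.", key)`), closes that. Skipping the check when no key is found also means a missing key returns `""` while an existing key the user may not view presumably raises, so a caller can tell the two apart; a short comment stating that this is intended, plus a test for the not-found path with RBAC enabled, would pin the behaviour. The lookup that produces `kvp` and the rest of `_get_kv` lie outside the hunk, so whether the logged value is still encrypted for secret keys cannot be confirmed from here.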
From b8948d7b42f77ba7aa86ba326b670e32d9212dca Mon Sep 17 00:00:00 2001
From: John Schoewe
Date: Tue, 14 Mar 2023 09:29:57 -0400
Subject: [PATCH 2/2] Added CHANGLOG message
---
 CHANGELOG.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b3720a22e0..0ac7f3640d 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,8 @@ in development
 Added
 ~~~~~
+* Fix KV value lookup in actions when RBAC is enabled #5934
+
 * Move `git clone` to `user_home/.st2packs` #5845
 * Error on `st2ctl status` when running in Kubernetes. #5851