bugfix/ISSUE-5934-fix-rbac-kv-value-render

CHANGELOG.rst

@@ -34,9 +34,10 @@ Fixed
 
 * Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050
 
+* Fix KV value lookup in actions when RBAC is enabled #5934
+
 Added
 ~~~~~
-
 * Move `git clone` to `user_home/.st2packs` #5845
 
 * Error on `st2ctl status` when running in Kubernetes. #5851

st2common/st2common/services/keyvalues.py

@@ -191,17 +191,17 @@ def _get_kv(self, key):
         if kvp:
             LOG.debug("Got value %s from datastore.", kvp.value)
 
-        # Check that user has permission to the key value pair.
-        # If RBAC is enabled, this check will verify if user has system role with all access.
-        # If RBAC is enabled, this check guards against a user accessing another user's kvp.
-        # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
-        # The check is sufficient to allow decryption of the system kvp.
-        rbac_utils = get_rbac_backend().get_utils_class()
-        rbac_utils.assert_user_has_resource_db_permission(
-            user_db=UserDB(name=self._user),
-            resource_db=kvp,
-            permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
-        )
+            # Check that user has permission to the key value pair.
+            # If RBAC is enabled, this check will verify if user has system role with all access.
+            # If RBAC is enabled, this check guards against a user accessing another user's kvp.
+            # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp.
+            # The check is sufficient to allow decryption of the system kvp.
+            rbac_utils = get_rbac_backend().get_utils_class()
+            rbac_utils.assert_user_has_resource_db_permission(
+                user_db=UserDB(name=self._user),
+                resource_db=kvp,
+                permission_type=PermissionType.KEY_VALUE_PAIR_VIEW,
+            )
 
         return kvp.value if kvp else ""