From adf727ba52b4f3ffb911f0d0df85db858412ff83 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 26 Jan 2026 12:32:51 -0800 Subject: [PATCH] s3api: enforce UserName in embedded IAM ListAccessKeys --- weed/s3api/s3api_embedded_iam.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/weed/s3api/s3api_embedded_iam.go b/weed/s3api/s3api_embedded_iam.go index 3c33369fb..e5648b9bd 100644 --- a/weed/s3api/s3api_embedded_iam.go +++ b/weed/s3api/s3api_embedded_iam.go @@ -1047,6 +1047,9 @@ func (e *EmbeddedIamApi) ExecuteAction(values url.Values) (interface{}, *iamErro case "ListAccessKeys": // Note: handleImplicitUsername requires request context which we don't have here for gRPC // gRPC callers must provide UserName explicitly + if values.Get("UserName") == "" { + return nil, &iamError{Code: s3err.GetAPIError(s3err.ErrInvalidRequest).Code, Error: fmt.Errorf("UserName is required")} + } response = e.ListAccessKeys(s3cfg, values) changed = false case "CreateUser":