From d3efe5dde9efeec2955f58c4ee4f5f227d35c60a Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 9 Mar 2026 00:32:19 -0700
Subject: [PATCH] fix: add name collision check in embedded IAM UpdateUser

The embedded IAM handler renamed users without checking if the target name already existed, unlike the standalone handler.
---
 weed/s3api/s3api_embedded_iam.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/weed/s3api/s3api_embedded_iam.go b/weed/s3api/s3api_embedded_iam.go
index 671de5853..941cc7cfd 100644
--- a/weed/s3api/s3api_embedded_iam.go
+++ b/weed/s3api/s3api_embedded_iam.go
@@ -349,6 +349,14 @@ func (e *EmbeddedIamApi) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url
 userName := values.Get("UserName")
 newUserName := values.Get("NewUserName")
 if newUserName != "" {
+ // Check for name collision before renaming
+ if newUserName != userName {
+ for _, ident := range s3cfg.Identities {
+ if ident.Name == newUserName {
+ return resp, &iamError{Code: iam.ErrCodeEntityAlreadyExistsException, Error: fmt.Errorf("user %s already exists", newUserName)}
+ }
+ }
+ }
 for _, ident := range s3cfg.Identities {
 if userName == ident.Name {
 ident.Name = newUserName
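Review bot: The added collision loop compares with an exact `ident.Name == newUserName`, so a `NewUserName` that differs from an existing identity only by letter case passes the check. AWS IAM treats user names as case-insensitive for uniqueness, and if anything in this package resolves identities that way, two entries could still end up answering to one name, with credentials or policies attributed to the wrong one. If that is the intended model, `if ident.Name != userName && strings.EqualFold(ident.Name, newUserName) {` would cover it while still allowing a case-only rename of the same user; if names are deliberately case-sensitive, a comment saying so next to the check would settle the question. The check also runs before the loop that confirms `userName` exists, so a request with a missing source and an existing target reports EntityAlreadyExists; the not-found handling lies further down UpdateUser, outside this hunk, so confirm that ordering is intended. Formatting the name with `%q` rather than `%s` in the error would keep an unusual request value unambiguous in logs.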