From 043357d7dc4fd224e9c0735531e8f54608e2c1b8 Mon Sep 17 00:00:00 2001
From: Athurg Gooth
Date: Wed, 25 Oct 2023 12:05:30 +0800
Subject: [PATCH] fix: list token for others failed (#2440)

Fix list token for others failed
---
 api/v2/user_service.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/api/v2/user_service.go b/api/v2/user_service.go
index 40a589a5..9d2cda26 100644
--- a/api/v2/user_service.go
+++ b/api/v2/user_service.go
@@ -160,12 +160,23 @@ func (s *UserService) ListUserAccessTokens(ctx context.Context, request *apiv2pb
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
 
- // Normal users can only list their access tokens.
- if user.Role == store.RoleUser && user.Username != request.Username {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+ userID := user.ID
+ // List access token for other users need to be verified.
+ if user.Username != request.Username {
+ // Normal users can only list their access tokens.
+ if user.Role == store.RoleUser {
+ return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+ }
+
+ // The request user must be exist.
+ requestUser, err := s.Store.GetUser(ctx, &store.FindUser{Username: &request.Username})
+ if requestUser == nil || err != nil {
+ return nil, status.Errorf(codes.NotFound, "fail to find user %s", request.Username)
+ }
+ userID = requestUser.ID
 }
 
- userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+ userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, userID)
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
 }
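Review bot: The cross-user branch gates on `if user.Role == store.RoleUser`, which is a deny-list: every other role, including any added later, may list another account's access tokens, and the caller's role is never compared with the target's. If the response carries usable token values (not visible in this hunk), a lower-privileged administrator could obtain a higher-privileged account's credentials, so an explicit allow-list of the roles meant to have this power, plus a log entry recording who listed whose tokens, would be safer. Separately, `if requestUser == nil || err != nil` reports a store failure as `codes.NotFound` and discards `err`; check `err != nil` first and return `codes.Internal` with `%v` of the error, leaving `codes.NotFound` for `requestUser == nil` alone, and format the name with `%q` rather than `%s`. ListUserAccessTokens begins and ends outside this hunk, so how the tokens are serialised could not be checked here.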