From 496cde87b20e6f36c8ab6c5c6416daa42eb11e1e Mon Sep 17 00:00:00 2001
From: Athurg Gooth
Date: Tue, 24 Oct 2023 18:51:01 +0800
Subject: [PATCH] feat: list access tokens by admin (#2434)

* Allow admin user list access_tokens of anyone
* fix undefined variable
* Update api/v2/user_service.go
---------
Co-authored-by: boojack
---
 api/v2/user_service.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/v2/user_service.go b/api/v2/user_service.go
index 3d0a2f1a..40a589a5 100644
--- a/api/v2/user_service.go
+++ b/api/v2/user_service.go
@@ -156,7 +156,12 @@ func (s *UserService) ListUserAccessTokens(ctx context.Context, request *apiv2pb
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 }
- if user == nil || user.Username != request.Username {
+ if user == nil {
+ return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+ }
+
+ // Normal users can only list their access tokens.
+ if user.Role == store.RoleUser && user.Username != request.Username {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
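Review bot: The new role check fails open: only `store.RoleUser` is restricted, so a caller whose `Role` is empty, unrecognised or a role added later does not match `user.Role == store.RoleUser && ...` and can list any user's access tokens. Deny by default and name the privileged roles instead, e.g. `if user.Username != request.Username && user.Role != store.RoleHost && user.Role != store.RoleAdmin {` (constant names assumed from the store package; confirm them). Access tokens are bearer credentials, so if the response carries the token strings rather than only metadata, this path lets an administrator act as the listed user; an audit log entry for cross-user listings, or omitting the secret for non-owners, would be worth adding. The rest of ListUserAccessTokens lies outside the hunk, so what is actually returned cannot be checked from here.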