From d7a6996bed331a8b66fae6e9719d51143af0eadf Mon Sep 17 00:00:00 2001
From: bcmmbaga
Date: Thu, 17 Oct 2024 11:59:46 +0300
Subject: [PATCH] check user accounts for setup keys

Signed-off-by: bcmmbaga
---
 management/server/setupkey.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/management/server/setupkey.go b/management/server/setupkey.go
index 838a70ff6..956a97f1c 100644
--- a/management/server/setupkey.go
+++ b/management/server/setupkey.go
@@ -217,7 +217,7 @@ func (am *DefaultAccountManager) CreateSetupKey(ctx context.Context, accountID s
 	}
 
 	if user.AccountID != accountID {
-		return nil, status.Errorf(status.PermissionDenied, "only users with admin power can update setup keys")
+		return nil, status.Errorf(status.PermissionDenied, errUserNotPartOfAccountMsg)
 	}
 
 	keyDuration := DefaultSetupKeyDuration
@@ -275,7 +275,7 @@ func (am *DefaultAccountManager) SaveSetupKey(ctx context.Context, accountID str
 	}
 
 	if user.AccountID != accountID {
-		return nil, status.Errorf(status.PermissionDenied, "only users with admin power can update setup keys")
+		return nil, status.Errorf(status.PermissionDenied, errUserNotPartOfAccountMsg)
 	}
 
 	groups, err := am.Store.GetAccountGroups(ctx, LockingStrengthShare, accountID)
@@ -348,10 +348,14 @@ func (am *DefaultAccountManager) ListSetupKeys(ctx context.Context, accountID, u
 		return nil, err
 	}
 
-	if !user.IsAdminOrServiceUser() || user.AccountID != accountID {
+	if !user.IsAdminOrServiceUser() {
 		return nil, status.Errorf(status.Unauthorized, "only users with admin power can view setup keys")
 	}
 
+	if user.AccountID != accountID {
+		return nil, status.Errorf(status.PermissionDenied, errUserNotPartOfAccountMsg)
+	}
+
 	setupKeys, err := am.Store.GetAccountSetupKeys(ctx, LockingStrengthShare, accountID)
 	if err != nil {
 		return nil, err
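Review bot: In ListSetupKeys the added `if user.AccountID != accountID {` block runs after the role check, so a caller from another account is first judged on admin rights in an account it does not belong to, and whether it receives Unauthorized or PermissionDenied depends on its role there rather than on membership alone. Moving the added membership block above the `if !user.IsAdminOrServiceUser() {` check makes every non-member fail with PermissionDenied and makes the function read as membership first, privilege second, which also matches CreateSetupKey and SaveSetupKey, where the account comparison is the gate shown in the first two hunks. The same ordering applies to the GetSetupKey hunk. With the comparison now repeated verbatim in four places, a small unexported helper taking the user and accountID and returning the PermissionDenied error would keep the four sites from drifting, and a one-line comment such as `// membership is checked before role: privileges only apply inside the caller's own account` would document the order. Both ListSetupKeys and GetSetupKey begin and end outside their hunks.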
@@ -378,10 +382,14 @@ func (am *DefaultAccountManager) GetSetupKey(ctx context.Context, accountID, use
 		return nil, err
 	}
 
-	if !user.IsAdminOrServiceUser() || user.AccountID != accountID {
+	if !user.IsAdminOrServiceUser() {
 		return nil, status.Errorf(status.Unauthorized, "only users with admin power can view setup keys")
 	}
 
+	if user.AccountID != accountID {
+		return nil, status.Errorf(status.PermissionDenied, errUserNotPartOfAccountMsg)
+	}
+
 	setupKey, err := am.Store.GetSetupKeyByID(ctx, LockingStrengthShare, accountID, keyID)
 	if err != nil {
 		return nil, err