From ede2fa9d0b30970ad698540ac2ac859717dbc27e Mon Sep 17 00:00:00 2001
From: yxrxy <1532529704@qq.com>
Date: Thu, 11 Dec 2025 08:55:41 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20is-admin=20api=20(For=20STS/temporary=20?= =?UTF-8?q?credentials,=20we=20need=20to=20check=20the=E2=80=A6=20(#1101)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: loverustfs
---
 rustfs/src/admin/handlers.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rustfs/src/admin/handlers.rs b/rustfs/src/admin/handlers.rs
index 878bb3b9..89b3ea88 100644
--- a/rustfs/src/admin/handlers.rs
+++ b/rustfs/src/admin/handlers.rs
@@ -158,14 +158,15 @@ impl Operation for IsAdminHandler {
 return Err(s3_error!(InvalidRequest, "get cred failed"));
 };
- let (_cred, _owner) =
+ let (cred, _owner) =
 check_key_valid(get_session_token(&req.uri, &req.headers).unwrap_or_default(), &input_cred.access_key).await?;
 let access_key_to_check = input_cred.access_key.clone();
 // Check if the user is admin by comparing with global credentials
 let is_admin = if let Some(sys_cred) = get_global_action_cred() {
- sys_cred.access_key == access_key_to_check
+ crate::auth::constant_time_eq(&access_key_to_check, &sys_cred.access_key)
+ || crate::auth::constant_time_eq(&cred.parent_user, &sys_cred.access_key)
 } else {
 false
 };
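Review bot: The added `cred.parent_user` comparison in the `is_admin` expression reports every credential derived from the root account as admin, including service accounts or STS sessions that may have been issued with a restricting session policy; nothing visible in the hunk looks at such a policy. If callers rely on this endpoint for more than display, consider checking the policy or claims carried by `cred` before returning true, and at minimum replace the existing comment with the actual rule, e.g. `// Admin = root access key, or a derived/temporary credential whose parent_user is the root access key`. `check_key_valid` also returns an owner flag that is still discarded as `_owner`; if that flag already encodes the root/parent relationship (not visible here), using it would keep the rule in one place instead of duplicating it in the handler. The handler body starts and ends outside the hunk.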