StackStorm · fdrab · Jul 13, 2025
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -36,6 +36,10 @@ Fixed
 
 Changed
 ~~~~~~~
+* Fixed #6335 by changing how system-scoped keys are retrieved from the datastore if called by non-admin user.
+  Instead of getting a list of keys user has access to and fetching them one by one, we now fetch all
+  system-scoped keys and only add those to the output that the user has access to. This makes sure that 'prefix'
+  and 'name' filters are honored for system-scoped keys, which is the expected behavior.
 * Removed code in all dist_utils.py that was sanitizing the `python_version` environment marker that limited packages in the requirements.txt only being installed on lower python versions. (by @skiedude)
 * Bumped `jsonschema` 2.6.0 -> 3.2.0 now that python3.6 is not supported. #6118
 * Bumped many deps based on the lockfiles generated by pants+pex. #6181 #6227 #6200 #6252 #6268 #6329 (by @cognifloyd and @nzlosh)

diff --git a/st2api/st2api/controllers/v1/keyvalue.py b/st2api/st2api/controllers/v1/keyvalue.py
@@ -231,42 +231,39 @@ def get_all(
 
         if scope in [ALL_SCOPE, SYSTEM_SCOPE, FULL_SYSTEM_SCOPE]:
             decrypted_keys = []
-            # If user has system role, then retrieve all system scoped items
-            if has_system_role:
-                raw_filters["scope"] = FULL_SYSTEM_SCOPE
-                raw_filters["prefix"] = prefix
-
-                items = self._get_all(
-                    from_model_kwargs=from_model_kwargs,
-                    sort=sort,
-                    offset=offset,
-                    limit=limit,
-                    raw_filters=raw_filters,
-                    requester_user=requester_user,
-                )
 
+            raw_filters["scope"] = FULL_SYSTEM_SCOPE
+            raw_filters["prefix"] = prefix
+
+            items = self._get_all(
+                from_model_kwargs=from_model_kwargs,
+                sort=sort,
+                offset=offset,
+                limit=limit,
+                raw_filters=raw_filters,
+                requester_user=requester_user,
+            )
+
+            # If user has system role, add all the retrieved keys
+            if has_system_role:
                 kvp_apis_system.extend(items.json or [])
                 if decrypt and items.json:
                     decrypted_keys.extend(
                         kv_api["name"] for kv_api in items.json if kv_api["secret"]
                     )
             else:
-                # Otherwise if user is not an admin, then get the list of
-                # system scoped items that user is granted permission to.
-                for key in get_all_system_kvp_names_for_user(current_user):
-                    try:
-                        item = self._get_one_by_scope_and_name(
-                            from_model_kwargs=from_model_kwargs,
-                            scope=FULL_SYSTEM_SCOPE,
-                            name=key,
-                        )
+                # Otherwise, if user is not an admin, only add the keys that
+                # they have the permissions to
+                allowed_kvp_names_for_user = get_all_system_kvp_names_for_user(
+                    current_user
+                )
 
+                for item in items.json or []:
+                    if item["name"] in allowed_kvp_names_for_user:
                         kvp_apis_system.append(item)
-                    except Exception as e:
-                        LOG.error("Unable to get key %s: %s", key, str(e))
-                        continue
-                    if decrypt and item.secret:
-                        decrypted_keys.append(key)
+                        if decrypt and item["secret"]:
+                            decrypted_keys.append(item["name"])
+
             if decrypted_keys:
                 LOG.audit(
                     "User %s decrypted the values %s ",