From 47c3a92711c70b142610974f819bec7f29cf5979 Mon Sep 17 00:00:00 2001
From: Jared Kirschner <jkirschner@hashicorp.com>
Date: Fri, 15 Jul 2022 16:05:53 -0700
Subject: [PATCH] Fix panic on acl token read with -self and -expanded

---
 .changelog/13787.txt                 | 3 +++
 command/acl/token/read/token_read.go | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 .changelog/13787.txt

diff --git a/.changelog/13787.txt b/.changelog/13787.txt
new file mode 100644
index 000000000..0682d70c4
--- /dev/null
+++ b/.changelog/13787.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: when `acl token read` is used with the `-self` and `-expanded` flags, return an error instead of panicking
+```
diff --git a/command/acl/token/read/token_read.go b/command/acl/token/read/token_read.go
index 4e66d9ea7..e5a3b87b0 100644
--- a/command/acl/token/read/token_read.go
+++ b/command/acl/token/read/token_read.go
@@ -92,6 +92,13 @@ func (c *cmd) Run(args []string) int {
 			return 1
 		}
 	} else {
+		// TODO: consider updating this CLI command and underlying HTTP API endpoint
+		// to support expanded read of a "self" token, which is a much better user workflow.
+		if c.expanded {
+			c.UI.Error("Cannot use both -expanded and -self. Instead, use -expanded and -id=<accessor id>.")
+			return 1
+		}
+
 		t, _, err = client.ACL().TokenReadSelf(nil)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error reading token: %v", err))