fix: set correct owner on project grants (#9089)

# Which Problems Are Solved In versions previous to v2.66 it was possible to set a different resource owner on project grants. This was introduced with the new resource based API. The resource owner was possible to overwrite using the x-zitadel-org header. Because of this issue project grants got the wrong resource owner, instead of the owner of the project it got the granted org which is wrong because a resource owner of an aggregate is not allowed to change. # How the Problems Are Solved - The wrong owners of the events are set to the original owner of the project. - A new event is pushed to these aggregates `project.owner.corrected` - The projection updates the owners of the user grants if that event was written # Additional Changes The eventstore push function (replaced in version 2.66) writes the correct resource owner. # Additional Context closes https://github.com/zitadel/zitadel/issues/9072
2025-08-11 21:37:32 +00:00 · 2025-01-15 11:22:16 +01:00
parent b664ffe993
commit 1949d1546a
11 changed files with 308 additions and 1 deletions
--- a/internal/eventstore/handler/v2/statement.go
+++ b/internal/eventstore/handler/v2/statement.go
@@ -601,6 +601,12 @@ func NewCond(name string, value interface{}) Condition {
 	}
 }

+func NewUnequalCond(name string, value any) Condition {
+	return func(param string) (string, []any) {
+		return name + " <> " + param, []any{value}
+	}
+}
+
 func NewNamespacedCondition(name string, value interface{}) NamespacedCondition {
 	return func(namespace string) Condition {
 		return NewCond(namespace+"."+name, value)
--- a/internal/eventstore/v3/sequence.go
+++ b/internal/eventstore/v3/sequence.go
@@ -125,7 +125,18 @@ func scanToSequence(rows *sql.Rows, sequences []*latestSequence) error {
 		return nil
 	}
 	sequence.sequence = currentSequence
-	if sequence.aggregate.ResourceOwner == "" {
+	if resourceOwner != "" && sequence.aggregate.ResourceOwner != "" && sequence.aggregate.ResourceOwner != resourceOwner {
+		logging.WithFields(
+			"current_sequence", sequence.sequence,
+			"instance_id", sequence.aggregate.InstanceID,
+			"agg_type", sequence.aggregate.Type,
+			"agg_id", sequence.aggregate.ID,
+			"current_owner", resourceOwner,
+			"provided_owner", sequence.aggregate.ResourceOwner,
+		).Info("would have set wrong resource owner")
+	}
+	// set resource owner from previous events
+	if resourceOwner != "" {
 		sequence.aggregate.ResourceOwner = resourceOwner
 	}

--- a/internal/query/projection/project_grant.go
+++ b/internal/query/projection/project_grant.go
@@ -93,6 +93,10 @@ func (p *projectGrantProjection) Reducers() []handler.AggregateReducer {
 					Event:  project.ProjectRemovedType,
 					Reduce: p.reduceProjectRemoved,
 				},
+				{
+					Event:  project.ProjectOwnerCorrected,
+					Reduce: p.reduceOwnerCorrected,
+				},
 			},
 		},
 		{
@@ -269,3 +273,17 @@ func (p *projectGrantProjection) reduceOwnerRemoved(event eventstore.Event) (*ha
 		),
 	), nil
 }
+
+func (p *projectGrantProjection) reduceOwnerCorrected(event eventstore.Event) (*handler.Statement, error) {
+	return handler.NewUpdateStatement(
+		event,
+		[]handler.Column{
+			handler.NewCol(ProjectGrantColumnResourceOwner, event.Aggregate().ResourceOwner),
+		},
+		[]handler.Condition{
+			handler.NewCond(ProjectGrantColumnInstanceID, event.Aggregate().InstanceID),
+			handler.NewCond(ProjectGrantColumnProjectID, event.Aggregate().ID),
+			handler.NewUnequalCond(ProjectGrantColumnResourceOwner, event.Aggregate().ResourceOwner),
+		},
+	), nil
+}
--- a/internal/repository/owner/owner_corrected.go
+++ b/internal/repository/owner/owner_corrected.go
@@ -0,0 +1,40 @@
+package owner
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const OwnerCorrectedType = ".owner.corrected"
+
+type Corrected struct {
+	eventstore.BaseEvent `json:"-"`
+
+	PreviousOwners map[uint32]string `json:"previousOwners,omitempty"`
+}
+
+var _ eventstore.Command = (*Corrected)(nil)
+
+func (e *Corrected) Payload() interface{} {
+	return e
+}
+
+func (e *Corrected) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewCorrected(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	previousOwners map[uint32]string,
+) *Corrected {
+	return &Corrected{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			eventstore.EventType(aggregate.Type+OwnerCorrectedType),
+		),
+		PreviousOwners: previousOwners,
+	}
+}
--- a/internal/repository/project/project.go
+++ b/internal/repository/project/project.go
@@ -16,6 +16,7 @@ const (
 	ProjectDeactivatedType = projectEventTypePrefix + "deactivated"
 	ProjectReactivatedType = projectEventTypePrefix + "reactivated"
 	ProjectRemovedType     = projectEventTypePrefix + "removed"
+	ProjectOwnerCorrected  = projectEventTypePrefix + "owner.corrected"

 	ProjectSearchType       = "project"
 	ProjectObjectRevision   = uint8(1)