fix: user metadata check if already existing

internal/command/org.go

@@ -321,7 +321,7 @@ func (c *Commands) addOrgWithIDAndMember(ctx context.Context, name, userID, reso
 	if err != nil {
 		return nil, err
 	}
-	err = c.checkUserExists(ctx, userID, resourceOwner)
+	_, err = c.checkUserExists(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}

internal/command/project_grant_member.go

@@ -21,7 +21,7 @@ func (c *Commands) AddProjectGrantMember(ctx context.Context, member *domain.Pro
 	if len(domain.CheckForInvalidRoles(member.Roles, domain.ProjectGrantRolePrefix, c.zitadelRoles)) > 0 {
 		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-m9gKK", "Errors.Project.Grant.Member.Invalid")
 	}
-	err = c.checkUserExists(ctx, member.UserID, "")
+	_, err = c.checkUserExists(ctx, member.UserID, "")
 	if err != nil {
 		return nil, err
 	}

internal/command/project_member.go

@@ -45,7 +45,7 @@ func (c *Commands) addProjectMember(ctx context.Context, projectAgg *eventstore.
 		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-3m9ds", "Errors.Project.Member.Invalid")
 	}
 
-	err = c.checkUserExists(ctx, addedMember.UserID, "")
+	_, err = c.checkUserExists(ctx, addedMember.UserID, "")
 	if err != nil {
 		return nil, err
 	}

internal/command/user.go

@@ -327,18 +327,18 @@ func (c *Commands) UserDomainClaimedSent(ctx context.Context, orgID, userID stri
 	return err
 }
 
-func (c *Commands) checkUserExists(ctx context.Context, userID, resourceOwner string) (err error) {
+func (c *Commands) checkUserExists(ctx context.Context, userID, resourceOwner string) (_ string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
 	existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
-		return err
+		return "", err
 	}
 	if !isUserStateExists(existingUser.UserState) {
-		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-uXHNj", "Errors.User.NotFound")
+		return "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-uXHNj", "Errors.User.NotFound")
 	}
-	return nil
+	return existingUser.ResourceOwner, nil
 }
 
 func (c *Commands) userWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *UserWriteModel, err error) {

internal/command/user_grant.go

@@ -299,7 +299,7 @@ func (c *Commands) checkUserGrantPreCondition(ctx context.Context, usergrant *do
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	if err := c.checkUserExists(ctx, usergrant.UserID, ""); err != nil {
+	if _, err := c.checkUserExists(ctx, usergrant.UserID, ""); err != nil {
 		return err
 	}
 	existingRoleKeys, err := c.searchUserGrantPreConditionState(ctx, usergrant, resourceOwner)

internal/command/user_human_otp.go

@@ -26,7 +26,7 @@ func (c *Commands) ImportHumanTOTP(ctx context.Context, userID, userAgentID, res
 	if err != nil {
 		return err
 	}
-	if err = c.checkUserExists(ctx, userID, resourceOwner); err != nil {
+	if _, err = c.checkUserExists(ctx, userID, resourceOwner); err != nil {
 		return err
 	}
 

internal/command/user_idp_link.go

@@ -56,7 +56,7 @@ func (c *Commands) BulkAddedUserIDPLinks(ctx context.Context, userID, resourceOw
 		return zerrors.ThrowInvalidArgument(nil, "COMMAND-Ek9s", "Errors.User.ExternalIDP.MinimumExternalIDPNeeded")
 	}
 
-	if err := c.checkUserExists(ctx, userID, resourceOwner); err != nil {
+	if _, err := c.checkUserExists(ctx, userID, resourceOwner); err != nil {
 		return err
 	}
 

internal/command/user_metadata.go

@@ -1,6 +1,7 @@
 package command
 
 import (
+	"bytes"
 	"context"
 
 	"github.com/zitadel/zitadel/internal/domain"
@@ -14,12 +15,21 @@ func (c *Commands) SetUserMetadata(ctx context.Context, metadata *domain.Metadat
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	err = c.checkUserExists(ctx, userID, resourceOwner)
+	userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+
+	setMetadata, err := c.getUserMetadataModelByID(ctx, userID, userResourceOwner, metadata.Key)
 	if err != nil {
 		return nil, err
 	}
-	setMetadata := NewUserMetadataWriteModel(userID, resourceOwner, metadata.Key)
 	userAgg := UserAggregateFromWriteModel(&setMetadata.WriteModel)
+	// return if no change in the metadata
+	if bytes.Equal(setMetadata.Value, metadata.Value) {
+		return writeModelToUserMetadata(setMetadata), nil
+	}
+
 	event, err := c.setUserMetadata(ctx, userAgg, metadata)
 	if err != nil {
 		return nil, err
@@ -40,20 +50,31 @@ func (c *Commands) BulkSetUserMetadata(ctx context.Context, userID, resourceOwne
 	if len(metadatas) == 0 {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "META-9mm2d", "Errors.Metadata.NoData")
 	}
-	err = c.checkUserExists(ctx, userID, resourceOwner)
+	userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
 
-	events := make([]eventstore.Command, len(metadatas))
+	events := make([]eventstore.Command, 0)
-	setMetadata := NewUserMetadataListWriteModel(userID, resourceOwner)
+	setMetadata, err := c.getUserMetadataListModelByID(ctx, userID, userResourceOwner)
+	if err != nil {
+		return nil, err
+	}
 	userAgg := UserAggregateFromWriteModel(&setMetadata.WriteModel)
-	for i, data := range metadatas {
+	for _, data := range metadatas {
+		// if no change to metadata no event has to be pushed
+		if existingValue, ok := setMetadata.metadataList[data.Key]; ok && bytes.Equal(existingValue, data.Value) {
+			continue
+		}
 		event, err := c.setUserMetadata(ctx, userAgg, data)
 		if err != nil {
 			return nil, err
 		}
-		events[i] = event
+		events = append(events, event)
+	}
+	// no changes for the metadata
+	if len(events) == 0 {
+		return writeModelToObjectDetails(&setMetadata.WriteModel), nil
 	}
 
 	pushedEvents, err := c.eventstore.Push(ctx, events...)
@@ -84,11 +105,12 @@ func (c *Commands) RemoveUserMetadata(ctx context.Context, metadataKey, userID,
 	if metadataKey == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "META-2n0fs", "Errors.Metadata.Invalid")
 	}
-	err = c.checkUserExists(ctx, userID, resourceOwner)
+	userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
-	removeMetadata, err := c.getUserMetadataModelByID(ctx, userID, resourceOwner, metadataKey)
+
+	removeMetadata, err := c.getUserMetadataModelByID(ctx, userID, userResourceOwner, metadataKey)
 	if err != nil {
 		return nil, err
 	}
@@ -116,13 +138,13 @@ func (c *Commands) BulkRemoveUserMetadata(ctx context.Context, userID, resourceO
 	if len(metadataKeys) == 0 {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "META-9mm2d", "Errors.Metadata.NoData")
 	}
-	err = c.checkUserExists(ctx, userID, resourceOwner)
+	userResourceOwner, err := c.checkUserExists(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
 
 	events := make([]eventstore.Command, len(metadataKeys))
-	removeMetadata, err := c.getUserMetadataListModelByID(ctx, userID, resourceOwner)
+	removeMetadata, err := c.getUserMetadataListModelByID(ctx, userID, userResourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -153,24 +175,6 @@ func (c *Commands) BulkRemoveUserMetadata(ctx context.Context, userID, resourceO
 	return writeModelToObjectDetails(&removeMetadata.WriteModel), nil
 }
 
-func (c *Commands) removeUserMetadataFromOrg(ctx context.Context, resourceOwner string) ([]eventstore.Command, error) {
-	existingUserMetadata, err := c.getUserMetadataByOrgListModelByID(ctx, resourceOwner)
-	if err != nil {
-		return nil, err
-	}
-	if len(existingUserMetadata.UserMetadata) == 0 {
-		return nil, nil
-	}
-	events := make([]eventstore.Command, 0)
-	for key, value := range existingUserMetadata.UserMetadata {
-		if len(value) == 0 {
-			continue
-		}
-		events = append(events, user.NewMetadataRemovedAllEvent(ctx, &user.NewAggregate(key, resourceOwner).Aggregate))
-	}
-	return events, nil
-}
-
 func (c *Commands) removeUserMetadata(ctx context.Context, userAgg *eventstore.Aggregate, metadataKey string) (command eventstore.Command, err error) {
 	command = user.NewMetadataRemovedEvent(
 		ctx,
@@ -197,12 +201,3 @@ func (c *Commands) getUserMetadataListModelByID(ctx context.Context, userID, res
 	}
 	return userMetadataWriteModel, nil
 }
-
-func (c *Commands) getUserMetadataByOrgListModelByID(ctx context.Context, resourceOwner string) (*UserMetadataByOrgListWriteModel, error) {
-	userMetadataWriteModel := NewUserMetadataByOrgListWriteModel(resourceOwner)
-	err := c.eventstore.FilterToQueryReducer(ctx, userMetadataWriteModel)
-	if err != nil {
-		return nil, err
-	}
-	return userMetadataWriteModel, nil
-}

internal/command/user_metadata_test.go

@@ -16,7 +16,8 @@ import (
 
 func TestCommandSide_SetUserMetadata(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type (
 		args struct {
@@ -39,10 +40,10 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 		{
 			name: "user not existing, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -60,8 +61,7 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 		{
 			name: "invalid metadata, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -78,7 +78,17 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							user.NewMetadataSetEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"key",
+								[]byte("value"),
 							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -95,8 +105,7 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 		{
 			name: "add metadata, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -113,6 +122,7 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(),
 					expectPush(
 						user.NewMetadataSetEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -121,6 +131,164 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				orgID:  "org1",
+				userID: "user1",
+				metadata: &domain.Metadata{
+					Key:   "key",
+					Value: []byte("value"),
+				},
+			},
+			res: res{
+				want: &domain.Metadata{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID:   "user1",
+						ResourceOwner: "org1",
+					},
+					Key:   "key",
+					Value: []byte("value"),
+					State: domain.MetadataStateActive,
+				},
+			},
+		},
+		{
+			name: "add metadata, reset, invalid",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"",
+								"firstname lastname",
+								language.Und,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							user.NewMetadataSetEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"key",
+								[]byte("value"),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				orgID:  "org1",
+				userID: "user1",
+				metadata: &domain.Metadata{
+					Key: "key",
+				},
+			},
+			res: res{
+				err: zerrors.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "add metadata, reset, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"",
+								"firstname lastname",
+								language.Und,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							user.NewMetadataSetEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"key",
+								[]byte("value"),
+							),
+						),
+					),
+					expectPush(
+						user.NewMetadataSetEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							"key",
+							[]byte("value2"),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				orgID:  "org1",
+				userID: "user1",
+				metadata: &domain.Metadata{
+					Key:   "key",
+					Value: []byte("value2"),
+				},
+			},
+			res: res{
+				want: &domain.Metadata{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID:   "user1",
+						ResourceOwner: "org1",
+					},
+					Key:   "key",
+					Value: []byte("value2"),
+					State: domain.MetadataStateActive,
+				},
+			},
+		},
+		{
+			name: "add metadata, reset, no change",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"",
+								"firstname lastname",
+								language.Und,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							user.NewMetadataSetEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"key",
+								[]byte("value"),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -147,7 +315,8 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.SetUserMetadata(tt.args.ctx, tt.args.metadata, tt.args.userID, tt.args.orgID)
 			if tt.res.err == nil {
@@ -165,7 +334,8 @@ func TestCommandSide_SetUserMetadata(t *testing.T) {
 
 func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type (
 		args struct {
@@ -188,9 +358,7 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 		{
 			name: "empty meta data list, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(),
-					t,
-				),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -204,8 +372,7 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 		{
 			name: "user not existing, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(),
 				),
 			},
@@ -225,8 +392,7 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 		{
 			name: "invalid metadata, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -243,7 +409,9 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -261,8 +429,7 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 		{
 			name: "add metadata, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -279,6 +446,7 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(),
 					expectPush(
 						user.NewMetadataSetEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -292,6 +460,7 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -312,7 +481,8 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.BulkSetUserMetadata(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.metadataList...)
 			if tt.res.err == nil {
@@ -330,7 +500,8 @@ func TestCommandSide_BulkSetUserMetadata(t *testing.T) {
 
 func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type (
 		args struct {
@@ -353,8 +524,7 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 		{
 			name: "user not existing, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(),
 				),
 			},
@@ -371,9 +541,7 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 		{
 			name: "invalid metadata, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(),
-					t,
-				),
 			},
 			args: args{
 				ctx:         context.Background(),
@@ -388,8 +556,7 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 		{
 			name: "meta data not existing, not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -408,6 +575,7 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 					),
 					expectFilter(),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:         context.Background(),
@@ -422,8 +590,7 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 		{
 			name: "remove metadata, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -456,6 +623,7 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:         context.Background(),
@@ -473,7 +641,8 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.RemoveUserMetadata(tt.args.ctx, tt.args.metadataKey, tt.args.userID, tt.args.orgID)
 			if tt.res.err == nil {
@@ -491,7 +660,8 @@ func TestCommandSide_UserRemoveMetadata(t *testing.T) {
 
 func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
 	}
 	type (
 		args struct {
@@ -514,9 +684,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 		{
 			name: "empty meta data list, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(),
-					t,
-				),
 			},
 			args: args{
 				ctx:    context.Background(),
@@ -530,8 +698,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 		{
 			name: "user not existing, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(),
 				),
 			},
@@ -548,8 +715,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 		{
 			name: "remove metadata keys not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -576,6 +742,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:          context.Background(),
@@ -590,8 +757,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 		{
 			name: "invalid metadata, pre condition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -625,6 +791,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:          context.Background(),
@@ -639,8 +806,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 		{
 			name: "remove metadata, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
+				eventstore: expectEventstore(
-					t,
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -684,6 +850,7 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 						),
 					),
 				),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:          context.Background(),
@@ -701,7 +868,8 @@ func TestCommandSide_BulkRemoveUserMetadata(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.BulkRemoveUserMetadata(tt.args.ctx, tt.args.userID, tt.args.orgID, tt.args.metadataList...)
 			if tt.res.err == nil {