fix: generalise permission check for query user information (#8458)

# Which Problems Are Solved IDPLinks list and other list endpoints can provide you with empty results if the used user has no permission for the information. # How the Problems Are Solved List endpoints with subelements to users, and provided userIDQuery, will return a PermissionDenied error if no permission for the user exsists. # Additional Changes Function to check for permission is re-used from the GetUserByID. # Additional Context Closes #8451
2025-08-11 21:07:31 +00:00 · 2024-08-23 08:44:18 +02:00
parent 8051a63147
commit 2847806531
27 changed files with 552 additions and 111 deletions
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -125,15 +125,9 @@ type NotifyUser struct {
 }

 func usersCheckPermission(ctx context.Context, users *Users, permissionCheck domain.PermissionCheck) {
-	ctxData := authz.GetCtxData(ctx)
 	users.Users = slices.DeleteFunc(users.Users,
 		func(user *User) bool {
-			if ctxData.UserID != user.ID {
-				if err := permissionCheck(ctx, domain.PermissionUserRead, user.ResourceOwner, user.ID); err != nil {
-					return true
-				}
-			}
-			return false
+			return userCheckPermission(ctx, user.ResourceOwner, user.ID, permissionCheck) != nil
 		},
 	)
 }
@@ -347,6 +341,27 @@ var (
 //go:embed user_by_id.sql
 var userByIDQuery string

+func userCheckPermission(ctx context.Context, resourceOwner string, userID string, permissionCheck domain.PermissionCheck) error {
+	ctxData := authz.GetCtxData(ctx)
+	if ctxData.UserID != userID {
+		if err := permissionCheck(ctx, domain.PermissionUserRead, resourceOwner, userID); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (q *Queries) GetUserByIDWithPermission(ctx context.Context, shouldTriggerBulk bool, userID string, permissionCheck domain.PermissionCheck) (*User, error) {
+	user, err := q.GetUserByID(ctx, shouldTriggerBulk, userID)
+	if err != nil {
+		return nil, err
+	}
+	if err := userCheckPermission(ctx, user.ResourceOwner, user.ID, permissionCheck); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
 func (q *Queries) GetUserByID(ctx context.Context, shouldTriggerBulk bool, userID string) (user *User, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()