fix: permission check for actions v1 post creation user grants (#10638)

# Which Problems Are Solved Unnecessary default permission check in creating an authorization fails even if the functionality was called internally. # How the Problems Are Solved Move permission check to the proper implementation, so that necessary permission checks are provided by the responsible API. # Additional Changes None # Additional Context Closes #10624 Co-authored-by: Livio Spring <livio.a@gmail.com> (cherry picked from commit bdefd9147f)
2025-11-03 12:14:20 +00:00 · 2025-09-03 16:39:18 +02:00
parent d5066237f9
commit 2dba5fa7fc
4 changed files with 18 additions and 15 deletions
--- a/internal/api/grpc/management/auth_checks.go
+++ b/internal/api/grpc/management/auth_checks.go
@@ -4,22 +4,27 @@ import (
 	"context"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

-func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error {
+func checkExplicitProjectPermission(ctx context.Context) command.UserGrantPermissionCheck {
 	permissions := authz.GetRequestPermissionsFromCtx(ctx)
 	if authz.HasGlobalPermission(permissions) {
 		return nil
 	}
 	ids := authz.GetAllPermissionCtxIDs(permissions)
-	if grantID != "" && listContainsID(ids, grantID) {
-		return nil
+	return func(projectID, grantID string) command.PermissionCheck {
+		return func(resourceOwner, aggregateID string) error {
+			if grantID != "" && listContainsID(ids, grantID) {
+				return nil
+			}
+			if listContainsID(ids, projectID) {
+				return nil
+			}
+			return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+		}
 	}
-	if listContainsID(ids, projectID) {
-		return nil
-	}
-	return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
 }

 func listContainsID(ids []string, id string) bool {
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -45,10 +45,7 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR

 func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) {
 	grant := AddUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID)
-	if err := checkExplicitProjectPermission(ctx, grant.ProjectGrantID, grant.ProjectID); err != nil {
-		return nil, err
-	}
-	grant, err := s.command.AddUserGrant(ctx, grant, nil)
+	grant, err := s.command.AddUserGrant(ctx, grant, checkExplicitProjectPermission(ctx))
 	if err != nil {
 		return nil, err
 	}
@@ -63,7 +60,7 @@ func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequ
 }

 func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) {
-	grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, nil)
+	grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, checkExplicitProjectPermission(ctx))
 	if err != nil {
 		return nil, err
 	}