fix: permission check for actions v1 post creation user grants (#10638)

# Which Problems Are Solved

Unnecessary default permission check in creating an authorization fails
even if the functionality was called internally.

# How the Problems Are Solved

Move permission check to the proper implementation, so that necessary
permission checks are provided by the responsible API.

# Additional Changes

None

# Additional Context

Closes #10624

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit bdefd9147f)

internal/api/grpc/management/auth_checks.go

@@ -4,22 +4,27 @@ import (
 	"context"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
-func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error {
+func checkExplicitProjectPermission(ctx context.Context) command.UserGrantPermissionCheck {
 	permissions := authz.GetRequestPermissionsFromCtx(ctx)
 	if authz.HasGlobalPermission(permissions) {
 		return nil
 	}
 	ids := authz.GetAllPermissionCtxIDs(permissions)
-	if grantID != "" && listContainsID(ids, grantID) {
-		return nil
+	return func(projectID, grantID string) command.PermissionCheck {
+		return func(resourceOwner, aggregateID string) error {
+			if grantID != "" && listContainsID(ids, grantID) {
+				return nil
+			}
+			if listContainsID(ids, projectID) {
+				return nil
+			}
+			return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+		}
 	}
-	if listContainsID(ids, projectID) {
-		return nil
-	}
-	return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
 }
 
 func listContainsID(ids []string, id string) bool {