feat: usergrant (#489)

* fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-12 01:37:31 +00:00 · 2020-07-22 14:00:29 +02:00
parent a9f0e15e65
commit 351aac22f8
24 changed files with 1522 additions and 1017 deletions
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@@ -98,7 +98,19 @@ func HasGlobalPermission(perms []string) bool {
 	return false
 }

-func GetPermissionCtxIDs(perms []string) []string {
+func HasGlobalExplicitPermission(perms []string, permToCheck string) bool {
+	for _, perm := range perms {
+		p, ctxID := SplitPermission(perm)
+		if p == permToCheck {
+			if ctxID == "" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func GetAllPermissionCtxIDs(perms []string) []string {
 	ctxIDs := make([]string, 0)
 	for _, perm := range perms {
 		_, ctxID := SplitPermission(perm)
@@ -108,3 +120,16 @@ func GetPermissionCtxIDs(perms []string) []string {
 	}
 	return ctxIDs
 }
+
+func GetExplicitPermissionCtxIDs(perms []string, searchPerm string) []string {
+	ctxIDs := make([]string, 0)
+	for _, perm := range perms {
+		p, ctxID := SplitPermission(perm)
+		if p == searchPerm {
+			if ctxID != "" {
+				ctxIDs = append(ctxIDs, ctxID)
+			}
+		}
+	}
+	return ctxIDs
+}
--- a/internal/api/authz/authorization_test.go
+++ b/internal/api/authz/authorization_test.go
@@ -269,7 +269,7 @@ func Test_GetPermissionCtxIDs(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := GetPermissionCtxIDs(tt.args.perms)
+			result := GetAllPermissionCtxIDs(tt.args.perms)
 			if !equalStringArray(result, tt.result) {
 				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
 			}
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -10,8 +10,9 @@ import (
 type key int

 const (
-	permissionsKey key = 1
-	dataKey        key = 2
+	requestPermissionsKey key = 1
+	dataKey               key = 2
+	allPermissionsKey     key = 3
 )

 type CtxData struct {
@@ -59,7 +60,12 @@ func GetCtxData(ctx context.Context) CtxData {
 	return ctxData
 }

-func GetPermissionsFromCtx(ctx context.Context) []string {
-	ctxPermission, _ := ctx.Value(permissionsKey).([]string)
+func GetRequestPermissionsFromCtx(ctx context.Context) []string {
+	ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
+	return ctxPermission
+}
+
+func GetAllPermissionsFromCtx(ctx context.Context) []string {
+	ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
 	return ctxPermission
 }
--- a/internal/api/authz/permissions.go
+++ b/internal/api/authz/permissions.go
@@ -16,34 +16,40 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
 		return nil, nil, err
 	}
 	if grant == nil {
-		return context.WithValue(ctx, permissionsKey, []string{}), []string{}, nil
+		return context.WithValue(ctx, requestPermissionsKey, []string{}), []string{}, nil
 	}
-	permissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
-	return context.WithValue(ctx, permissionsKey, permissions), permissions, nil
+	requestPermissions, allPermissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
+	ctx = context.WithValue(ctx, allPermissionsKey, allPermissions)
+	return context.WithValue(ctx, requestPermissionsKey, requestPermissions), requestPermissions, nil
 }

-func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string {
-	resolvedPermissions := make([]string, 0)
+func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) ([]string, []string) {
+	requestPermissions := make([]string, 0)
+	allPermissions := make([]string, 0)
 	for _, role := range grant.Roles {
-		resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions)
+		requestPermissions, allPermissions = mapRoleToPerm(requiredPerm, role, authConfig, requestPermissions, allPermissions)
 	}

-	return resolvedPermissions
+	return requestPermissions, allPermissions
 }

-func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string {
+func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
 	roleName, roleContextID := SplitPermission(actualRole)
 	perms := authConfig.getPermissionsFromRole(roleName)

 	for _, p := range perms {
+		permWithCtx := addRoleContextIDToPerm(p, roleContextID)
+		if !ExistsPerm(allPermissions, permWithCtx) {
+			allPermissions = append(allPermissions, permWithCtx)
+		}
+
 		if p == requiredPerm {
-			p = addRoleContextIDToPerm(p, roleContextID)
-			if !ExistsPerm(resolvedPermissions, p) {
-				resolvedPermissions = append(resolvedPermissions, p)
+			if !ExistsPerm(requestPermissions, permWithCtx) {
+				requestPermissions = append(requestPermissions, permWithCtx)
 			}
 		}
 	}
-	return resolvedPermissions
+	return requestPermissions, allPermissions
 }

 func addRoleContextIDToPerm(perm, roleContextID string) string {
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@@ -157,9 +157,10 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 		authConfig   Config
 	}
 	tests := []struct {
-		name   string
-		args   args
-		result []string
+		name         string
+		args         args
+		requestPerms []string
+		allPerms     []string
 	}{
 		{
 			name: "One Role existing perm",
@@ -179,7 +180,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "One Role not existing perm",
@@ -199,7 +201,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{},
+			requestPerms: []string{},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "Multiple Roles one existing",
@@ -219,7 +222,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "Multiple Roles, global and specific",
@@ -239,14 +243,18 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{"project.read", "project.read:1"},
+			requestPerms: []string{"project.read", "project.read:1"},
+			allPerms:     []string{"org.read", "project.read", "project.read:1"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
-			if !equalStringArray(result, tt.result) {
-				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			requestPerms, allPerms := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
+			if !equalStringArray(requestPerms, tt.requestPerms) {
+				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
+			}
+			if !equalStringArray(allPerms, tt.allPerms) {
+				t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
 			}
 		})
 	}
@@ -254,15 +262,17 @@ func Test_MapGrantsToPermissions(t *testing.T) {

 func Test_MapRoleToPerm(t *testing.T) {
 	type args struct {
-		requiredPerm        string
-		actualRole          string
-		authConfig          Config
-		resolvedPermissions []string
+		requiredPerm string
+		actualRole   string
+		authConfig   Config
+		requestPerms []string
+		allPerms     []string
 	}
 	tests := []struct {
-		name   string
-		args   args
-		result []string
+		name         string
+		args         args
+		requestPerms []string
+		allPerms     []string
 	}{
 		{
 			name: "first perm without context id",
@@ -281,9 +291,11 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{},
+				requestPerms: []string{},
+				allPerms:     []string{},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "existing perm without context id",
@@ -302,9 +314,11 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{"project.read"},
+				requestPerms: []string{"project.read"},
+				allPerms:     []string{"org.read", "project.read"},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "first perm with context id",
@@ -323,9 +337,11 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{},
+				requestPerms: []string{},
+				allPerms:     []string{},
 			},
-			result: []string{"project.read:1"},
+			requestPerms: []string{"project.read:1"},
+			allPerms:     []string{"project.read:1"},
 		},
 		{
 			name: "perm with context id, existing global",
@@ -344,16 +360,21 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{"project.read"},
+				requestPerms: []string{"project.read"},
+				allPerms:     []string{"org.read", "project.read"},
 			},
-			result: []string{"project.read", "project.read:1"},
+			requestPerms: []string{"project.read", "project.read:1"},
+			allPerms:     []string{"org.read", "project.read", "project.read:1"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.resolvedPermissions)
-			if !equalStringArray(result, tt.result) {
-				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			requestPerms, allPerms := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
+			if !equalStringArray(requestPerms, tt.requestPerms) {
+				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
+			}
+			if !equalStringArray(allPerms, tt.allPerms) {
+				t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
 			}
 		})
 	}
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@@ -61,7 +61,7 @@ func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*ma
 func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) {
 	request := grantedProjectSearchRequestsToModel(in)
 	request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
-	response, err := s.project.SearchProjectGrants(ctx, request)
+	response, err := s.project.SearchGrantedProjects(ctx, request)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -27,6 +27,22 @@ func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGran
 	return userGrantViewFromModel(user), nil
 }

+func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
+	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) {
+	user, err := s.usergrant.ChangeUserGrant(ctx, userGrantUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
 func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
 	if err != nil {
--- a/internal/auth/repository/eventsourcing/handler/user_grant.go
+++ b/internal/auth/repository/eventsourcing/handler/user_grant.go
@@ -231,7 +231,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
 			return err
 		}
 		if roleSuffix != "" {
-			roleKeys = suffixRoles(event.AggregateID, roleKeys)
+			roleKeys = suffixRoles(roleSuffix, roleKeys)
 		}
 		if errors.IsNotFound(err) {
 			grant = &view_model.UserGrantView{
--- a/internal/authz/repository/eventsourcing/handler/user_grant.go
+++ b/internal/authz/repository/eventsourcing/handler/user_grant.go
@@ -150,7 +150,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
 			return err
 		}
 		if roleSuffix != "" {
-			roleKeys = suffixRoles(event.AggregateID, roleKeys)
+			roleKeys = suffixRoles(roleSuffix, roleKeys)
 		}
 		if errors.IsNotFound(err) {
 			grant = &view_model.UserGrantView{
--- a/internal/management/repository/eventsourcing/eventstore/project.go
+++ b/internal/management/repository/eventsourcing/eventstore/project.go
@@ -82,15 +82,38 @@ func (repo *ProjectRepo) ReactivateProject(ctx context.Context, id string) (*pro

 func (repo *ProjectRepo) SearchProjects(ctx context.Context, request *proj_model.ProjectViewSearchRequest) (*proj_model.ProjectViewSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
-
-	permissions := authz.GetPermissionsFromCtx(ctx)
-	if !authz.HasGlobalPermission(permissions) {
-		ids := authz.GetPermissionCtxIDs(permissions)
-		request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
-	}
-
 	sequence, err := repo.View.GetLatestProjectSequence()
 	logging.Log("EVENT-Edc56").OnError(err).Warn("could not read latest project sequence")
+
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if !authz.HasGlobalPermission(permissions) {
+		ids := authz.GetAllPermissionCtxIDs(permissions)
+		if _, q := request.GetSearchQuery(proj_model.ProjectViewSearchKeyProjectID); q != nil {
+			containsID := false
+			for _, id := range ids {
+				if id == q.Value {
+					containsID = true
+					break
+				}
+			}
+			if !containsID {
+				result := &proj_model.ProjectViewSearchResponse{
+					Offset:      request.Offset,
+					Limit:       request.Limit,
+					TotalResult: uint64(0),
+					Result:      []*proj_model.ProjectView{},
+				}
+				if err == nil {
+					result.Sequence = sequence.CurrentSequence
+					result.Timestamp = sequence.CurrentTimestamp
+				}
+				return result, nil
+			}
+		} else {
+			request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
+		}
+	}
+
 	projects, count, err := repo.View.SearchProjects(request)
 	if err != nil {
 		return nil, err
@@ -348,6 +371,57 @@ func (repo *ProjectRepo) SearchProjectGrants(ctx context.Context, request *proj_
 	return result, nil
 }

+func (repo *ProjectRepo) SearchGrantedProjects(ctx context.Context, request *proj_model.ProjectGrantViewSearchRequest) (*proj_model.ProjectGrantViewSearchResponse, error) {
+	request.EnsureLimit(repo.SearchLimit)
+	sequence, err := repo.View.GetLatestProjectGrantSequence()
+	logging.Log("EVENT-Skw9f").OnError(err).Warn("could not read latest project grant sequence")
+
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if !authz.HasGlobalPermission(permissions) {
+		ids := authz.GetAllPermissionCtxIDs(permissions)
+		if _, q := request.GetSearchQuery(proj_model.GrantedProjectSearchKeyGrantID); q != nil {
+			containsID := false
+			for _, id := range ids {
+				if id == q.Value {
+					containsID = true
+					break
+				}
+			}
+			if !containsID {
+				result := &proj_model.ProjectGrantViewSearchResponse{
+					Offset:      request.Offset,
+					Limit:       request.Limit,
+					TotalResult: uint64(0),
+					Result:      []*proj_model.ProjectGrantView{},
+				}
+				if err == nil {
+					result.Sequence = sequence.CurrentSequence
+					result.Timestamp = sequence.CurrentTimestamp
+				}
+				return result, nil
+			}
+		} else {
+			request.Queries = append(request.Queries, &proj_model.ProjectGrantViewSearchQuery{Key: proj_model.GrantedProjectSearchKeyGrantID, Method: global_model.SearchMethodIsOneOf, Value: ids})
+		}
+	}
+
+	projects, count, err := repo.View.SearchProjectGrants(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &proj_model.ProjectGrantViewSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: uint64(count),
+		Result:      model.ProjectGrantsToModel(projects),
+	}
+	if err == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.CurrentTimestamp
+	}
+	return result, nil
+}
+
 func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
 	return repo.ProjectEvents.AddProjectGrant(ctx, grant)
 }
--- a/internal/management/repository/eventsourcing/eventstore/user_grant.go
+++ b/internal/management/repository/eventsourcing/eventstore/user_grant.go
@@ -3,10 +3,18 @@ package eventstore
 import (
 	"context"
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errors "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
+	global_model "github.com/caos/zitadel/internal/model"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/usergrant/repository/view/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	projectReadPerm = "project.read"
 )

 type UserGrantRepo struct {
@@ -24,34 +32,88 @@ func (repo *UserGrantRepo) UserGrantByID(ctx context.Context, grantID string) (*
 }

 func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
+	err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.AddUserGrant(ctx, grant)
 }

 func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
+	err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.ChangeUserGrant(ctx, grant)
 }

 func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
+	grant, err := repo.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return nil, err
+	}
+	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID)
 }

 func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
+	grant, err := repo.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return nil, err
+	}
+	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID)
 }

 func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error {
+	grant, err := repo.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return err
+	}
+	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return err
+	}
 	return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
 }

 func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	for _, grant := range grants {
+		err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+		if err != nil {
+			return err
+		}
+	}
 	return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
 }

 func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	for _, grant := range grants {
+		err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+		if err != nil {
+			return err
+		}
+	}
 	return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
 }

 func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
+	for _, grantID := range grantIDs {
+		grant, err := repo.UserGrantByID(ctx, grantID)
+		if err != nil {
+			return err
+		}
+		err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+		if err != nil {
+			return err
+		}
+	}
 	return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
 }

@@ -59,11 +121,18 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, err := repo.View.GetLatestUserGrantSequence()
 	logging.Log("EVENT-5Viwf").OnError(err).Warn("could not read latest user grant sequence")
+
+	result := handleSearchUserGrantPermissions(ctx, request, sequence)
+	if result != nil {
+		return result, nil
+	}
+
 	grants, count, err := repo.View.SearchUserGrants(request)
 	if err != nil {
 		return nil, err
 	}
-	result := &grant_model.UserGrantSearchResponse{
+
+	result = &grant_model.UserGrantSearchResponse{
 		Offset:      request.Offset,
 		Limit:       request.Limit,
 		TotalResult: uint64(count),
@@ -75,3 +144,67 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
 	}
 	return result, nil
 }
+
+func handleSearchUserGrantPermissions(ctx context.Context, request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
+	permissions := authz.GetAllPermissionsFromCtx(ctx)
+	if authz.HasGlobalExplicitPermission(permissions, projectReadPerm) {
+		return nil
+	}
+
+	ids := authz.GetExplicitPermissionCtxIDs(permissions, projectReadPerm)
+	if _, q := request.GetSearchQuery(grant_model.UserGrantSearchKeyProjectID); q != nil {
+		containsID := false
+		for _, id := range ids {
+			if id == q.Value {
+				containsID = true
+				break
+			}
+		}
+		if !containsID {
+			result := &grant_model.UserGrantSearchResponse{
+				Offset:      request.Offset,
+				Limit:       request.Limit,
+				TotalResult: uint64(0),
+				Result:      []*grant_model.UserGrantView{},
+			}
+			if sequence != nil {
+				result.Sequence = sequence.CurrentSequence
+				result.Timestamp = sequence.CurrentTimestamp
+			}
+			return result
+		}
+	}
+	request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
+	return nil
+}
+
+func checkExplicitPermission(ctx context.Context, grantID, projectID string) error {
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if authz.HasGlobalPermission(permissions) {
+		return nil
+	}
+	ids := authz.GetAllPermissionCtxIDs(permissions)
+	containsID := false
+	if grantID != "" {
+		containsID = listContainsID(ids, grantID)
+		if containsID {
+			return nil
+		}
+	}
+	containsID = listContainsID(ids, projectID)
+	if !containsID {
+		return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+	}
+	return nil
+}
+
+func listContainsID(ids []string, id string) bool {
+	containsID := false
+	for _, i := range ids {
+		if i == id {
+			containsID = true
+			break
+		}
+	}
+	return containsID
+}
--- a/internal/management/repository/project.go
+++ b/internal/management/repository/project.go
@@ -14,6 +14,7 @@ type ProjectRepository interface {
 	ReactivateProject(ctx context.Context, id string) (*model.Project, error)
 	SearchProjects(ctx context.Context, request *model.ProjectViewSearchRequest) (*model.ProjectViewSearchResponse, error)
 	SearchProjectGrants(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
+	SearchGrantedProjects(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
 	ProjectGrantViewByID(ctx context.Context, grantID string) (*model.ProjectGrantView, error)

 	ProjectMemberByID(ctx context.Context, projectID, userID string) (*model.ProjectMemberView, error)
--- a/internal/project/model/project_grant_view.go
+++ b/internal/project/model/project_grant_view.go
@@ -56,6 +56,15 @@ type ProjectGrantViewSearchResponse struct {
 	Timestamp   time.Time
 }

+func (r *ProjectGrantViewSearchRequest) GetSearchQuery(key ProjectGrantViewSearchKey) (int, *ProjectGrantViewSearchQuery) {
+	for i, q := range r.Queries {
+		if q.Key == key {
+			return i, q
+		}
+	}
+	return -1, nil
+}
+
 func (r *ProjectGrantViewSearchRequest) AppendMyOrgQuery(orgID string) {
 	r.Queries = append(r.Queries, &ProjectGrantViewSearchQuery{Key: GrantedProjectSearchKeyOrgID, Method: model.SearchMethodEquals, Value: orgID})
 }
--- a/internal/project/model/project_view.go
+++ b/internal/project/model/project_view.go
@@ -47,6 +47,15 @@ type ProjectViewSearchResponse struct {
 	Timestamp   time.Time
 }

+func (r *ProjectViewSearchRequest) GetSearchQuery(key ProjectViewSearchKey) (int, *ProjectViewSearchQuery) {
+	for i, q := range r.Queries {
+		if q.Key == key {
+			return i, q
+		}
+	}
+	return -1, nil
+}
+
 func (r *ProjectViewSearchRequest) AppendMyResourceOwnerQuery(orgID string) {
 	r.Queries = append(r.Queries, &ProjectViewSearchQuery{Key: ProjectViewSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
 }
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@@ -109,6 +109,7 @@ Errors:
    IDMissing: Id fehlt
    NotActive: Benutzer Berechtigung ist nicht aktiv
    NotInactive: Benutzer Berechtigung ist nicht deaktiviert
+    NoPermissionForProject: Benutzer hat keine Rechte auf diesem Projekt
  Changes:
    NotFound: Es konnte kein Änderungsverlauf gefunden werden
  Token:
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -109,6 +109,7 @@ Errors:
    IDMissing: Id missing
    NotActive: User grant is not active
    NotInactive: User grant is not deactivated
+    NoPermissionForProject: User has no permissions on this project
  Changes:
    NotFound: No history found
  Token:
--- a/internal/usergrant/model/user_grant_view.go
+++ b/internal/usergrant/model/user_grant_view.go
@@ -71,6 +71,15 @@ func (r *UserGrantSearchRequest) EnsureLimit(limit uint64) {
 	}
 }

+func (r *UserGrantSearchRequest) GetSearchQuery(key UserGrantSearchKey) (int, *UserGrantSearchQuery) {
+	for i, q := range r.Queries {
+		if q.Key == key {
+			return i, q
+		}
+	}
+	return -1, nil
+}
+
 func (r *UserGrantSearchRequest) AppendMyOrgQuery(orgID string) {
 	r.Queries = append(r.Queries, &UserGrantSearchQuery{Key: UserGrantSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
 }
--- a/internal/view/repository/query.go
+++ b/internal/view/repository/query.go
@@ -76,7 +76,7 @@ func SetQuery(query *gorm.DB, key ColumnKey, value interface{}, method model.Sea
 	case model.SearchMethodStartsWith:
 		valueText, ok := value.(string)
 		if !ok {
-			return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-idu8e", "Starts with only possible for strings")
+			return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-SLj7s", "Starts with only possible for strings")
 		}
 		query = query.Where(column+" LIKE ?", valueText+"%")
 	case model.SearchMethodStartsWithIgnoreCase: