feat: usergrant (#489)

* fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-10-19 05:42:35 +00:00 · 2020-07-22 14:00:29 +02:00
parent a9f0e15e65
commit 351aac22f8
24 changed files with 1522 additions and 1017 deletions
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@@ -722,7 +722,6 @@ service ManagementService {

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "project.read"
-            check_field_name: "ProjectId"
        };
    }

@@ -1112,6 +1111,28 @@ service ManagementService {
        };
    }

+    rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) {
+        option (google.api.http) = {
+            post: "/users/{user_id}/grants"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "user.grant.write"
+        };
+    }
+
+    rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) {
+        option (google.api.http) = {
+            put: "/users/{user_id}/grants/{id}"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "user.grant.write"
+        };
+    }
+
    rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) {
        option (google.api.http) = {
            put: "/users/{user_id}/grants/{id}/_deactivate"
@@ -1159,6 +1180,7 @@ service ManagementService {
    // search user grants based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projects/{project_id}/users/grants/_search"
            body: "*"
@@ -1173,6 +1195,7 @@ service ManagementService {
    // get user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
+        option deprecated = true;
        option (google.api.http) = {
            get: "/projects/{project_id}/users/{user_id}/grants/{id}"
        };
@@ -1186,6 +1209,7 @@ service ManagementService {
    // create user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projects/{project_id}/users/{user_id}/grants"
            body: "*"
@@ -1200,6 +1224,7 @@ service ManagementService {
    // update user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projects/{project_id}/users/{user_id}/grants/{id}"
            body: "*"
@@ -1214,6 +1239,7 @@ service ManagementService {
    // deactivate user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
            body: "*"
@@ -1228,6 +1254,7 @@ service ManagementService {
    // reactivate user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
            body: "*"
@@ -1242,6 +1269,7 @@ service ManagementService {
    // search user grants based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projectgrants/{project_grant_id}/users/grants/_search"
            body: "*"
@@ -1256,6 +1284,7 @@ service ManagementService {
    // get user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
+        option deprecated = true;
        option (google.api.http) = {
            get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
        };
@@ -1269,6 +1298,7 @@ service ManagementService {
    // create user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
            body: "*"
@@ -1283,6 +1313,7 @@ service ManagementService {
    // update user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
            body: "*"
@@ -1297,6 +1328,7 @@ service ManagementService {
    // deactivate user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
            body: "*"
@@ -1311,6 +1343,7 @@ service ManagementService {
    // reactivate user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
            body: "*"