fix: improve permission checks (#682)

* separate roles for global org * remove old user grant permissions * allow context permissions Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 21:27:42 +00:00 · 2020-09-01 16:38:34 +02:00
parent 0d44b69c0e
commit 370cd19a83
10 changed files with 98 additions and 36 deletions
--- a/internal/project/repository/eventsourcing/eventstore.go
+++ b/internal/project/repository/eventsourcing/eventstore.go
@@ -23,7 +23,8 @@ import (
 )

 const (
-	projectOwnerRole = "PROJECT_OWNER"
+	projectOwnerRole       = "PROJECT_OWNER"
+	projectOwnerGlobalRole = "PROJECT_OWNER_GLOBAL"
 )

 type ProjectEventstore struct {
@@ -78,7 +79,7 @@ func (es *ProjectEventstore) ProjectEventsByID(ctx context.Context, id string, s
 	return es.FilterEvents(ctx, query)
 }

-func (es *ProjectEventstore) CreateProject(ctx context.Context, project *proj_model.Project) (*proj_model.Project, error) {
+func (es *ProjectEventstore) CreateProject(ctx context.Context, project *proj_model.Project, global bool) (*proj_model.Project, error) {
 	if !project.IsValid() {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-IOVCC", "Errors.Project.Invalid")
 	}
@@ -89,9 +90,13 @@ func (es *ProjectEventstore) CreateProject(ctx context.Context, project *proj_mo
 	project.AggregateID = id
 	project.State = proj_model.ProjectStateActive
 	repoProject := model.ProjectFromModel(project)
+	projectRole := projectOwnerRole
+	if global {
+		projectRole = projectOwnerGlobalRole
+	}
 	member := &model.ProjectMember{
 		UserID: authz.GetCtxData(ctx).UserID,
-		Roles:  []string{projectOwnerRole},
+		Roles:  []string{projectRole},
 	}

 	createAggregate := ProjectCreateAggregate(es.AggregateCreator(), repoProject, member)
--- a/internal/project/repository/eventsourcing/eventstore_test.go
+++ b/internal/project/repository/eventsourcing/eventstore_test.go
@@ -82,9 +82,11 @@ func TestCreateProject(t *testing.T) {
 		es      *ProjectEventstore
 		ctx     context.Context
 		project *model.Project
+		global  bool
 	}
 	type res struct {
 		project *model.Project
+		role    string
 		wantErr bool
 		errFunc func(err error) bool
 	}
@@ -102,6 +104,20 @@ func TestCreateProject(t *testing.T) {
 			},
 			res: res{
 				project: &model.Project{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Name: "Name"},
+				role:    projectOwnerRole,
+			},
+		},
+		{
+			name: "create global project, ok",
+			args: args{
+				es:      GetMockManipulateProject(ctrl),
+				ctx:     authz.NewMockContext("orgID", "userID"),
+				project: &model.Project{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Name: "Name"},
+				global:  true,
+			},
+			res: res{
+				project: &model.Project{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID", Sequence: 1}, Name: "Name"},
+				role:    projectOwnerGlobalRole,
 			},
 		},
 		{
@@ -119,7 +135,7 @@ func TestCreateProject(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.CreateProject(tt.args.ctx, tt.args.project)
+			result, err := tt.args.es.CreateProject(tt.args.ctx, tt.args.project, tt.args.global)

 			if !tt.res.wantErr && result.AggregateID == "" {
 				t.Errorf("result has no id")
@@ -127,6 +143,9 @@ func TestCreateProject(t *testing.T) {
 			if !tt.res.wantErr && result.Name != tt.res.project.Name {
 				t.Errorf("got wrong result name: expected: %v, actual: %v ", tt.res.project.Name, result.Name)
 			}
+			if !tt.res.wantErr && result.Members[0].Roles[0] != tt.res.role {
+				t.Errorf("got wrong result role: expected: %v, actual: %v ", tt.res.role, result.Members[0].Roles[0])
+			}
 			if tt.res.wantErr && !tt.res.errFunc(err) {
 				t.Errorf("got wrong err: %v ", err)
 			}