From 388582d348db82771507ddc875f280af66d3dfab Mon Sep 17 00:00:00 2001 From: Iraq <66622793+kkrime@users.noreply.github.com> Date: Fri, 22 Aug 2025 08:08:53 +0200 Subject: [PATCH] fix(project_roles): fixed bad permission check in command layer for project roles add/update/delete (#10531) # Which Problems Are Solved Project Admins would get permission errors when trying to add project roles # How the Problems Are Solved Fixed wrong parameters were being passed into the permission check - Closes https://github.com/zitadel/zitadel/issues/10505 (cherry picked from commit 24a7d3ceb19d21cbbae3f419cf1e9c7b0991ed2a) --- .../integration_test/project_role_test.go | 207 ++++++++++++++---- internal/command/project_role.go | 16 +- 2 files changed, 171 insertions(+), 52 deletions(-) diff --git a/internal/api/grpc/project/v2beta/integration_test/project_role_test.go b/internal/api/grpc/project/v2beta/integration_test/project_role_test.go index 8ac44308b47..a1c004f22d5 100644 --- a/internal/api/grpc/project/v2beta/integration_test/project_role_test.go +++ b/internal/api/grpc/project/v2beta/integration_test/project_role_test.go @@ -12,6 +12,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/zitadel/zitadel/internal/integration" + "github.com/zitadel/zitadel/pkg/grpc/management" project "github.com/zitadel/zitadel/pkg/grpc/project/v2beta" ) @@ -29,7 +30,7 @@ func TestServer_AddProjectRole(t *testing.T) { tests := []struct { name string ctx context.Context - prepare func(request *project.AddProjectRoleRequest) + prepare func(t *testing.T, request *project.AddProjectRoleRequest) req *project.AddProjectRoleRequest want wantErr bool @@ -37,7 +38,7 @@ func TestServer_AddProjectRole(t *testing.T) { { name: "empty key", ctx: iamOwnerCtx, - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -50,7 +51,7 @@ func TestServer_AddProjectRole(t *testing.T) { { name: "empty displayname", ctx: iamOwnerCtx, - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -63,7 +64,7 @@ func TestServer_AddProjectRole(t *testing.T) { { name: "already existing, error", ctx: iamOwnerCtx, - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { request.ProjectId = alreadyExistingProject.GetId() }, req: &project.AddProjectRoleRequest{ @@ -75,7 +76,7 @@ func TestServer_AddProjectRole(t *testing.T) { { name: "empty, ok", ctx: iamOwnerCtx, - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -91,7 +92,7 @@ func TestServer_AddProjectRole(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { if tt.prepare != nil { - tt.prepare(tt.req) + tt.prepare(t, tt.req) } creationDate := time.Now().UTC() @@ -118,18 +119,20 @@ func TestServer_AddProjectRole_Permission(t *testing.T) { type want struct { creationDate bool } - tests := []struct { + + type test struct { name string ctx context.Context - prepare func(request *project.AddProjectRoleRequest) + prepare func(t *testing.T, request *project.AddProjectRoleRequest) req *project.AddProjectRoleRequest want wantErr bool - }{ + } + tests := []*test{ { name: "unauthenticated", ctx: CTX, - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -142,7 +145,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) { { name: "no permission", ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission), - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -155,7 +158,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) { { name: "organization owner, other org", ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner), - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -168,7 +171,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) { { name: "organization owner, ok", ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner), - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -183,7 +186,7 @@ func TestServer_AddProjectRole_Permission(t *testing.T) { { name: "instance owner, ok", ctx: iamOwnerCtx, - prepare: func(request *project.AddProjectRoleRequest) { + prepare: func(t *testing.T, request *project.AddProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) request.ProjectId = projectResp.GetId() }, @@ -195,11 +198,47 @@ func TestServer_AddProjectRole_Permission(t *testing.T) { creationDate: true, }, }, + func() *test { + out := test{ + name: "add project role as a added project admin, ok", + req: &project.AddProjectRoleRequest{ + RoleKey: integration.RoleKey(), + DisplayName: integration.RoleDisplayName(), + }, + want: want{ + creationDate: true, + }, + } + + out.prepare = func(t *testing.T, request *project.AddProjectRoleRequest) { + // create project + projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false) + // create user + userID := instance.CreateHumanUser(iamOwnerCtx).GetUserId() + loginCTX := instance.WithAuthorization(iamOwnerCtx, integration.UserTypeLogin) + instance.RegisterUserPasskey(iamOwnerCtx, userID) + _, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID) + // assign user as project admin + _, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{ + ProjectId: projectResp.GetId(), + UserId: userID, + Roles: []string{"PROJECT_OWNER_GLOBAL"}, + }) + assert.NoError(t, err) + + // set context + out.ctx = integration.WithAuthorizationToken(context.Background(), token) + + request.ProjectId = projectResp.GetId() + } + + return &out + }(), } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { if tt.prepare != nil { - tt.prepare(tt.req) + tt.prepare(t, tt.req) } creationDate := time.Now().UTC() @@ -241,14 +280,14 @@ func TestServer_UpdateProjectRole(t *testing.T) { } tests := []struct { name string - prepare func(request *project.UpdateProjectRoleRequest) + prepare func(t *testing.T, request *project.UpdateProjectRoleRequest) args args want want wantErr bool }{ { name: "missing permission", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -265,7 +304,7 @@ func TestServer_UpdateProjectRole(t *testing.T) { }, { name: "not existing", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { request.RoleKey = "notexisting" return }, @@ -279,7 +318,7 @@ func TestServer_UpdateProjectRole(t *testing.T) { }, { name: "no change, ok", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -298,7 +337,7 @@ func TestServer_UpdateProjectRole(t *testing.T) { }, { name: "change display name, ok", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -318,7 +357,7 @@ func TestServer_UpdateProjectRole(t *testing.T) { }, { name: "change full, ok", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -341,7 +380,7 @@ func TestServer_UpdateProjectRole(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { creationDate := time.Now().UTC() - tt.prepare(tt.args.req) + tt.prepare(t, tt.args.req) got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req) if tt.wantErr { @@ -370,16 +409,17 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) { change bool changeDate bool } - tests := []struct { + type test struct { name string - prepare func(request *project.UpdateProjectRoleRequest) + prepare func(t *testing.T, request *project.UpdateProjectRoleRequest) args args want want wantErr bool - }{ + } + tests := []*test{ { name: "unauthenicated", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -396,7 +436,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) { }, { name: "no permission", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -413,7 +453,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) { }, { name: "organization owner, other org", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -430,7 +470,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) { }, { name: "organization owner, ok", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -450,7 +490,7 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) { }, { name: "instance owner, ok", - prepare: func(request *project.UpdateProjectRoleRequest) { + prepare: func(t *testing.T, request *project.UpdateProjectRoleRequest) { projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") @@ -468,11 +508,53 @@ func TestServer_UpdateProjectRole_Permission(t *testing.T) { changeDate: true, }, }, + func() *test { + out := test{ + name: "change project role as a added project admin, ok", + args: args{ + req: &project.UpdateProjectRoleRequest{ + DisplayName: gu.Ptr(integration.RoleKey()), + Group: gu.Ptr(integration.RoleKey()), + }, + }, + want: want{ + change: true, + changeDate: true, + }, + } + + out.prepare = func(t *testing.T, request *project.UpdateProjectRoleRequest) { + // create project + projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false) + // create user + userID := instance.CreateHumanUser(iamOwnerCtx).GetUserId() + loginCTX := instance.WithAuthorization(iamOwnerCtx, integration.UserTypeLogin) + instance.RegisterUserPasskey(iamOwnerCtx, userID) + _, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID) + // assign user as project admin + _, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{ + ProjectId: projectResp.GetId(), + UserId: userID, + Roles: []string{"PROJECT_OWNER_GLOBAL"}, + }) + assert.NoError(t, err) + + // set context + out.args.ctx = integration.WithAuthorizationToken(context.Background(), token) + + roleName := integration.RoleKey() + instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") + request.ProjectId = projectResp.GetId() + request.RoleKey = roleName + } + + return &out + }(), } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { creationDate := time.Now().UTC() - tt.prepare(tt.args.req) + tt.prepare(t, tt.args.req) got, err := instance.Client.Projectv2Beta.UpdateProjectRole(tt.args.ctx, tt.args.req) if tt.wantErr { @@ -508,7 +590,7 @@ func TestServer_DeleteProjectRole(t *testing.T) { tests := []struct { name string ctx context.Context - prepare func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) + prepare func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) req *project.RemoveProjectRoleRequest wantDeletionDate bool wantErr bool @@ -534,7 +616,7 @@ func TestServer_DeleteProjectRole(t *testing.T) { { name: "delete", ctx: iamOwnerCtx, - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -549,7 +631,7 @@ func TestServer_DeleteProjectRole(t *testing.T) { { name: "delete, already removed", ctx: iamOwnerCtx, - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -567,7 +649,7 @@ func TestServer_DeleteProjectRole(t *testing.T) { t.Run(tt.name, func(t *testing.T) { var creationDate, deletionDate time.Time if tt.prepare != nil { - creationDate, deletionDate = tt.prepare(tt.req) + creationDate, deletionDate = tt.prepare(t, tt.req) } got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req) if tt.wantErr { @@ -584,18 +666,19 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) { iamOwnerCtx := instance.WithAuthorizationToken(CTX, integration.UserTypeIAMOwner) orgResp := instance.CreateOrganization(iamOwnerCtx, integration.OrganizationName(), gofakeit.Email()) - tests := []struct { + type test struct { name string ctx context.Context - prepare func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) + prepare func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) req *project.RemoveProjectRoleRequest wantDeletionDate bool wantErr bool - }{ + } + tests := []*test{ { name: "unauthenticated", ctx: CTX, - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -610,7 +693,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) { { name: "no permission", ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeNoPermission), - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -625,7 +708,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) { { name: "organization owner, other org", ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner), - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -640,7 +723,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) { { name: "organization owner, ok", ctx: instance.WithAuthorizationToken(CTX, integration.UserTypeOrgOwner), - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.GetId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -655,7 +738,7 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) { { name: "instance owner, ok", ctx: iamOwnerCtx, - prepare: func(request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + prepare: func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { creationDate := time.Now().UTC() projectResp := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), integration.ProjectName(), false, false) roleName := integration.RoleKey() @@ -667,12 +750,48 @@ func TestServer_DeleteProjectRole_Permission(t *testing.T) { req: &project.RemoveProjectRoleRequest{}, wantDeletionDate: true, }, + func() *test { + out := test{ + name: "delete project role as a added project admin, ok", + req: &project.RemoveProjectRoleRequest{}, + wantDeletionDate: true, + } + + out.prepare = func(t *testing.T, request *project.RemoveProjectRoleRequest) (time.Time, time.Time) { + // create project + creationDate := time.Now().UTC() + projectResp := instance.CreateProject(iamOwnerCtx, t, instance.DefaultOrg.Id, integration.ProjectName(), false, false) + // create user + userID := instance.CreateHumanUser(iamOwnerCtx).GetUserId() + loginCTX := instance.WithAuthorization(iamOwnerCtx, integration.UserTypeLogin) + instance.RegisterUserPasskey(iamOwnerCtx, userID) + _, token, _, _ := instance.CreateVerifiedWebAuthNSession(t, loginCTX, userID) + // assign user as project admin + _, err := instance.Client.Mgmt.AddProjectMember(iamOwnerCtx, &management.AddProjectMemberRequest{ + ProjectId: projectResp.GetId(), + UserId: userID, + Roles: []string{"PROJECT_OWNER_GLOBAL"}, + }) + assert.NoError(t, err) + + // set context + out.ctx = integration.WithAuthorizationToken(context.Background(), token) + + roleName := integration.RoleKey() + instance.AddProjectRole(iamOwnerCtx, t, projectResp.GetId(), roleName, roleName, "") + request.ProjectId = projectResp.GetId() + request.RoleKey = roleName + return creationDate, time.Time{} + } + + return &out + }(), } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { var creationDate, deletionDate time.Time if tt.prepare != nil { - creationDate, deletionDate = tt.prepare(tt.req) + creationDate, deletionDate = tt.prepare(t, tt.req) } got, err := instance.Client.Projectv2Beta.RemoveProjectRole(tt.ctx, tt.req) if tt.wantErr { diff --git a/internal/command/project_role.go b/internal/command/project_role.go index 60d002b9674..efee594a3f3 100644 --- a/internal/command/project_role.go +++ b/internal/command/project_role.go @@ -36,7 +36,7 @@ func (c *Commands) AddProjectRole(ctx context.Context, projectRole *AddProjectRo if projectRole.ResourceOwner == "" { projectRole.ResourceOwner = projectResourceOwner } - if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil { + if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.AggregateID); err != nil { return nil, err } @@ -61,8 +61,8 @@ func (c *Commands) AddProjectRole(ctx context.Context, projectRole *AddProjectRo return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil } -func (c *Commands) checkPermissionWriteProjectRole(ctx context.Context, resourceOwner, roleKey string) error { - return c.checkPermission(ctx, domain.PermissionProjectRoleWrite, resourceOwner, roleKey) +func (c *Commands) checkPermissionWriteProjectRole(ctx context.Context, orgID, projectID string) error { + return c.checkPermission(ctx, domain.PermissionProjectRoleWrite, orgID, projectID) } func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*AddProjectRole) (details *domain.ObjectDetails, err error) { @@ -74,7 +74,7 @@ func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOw if projectRole.ResourceOwner == "" { projectRole.ResourceOwner = projectResourceOwner } - if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil { + if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectID); err != nil { return nil, err } if projectRole.ResourceOwner != projectResourceOwner { @@ -135,7 +135,7 @@ func (c *Commands) ChangeProjectRole(ctx context.Context, projectRole *ChangePro if projectRole.ResourceOwner == "" { projectRole.ResourceOwner = projectResourceOwner } - if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.Key); err != nil { + if err := c.checkPermissionWriteProjectRole(ctx, projectRole.ResourceOwner, projectRole.AggregateID); err != nil { return nil, err } @@ -175,7 +175,7 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour if !existingRole.State.Exists() { return writeModelToObjectDetails(&existingRole.WriteModel), nil } - if err := c.checkPermissionDeleteProjectRole(ctx, existingRole.ResourceOwner, existingRole.Key); err != nil { + if err := c.checkPermissionDeleteProjectRole(ctx, existingRole.ResourceOwner, projectID); err != nil { return nil, err } projectAgg := ProjectAggregateFromWriteModelWithCTX(ctx, &existingRole.WriteModel) @@ -204,8 +204,8 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour return c.pushAppendAndReduceDetails(ctx, existingRole, events...) } -func (c *Commands) checkPermissionDeleteProjectRole(ctx context.Context, resourceOwner, roleKey string) error { - return c.checkPermission(ctx, domain.PermissionProjectRoleDelete, resourceOwner, roleKey) +func (c *Commands) checkPermissionDeleteProjectRole(ctx context.Context, orgID, projectID string) error { + return c.checkPermission(ctx, domain.PermissionProjectRoleDelete, orgID, projectID) } func (c *Commands) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) {