fix: prevent panic when retrieving session by id in internal calls (#9442)

# Which Problems Are Solved

#9110 introduced more possibilities to search for "own" sessions. Due to
this the permission checks for retrieving a session had to be updated
accordingly. Internal calls, such as retrieving them for sending
notifications do not require a permission, but the code was not properly
adjusted and thus could lead to panics.

# How the Problems Are Solved

- Properly handle (i.e. do not require) the permission check for internal-only
calls when retrieving a session by id.

# Additional Changes

None

# Additional Context

- needs backports to 2.68.x, 2.69.x, 2.70.x
- closes zitadel/devops#117
This commit is contained in:
Livio Spring 2025-03-03 11:24:52 +01:00 committed by GitHub
parent b0f70626c8
commit 4e1868e9bb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


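--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -235,6 +235,10 @@ func (q *Queries) SessionByID(ctx context.Context, shouldTriggerBulk bool, id, s
 return nil, err
 }
 if sessionToken == "" {
+// for internal calls, no token or permission check is necessary
+if permissionCheck == nil {
+return session, nil
+}
 if err := sessionCheckPermission(ctx, session.ResourceOwner, session.Creator, session.UserAgent, session.UserFactor, permissionCheck); err != nil {
 return nil, err
 }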
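Review bot: The added early return makes a nil `permissionCheck` the sole marker of a trusted internal call, so any caller that passes nil — deliberately or through a missed wiring — receives the session with neither a token nor a permission check, and nothing on SessionByID's signature states that contract. Document it where callers see it, in the function's doc comment: `// A nil permissionCheck marks a trusted internal call (e.g. notification delivery) and skips the permission check entirely; user-facing paths must always supply one.` The inline comment would also read better stating the precondition rather than the effect, e.g. `// permissionCheck == nil: trusted internal call, no token or permission check`. SessionByID starts before this hunk and continues after it, so the token-bearing path is not visible here.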