fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140
2025-08-11 21:37:32 +00:00 · 2025-01-30 16:43:13 +01:00
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions
--- a/internal/api/grpc/user/v2/user.go
+++ b/internal/api/grpc/user/v2/user.go
@@ -275,7 +275,7 @@ func (s *Server) DeleteUser(ctx context.Context, req *user.DeleteUserRequest) (_
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveUserV2(ctx, req.UserId, memberships, grants...)
+	details, err := s.command.RemoveUserV2(ctx, req.UserId, "", memberships, grants...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/user/v2beta/user.go
+++ b/internal/api/grpc/user/v2beta/user.go
@@ -278,7 +278,7 @@ func (s *Server) DeleteUser(ctx context.Context, req *user.DeleteUserRequest) (_
 	if err != nil {
 		return nil, err
 	}
-	details, err := s.command.RemoveUserV2(ctx, req.UserId, memberships, grants...)
+	details, err := s.command.RemoveUserV2(ctx, req.UserId, "", memberships, grants...)
 	if err != nil {
 		return nil, err
 	}