fix: add permission check for saml request query (#9520)

This commit is contained in:
Stefan Benz
2025-03-12 21:53:16 +01:00
committed by GitHub
parent d527a1c824
commit 5eb3a543e8
2 changed files with 47 additions and 10 deletions


@@ -12,6 +12,7 @@ import (
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/api/call"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
"github.com/zitadel/zitadel/internal/query/projection"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -28,9 +29,9 @@ type SamlRequest struct {
Binding string
}
func (a *SamlRequest) checkLoginClient(ctx context.Context) error {
func (a *SamlRequest) checkLoginClient(ctx context.Context, permissionCheck domain.PermissionCheck) error {
if uid := authz.GetCtxData(ctx).UserID; uid != a.LoginClient {
return zerrors.ThrowPermissionDenied(nil, "OIDCv2-aL0ag", "Errors.SamlRequest.WrongLoginClient")
return permissionCheck(ctx, domain.PermissionSessionRead, authz.GetInstance(ctx).InstanceID(), "")
}
return nil
}
@@ -72,7 +73,7 @@ func (q *Queries) SamlRequestByID(ctx context.Context, shouldTriggerBulk bool, i
}
if checkLoginClient {
if err = dst.checkLoginClient(ctx); err != nil {
if err = dst.checkLoginClient(ctx, q.checkPermission); err != nil {
return nil, err
}
}
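Review bot: In the second hunk, `checkLoginClient` no longer denies every caller other than the login client outright; any caller holding `domain.PermissionSessionRead` on the instance now passes, and the check is made with an empty resource ID, so the SAML request's own organization or resource owner does not narrow it. That widening is presumably the intent of the change, but the unchanged method name and the absent doc comment hide it, so I would add `// checkLoginClient succeeds when the caller is the login client that created the request; any other caller must hold domain.PermissionSessionRead on the whole instance.` above the signature. If the check should instead be scoped to the request's resource owner, pass that value rather than `""`; I cannot tell from the hunk whether SamlRequest carries such a field. The `permissionCheck` argument is called unconditionally, so a nil `q.checkPermission` (for example a Queries built without one in tests) would panic instead of failing closed; a guard such as `if permissionCheck == nil { return zerrors.ThrowPermissionDenied(nil, "<error-id placeholder>", "Errors.SamlRequest.WrongLoginClient") }` before the call keeps the deny-by-default behaviour the old code had.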