fix: user grant change (#1953)

2024-12-12 02:54:20 +00:00 · 2021-07-01 17:08:40 +02:00 · 2021-07-01 17:08:40 +02:00 · 62b4df8c09
commit 62b4df8c09
parent 15ae8be3c3
2 changed files with 36 additions and 22 deletions
--- a/internal/command/user_grant.go
+++ b/internal/command/user_grant.go
@ -75,10 +75,6 @@ func (c *Commands) ChangeUserGrant(ctx context.Context, userGrant *domain.UserGr
 }

 func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGrant, resourceOwner string, cascade bool) (_ eventstore.EventPusher, _ *UserGrantWriteModel, err error) {
-	err = checkExplicitProjectPermission(ctx, userGrant.ProjectGrantID, userGrant.ProjectID)
-	if err != nil {
-		return nil, nil, err
-	}
 	if userGrant.AggregateID == "" {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-3M0sd", "Errors.UserGrant.Invalid")
 	}
@ -86,12 +82,18 @@ func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGr
 	if err != nil {
 		return nil, nil, err
 	}
+	err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+	if err != nil {
+		return nil, nil, err
+	}
 	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
 		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound")
 	}
 	if reflect.DeepEqual(existingUserGrant.RoleKeys, userGrant.RoleKeys) {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Rs8fy", "Errors.UserGrant.NotChanged")
 	}
+	userGrant.ProjectID = existingUserGrant.ProjectID
+	userGrant.ProjectGrantID = existingUserGrant.ProjectGrantID
 	err = c.checkUserGrantPreCondition(ctx, userGrant)
 	if err != nil {
 		return nil, nil, err
--- a/internal/command/user_grant_test.go
+++ b/internal/command/user_grant_test.go
@ -502,24 +502,6 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 		args   args
 		res    res
 	}{
-		{
-			name: "invalid permissions, error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
-			},
-			args: args{
-				ctx: context.Background(),
-				userGrant: &domain.UserGrant{
-					UserID: "user1",
-				},
-				resourceOwner: "org1",
-			},
-			res: res{
-				err: caos_errs.IsPermissionDenied,
-			},
-		},
 		{
 			name: "invalid usergrant, error",
 			fields: fields{
@ -538,6 +520,36 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "invalid permissions, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							usergrant.NewUserGrantAddedEvent(context.Background(),
+								&usergrant.NewAggregate("usergrant1", "org").Aggregate,
+								"user1",
+								"project1",
+								"", []string{"rolekey1"}),
+						),
+					),
+				),
+			},
+			args: args{
+				ctx: context.Background(),
+				userGrant: &domain.UserGrant{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID: "usergrant1",
+					},
+					UserID: "user1",
+				},
+				resourceOwner: "org1",
+			},
+			res: res{
+				err: caos_errs.IsPermissionDenied,
+			},
+		},
 		{
 			name: "usergrant not existing, not found error",
 			fields: fields{