diff --git a/internal/command/user_grant.go b/internal/command/user_grant.go
index 1d28e6a842..e02fe9e3e6 100644
--- a/internal/command/user_grant.go
+++ b/internal/command/user_grant.go
@@ -75,10 +75,6 @@ func (c *Commands) ChangeUserGrant(ctx context.Context, userGrant *domain.UserGr
 }
 
 func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGrant, resourceOwner string, cascade bool) (_ eventstore.EventPusher, _ *UserGrantWriteModel, err error) {
- err = checkExplicitProjectPermission(ctx, userGrant.ProjectGrantID, userGrant.ProjectID)
- if err != nil {
- return nil, nil, err
- }
 if userGrant.AggregateID == "" {
 return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-3M0sd", "Errors.UserGrant.Invalid")
 }
@@ -86,12 +82,18 @@ func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGr
 if err != nil {
 return nil, nil, err
 }
+ err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+ if err != nil {
+ return nil, nil, err
+ }
 if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
 return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound")
 }
 if reflect.DeepEqual(existingUserGrant.RoleKeys, userGrant.RoleKeys) {
 return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Rs8fy", "Errors.UserGrant.NotChanged")
 }
+ userGrant.ProjectID = existingUserGrant.ProjectID
+ userGrant.ProjectGrantID = existingUserGrant.ProjectGrantID
 err = c.checkUserGrantPreCondition(ctx, userGrant)
 if err != nil {
 return nil, nil, err
diff --git a/internal/command/user_grant_test.go b/internal/command/user_grant_test.go
index 0ca74a2ca3..5a8f57e11d 100644
--- a/internal/command/user_grant_test.go
+++ b/internal/command/user_grant_test.go
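Review bot: In the second hunk the permission check now runs on `existingUserGrant.ProjectGrantID`/`ProjectID` before the `UserGrantStateUnspecified`/`UserGrantStateRemoved` check, so when the filter returns no events it is evaluated with zero-value IDs; whether that denies or passes depends on checkExplicitProjectPermission, which is outside the hunk — confirm it denies on empty IDs (then an unauthorized caller cannot tell an existing grant from a missing one), otherwise move the state check ahead of it so the decision is always made against a real grant. Basing the authorization decision on the stored grant rather than the caller-supplied IDs is the right fix, and the two assignments `userGrant.ProjectID = existingUserGrant.ProjectID` / `userGrant.ProjectGrantID = existingUserGrant.ProjectGrantID` silently discard whatever the caller sent, which deserves a comment such as `// the project of an existing grant cannot change: authorize and validate against the stored IDs, never the caller-supplied ones`. The first hunk is the matching removal of the old check on the input struct and needs nothing further. changeUserGrant continues past the end of the hunk.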
@@ -502,24 +502,6 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 args args
 res res
 }{
- {
- name: "invalid permissions, error",
- fields: fields{
- eventstore: eventstoreExpect(
- t,
- ),
- },
- args: args{
- ctx: context.Background(),
- userGrant: &domain.UserGrant{
- UserID: "user1",
- },
- resourceOwner: "org1",
- },
- res: res{
- err: caos_errs.IsPermissionDenied,
- },
- },
 {
 name: "invalid usergrant, error",
 fields: fields{
@@ -538,6 +520,36 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 err: caos_errs.IsErrorInvalidArgument,
 },
 },
+ {
+ name: "invalid permissions, error",
+ fields: fields{
+ eventstore: eventstoreExpect(
+ t,
+ expectFilter(
+ eventFromEventPusher(
+ usergrant.NewUserGrantAddedEvent(context.Background(),
+ &usergrant.NewAggregate("usergrant1", "org").Aggregate,
+ "user1",
+ "project1",
+ "", []string{"rolekey1"}),
+ ),
+ ),
+ ),
+ },
+ args: args{
+ ctx: context.Background(),
+ userGrant: &domain.UserGrant{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: "usergrant1",
+ },
+ UserID: "user1",
+ },
+ resourceOwner: "org1",
+ },
+ res: res{
+ err: caos_errs.IsPermissionDenied,
+ },
+ },
 {
 name: "usergrant not existing, not found error",
 fields: fields{
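Review bot: The re-added `invalid permissions, error` case in the second hunk only covers a caller with no permission at all; the scenario the production change guards against — a caller supplying a `ProjectID`/`ProjectGrantID` it is authorized for while the stored grant belongs to a different project — has no regression test, so reverting the lookup-based check to the input struct would not fail this table. Add a case whose `userGrant` carries a `ProjectID` different from the `"project1"` in the `NewUserGrantAddedEvent` fixture and still expects `caos_errs.IsPermissionDenied`. The fixture's aggregate is created with resource owner `"org"` while the args pass `resourceOwner: "org1"`; this presumably mirrors the neighbouring cases and does not affect the outcome because the permission check fires first, but aligning the two values would avoid a misleading fixture. The test table continues outside the hunk.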