From 62b4df8c0928ebcca1f175985f46e2506ab8e0ac Mon Sep 17 00:00:00 2001
From: Livio Amstutz <livio.a@gmail.com>
Date: Thu, 1 Jul 2021 17:08:40 +0200
Subject: [PATCH] fix: user grant change (#1953)

---
 internal/command/user_grant.go      | 10 +++---
 internal/command/user_grant_test.go | 48 ++++++++++++++++++-----------
 2 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/internal/command/user_grant.go b/internal/command/user_grant.go
index 1d28e6a842..e02fe9e3e6 100644
--- a/internal/command/user_grant.go
+++ b/internal/command/user_grant.go
@@ -75,10 +75,6 @@ func (c *Commands) ChangeUserGrant(ctx context.Context, userGrant *domain.UserGr
 }
 
 func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGrant, resourceOwner string, cascade bool) (_ eventstore.EventPusher, _ *UserGrantWriteModel, err error) {
-	err = checkExplicitProjectPermission(ctx, userGrant.ProjectGrantID, userGrant.ProjectID)
-	if err != nil {
-		return nil, nil, err
-	}
 	if userGrant.AggregateID == "" {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-3M0sd", "Errors.UserGrant.Invalid")
 	}
@@ -86,12 +82,18 @@ func (c *Commands) changeUserGrant(ctx context.Context, userGrant *domain.UserGr
 	if err != nil {
 		return nil, nil, err
 	}
+	err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID)
+	if err != nil {
+		return nil, nil, err
+	}
 	if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved {
 		return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound")
 	}
 	if reflect.DeepEqual(existingUserGrant.RoleKeys, userGrant.RoleKeys) {
 		return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Rs8fy", "Errors.UserGrant.NotChanged")
 	}
+	userGrant.ProjectID = existingUserGrant.ProjectID
+	userGrant.ProjectGrantID = existingUserGrant.ProjectGrantID
 	err = c.checkUserGrantPreCondition(ctx, userGrant)
 	if err != nil {
 		return nil, nil, err
diff --git a/internal/command/user_grant_test.go b/internal/command/user_grant_test.go
index 0ca74a2ca3..5a8f57e11d 100644
--- a/internal/command/user_grant_test.go
+++ b/internal/command/user_grant_test.go
@@ -502,24 +502,6 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 		args   args
 		res    res
 	}{
-		{
-			name: "invalid permissions, error",
-			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
-			},
-			args: args{
-				ctx: context.Background(),
-				userGrant: &domain.UserGrant{
-					UserID: "user1",
-				},
-				resourceOwner: "org1",
-			},
-			res: res{
-				err: caos_errs.IsPermissionDenied,
-			},
-		},
 		{
 			name: "invalid usergrant, error",
 			fields: fields{
@@ -538,6 +520,36 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "invalid permissions, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							usergrant.NewUserGrantAddedEvent(context.Background(),
+								&usergrant.NewAggregate("usergrant1", "org").Aggregate,
+								"user1",
+								"project1",
+								"", []string{"rolekey1"}),
+						),
+					),
+				),
+			},
+			args: args{
+				ctx: context.Background(),
+				userGrant: &domain.UserGrant{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID: "usergrant1",
+					},
+					UserID: "user1",
+				},
+				resourceOwner: "org1",
+			},
+			res: res{
+				err: caos_errs.IsPermissionDenied,
+			},
+		},
 		{
 			name: "usergrant not existing, not found error",
 			fields: fields{