feat(permissions): project member permission filter (#9757)

# Which Problems Are Solved Add the possibility to filter project resources based on project member roles. # How the Problems Are Solved Extend and refactor existing Pl/PgSQL functions to implement the following: - Solve O(n) complexity in returned resources IDs by returning a boolean filter for instance level permissions. - Individually permitted orgs are returned only if there was no instance permission - Individually permitted projects are returned only if there was no instance permission - Because of the multiple filter terms, use `INNER JOIN`s instead of `WHERE` clauses. # Additional Changes - system permission function no longer query the organization view and therefore can be `immutable`, giving big performance benefits for frequently reused system users. (like our hosted login in Zitadel cloud) - The permitted org and project functions are now defined as `stable` because the don't modify on-disk data. This might give a small performance gain - The Pl/PgSQL functions are now tested using Go unit tests. # Additional Context - Depends on https://github.com/zitadel/zitadel/pull/9677 - Part of https://github.com/zitadel/zitadel/issues/9188 - Closes https://github.com/zitadel/zitadel/issues/9190
2025-08-11 21:37:32 +00:00 · 2025-04-22 11:42:59 +03:00
parent 618143931b
commit 658ca3606b
18 changed files with 1403 additions and 225 deletions
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -1,4 +1,4 @@
-//go:generate enumer -type MemberType -trimprefix MemberType -json
+//go:generate enumer -type MemberType -trimprefix MemberType -json -sql

 package authz

--- a/internal/api/authz/membertype_enumer.go
+++ b/internal/api/authz/membertype_enumer.go
@@ -1,8 +1,9 @@
-// Code generated by "enumer -type MemberType -trimprefix MemberType -json"; DO NOT EDIT.
+// Code generated by "enumer -type MemberType -trimprefix MemberType -json -sql"; DO NOT EDIT.

 package authz

 import (
+	"database/sql/driver"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -110,3 +111,33 @@ func (i *MemberType) UnmarshalJSON(data []byte) error {
 	*i, err = MemberTypeString(s)
 	return err
 }
+
+func (i MemberType) Value() (driver.Value, error) {
+	return i.String(), nil
+}
+
+func (i *MemberType) Scan(value interface{}) error {
+	if value == nil {
+		return nil
+	}
+
+	var str string
+	switch v := value.(type) {
+	case []byte:
+		str = string(v)
+	case string:
+		str = v
+	case fmt.Stringer:
+		str = v.String()
+	default:
+		return fmt.Errorf("invalid value of MemberType: %[1]T(%[1]v)", value)
+	}
+
+	val, err := MemberTypeString(str)
+	if err != nil {
+		return err
+	}
+
+	*i = val
+	return nil
+}
--- a/internal/query/idp_user_link.go
+++ b/internal/query/idp_user_link.go
@@ -110,13 +110,14 @@ func idpLinksPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enab
 	if !enabled {
 		return query
 	}
-	return query.Where(PermissionClause(
+	join, args := PermissionClause(
 		ctx,
 		IDPUserLinkResourceOwnerCol,
 		domain.PermissionUserRead,
 		SingleOrgPermissionOption(queries.Queries),
 		OwnedRowsPermissionOption(IDPUserLinkUserIDCol),
-	))
+	)
+	return query.JoinClause(join, args...)
 }

 func (q *Queries) IDPUserLinks(ctx context.Context, queries *IDPUserLinksSearchQuery, permissionCheck domain.PermissionCheck) (idps *IDPUserLinks, err error) {
--- a/internal/query/org.go
+++ b/internal/query/org.go
@@ -97,11 +97,12 @@ func orgsPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled
 	if !enabled {
 		return query
 	}
-	return query.Where(PermissionClause(
+	join, args := PermissionClause(
 		ctx,
 		OrgColumnID,
 		domain_pkg.PermissionOrgRead,
-	))
+	)
+	return query.JoinClause(join, args...)
 }

 type OrgSearchQueries struct {
--- a/internal/query/permission.go
+++ b/internal/query/permission.go
@@ -2,7 +2,6 @@ package query

 import (
 	"context"
-	"fmt"

 	sq "github.com/Masterminds/squirrel"
 	"github.com/zitadel/logging"
@@ -10,41 +9,66 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/database"
 	domain_pkg "github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )

 const (
-	// eventstore.permitted_orgs(instanceid text, userid text, system_user_perms JSONB, perm text, filter_org text)
-	wherePermittedOrgsExpr = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))"
+	// eventstore.permitted_orgs(req_instance_id text, auth_user_id text, system_user_perms JSONB, perm text, filter_org text)
+	joinPermittedOrgsFunction = `INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON `
+
+	// eventstore.permitted_projects(req_instance_id text, auth_user_id text, system_user_perms JSONB, perm text, filter_org text)
+	joinPermittedProjectsFunction = `INNER JOIN eventstore.permitted_projects(?, ?, ?, ?, ?) permissions ON `
 )

+// permissionClauseBuilder is used to build the SQL clause for permission checks.
+// Don't use it directly, use the [PermissionClause] function with proper options instead.
 type permissionClauseBuilder struct {
 	orgIDColumn       Column
 	instanceID        string
 	userID            string
 	systemPermissions []authz.SystemUserPermissions
 	permission        string
-	orgID             string
-	connections       []sq.Eq
+
+	// optional fields
+	orgID           *string
+	projectIDColumn *Column
+	connections     []sq.Eq
 }

 func (b *permissionClauseBuilder) appendConnection(column string, value any) {
 	b.connections = append(b.connections, sq.Eq{column: value})
 }

-func (b *permissionClauseBuilder) clauses() sq.Or {
-	clauses := make(sq.Or, 1, len(b.connections)+1)
-	clauses[0] = sq.Expr(
-		fmt.Sprintf(wherePermittedOrgsExpr, b.orgIDColumn.identifier()),
+// joinFunction picks the correct SQL function and return the required arguments for that function.
+func (b *permissionClauseBuilder) joinFunction() (sql string, args []any) {
+	sql = joinPermittedOrgsFunction
+	if b.projectIDColumn != nil {
+		sql = joinPermittedProjectsFunction
+	}
+	return sql, []any{
 		b.instanceID,
 		b.userID,
 		database.NewJSONArray(b.systemPermissions),
 		b.permission,
 		b.orgID,
-	)
-	for _, include := range b.connections {
-		clauses = append(clauses, include)
 	}
-	return clauses
+}
+
+// joinConditions returns the conditions for the join,
+// which are dynamic based on the provided options.
+func (b *permissionClauseBuilder) joinConditions() sq.Or {
+	conditions := make(sq.Or, 2, len(b.connections)+3)
+	conditions[0] = sq.Expr("permissions.instance_permitted")
+	conditions[1] = sq.Expr(b.orgIDColumn.identifier() + " = ANY(permissions.org_ids)")
+	if b.projectIDColumn != nil {
+		conditions = append(conditions,
+			sq.Expr(b.projectIDColumn.identifier()+" = ANY(permissions.project_ids)"),
+		)
+	}
+	for _, c := range b.connections {
+		conditions = append(conditions, c)
+	}
+	return conditions
 }

 type PermissionOption func(b *permissionClauseBuilder)
@@ -52,6 +76,8 @@ type PermissionOption func(b *permissionClauseBuilder)
 // OwnedRowsPermissionOption allows rows to be returned of which the current user is the owner.
 // Even if the user does not have an explicit permission for the organization.
 // For example an authenticated user can always see his own user account.
+// This option may be provided multiple times to allow matching with multiple columns.
+// See [ConnectionPermissionOption] for more details.
 func OwnedRowsPermissionOption(userIDColumn Column) PermissionOption {
 	return func(b *permissionClauseBuilder) {
 		b.appendConnection(userIDColumn.identifier(), b.userID)
@@ -59,7 +85,10 @@ func OwnedRowsPermissionOption(userIDColumn Column) PermissionOption {
 }

 // ConnectionPermissionOption allows returning of rows where the value is matched.
-// Even if the user does not have an explicit permission for the organization.
+// Even if the user does not have an explicit permission for the resource.
+// Multiple connections may be provided.
+// Each connection is applied in a OR condition, so if previous permissions are not met,
+// matching rows are still returned for a later match.
 func ConnectionPermissionOption(column Column, value any) PermissionOption {
 	return func(b *permissionClauseBuilder) {
 		b.appendConnection(column.identifier(), value)
@@ -70,15 +99,28 @@ func ConnectionPermissionOption(column Column, value any) PermissionOption {
 // returned organizations, to the one used in the requested filters.
 func SingleOrgPermissionOption(queries []SearchQuery) PermissionOption {
 	return func(b *permissionClauseBuilder) {
-		b.orgID = findTextEqualsQuery(b.orgIDColumn, queries)
+		orgID, ok := findTextEqualsQuery(b.orgIDColumn, queries)
+		if ok {
+			b.orgID = &orgID
+		}
 	}
 }

-// PermissionClause sets a `WHERE` clause to query,
-// which filters returned rows the current authenticated user has the requested permission to.
+// WithProjectsPermissionOption sets an additional filter against the project ID column,
+// allowing for project specific permissions.
+func WithProjectsPermissionOption(projectIDColumn Column) PermissionOption {
+	return func(b *permissionClauseBuilder) {
+		b.projectIDColumn = &projectIDColumn
+	}
+}
+
+// PermissionClause builds a `INNER JOIN` clause which can be applied to a query builder.
+// It filters returned rows the current authenticated user has the requested permission to.
+// See permission_example_test.go for examples.
 //
-// Experimental: Work in progress. Currently only organization permissions are supported
-func PermissionClause(ctx context.Context, orgIDCol Column, permission string, options ...PermissionOption) sq.Or {
+// Experimental: Work in progress. Currently only organization and project permissions are supported
+// TODO: Add support for project grants.
+func PermissionClause(ctx context.Context, orgIDCol Column, permission string, options ...PermissionOption) (string, []any) {
 	ctxData := authz.GetCtxData(ctx)
 	b := &permissionClauseBuilder{
 		orgIDColumn:       orgIDCol,
@@ -97,10 +139,18 @@ func PermissionClause(ctx context.Context, orgIDCol Column, permission string, o
 		"system_user_permissions", b.systemPermissions,
 		"permission", b.permission,
 		"org_id", b.orgID,
-		"overrides", b.connections,
+		"project_id_column", b.projectIDColumn,
+		"connections", b.connections,
 	).Debug("permitted orgs check used")

-	return b.clauses()
+	sql, args := b.joinFunction()
+	conditions, conditionArgs, err := b.joinConditions().ToSql()
+	if err != nil {
+		// all cases are tested, no need to return an error.
+		// If an error does happen, it's a bug and not a user error.
+		panic(zerrors.ThrowInternal(err, "PERMISSION-OoS5o", "Errors.Internal"))
+	}
+	return sql + conditions, append(args, conditionArgs...)
 }

 // PermissionV2 checks are enabled when the feature flag is set and the permission check function is not nil.
--- a/internal/query/permission_example_test.go
+++ b/internal/query/permission_example_test.go
@@ -0,0 +1,78 @@
+package query
+
+import (
+	"context"
+	"fmt"
+
+	sq "github.com/Masterminds/squirrel"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+)
+
+// ExamplePermissionClause_org shows how to use the PermissionClause function to filter
+// permitted records based on the resource owner and the user's instance or organization membership.
+func ExamplePermissionClause_org() {
+	// These variables are typically set in the middleware of Zitadel.
+	// They do not influence the generation of the clause, just what
+	// the function does in Postgres.
+	ctx := authz.WithInstanceID(context.Background(), "instanceID")
+	ctx = authz.SetCtxData(ctx, authz.CtxData{
+		UserID: "userID",
+	})
+
+	join, args := PermissionClause(
+		ctx,
+		UserResourceOwnerCol, // match the resource owner column
+		domain.PermissionUserRead,
+		SingleOrgPermissionOption([]SearchQuery{
+			mustSearchQuery(NewUserDisplayNameSearchQuery("zitadel", TextContains)),
+			mustSearchQuery(NewUserResourceOwnerSearchQuery("orgID", TextEquals)),
+		}), // If the request had an orgID filter, it can be used to optimize the SQL function.
+		OwnedRowsPermissionOption(UserIDCol), // allow user to find themselves.
+	)
+
+	sql, _, _ := sq.Select("*").
+		From(userTable.identifier()).
+		JoinClause(join, args...).
+		Where(sq.Eq{
+			UserInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
+		}).ToSql()
+	fmt.Println(sql)
+	// Output:
+	// SELECT * FROM projections.users14 INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids) OR projections.users14.id = ?) WHERE projections.users14.instance_id = ?
+}
+
+// ExamplePermissionClause_project shows how to use the PermissionClause function to filter
+// permitted records based on the resource owner and the user's instance or organization membership.
+// Additionally, it allows returning records based on the project ID and project membership.
+func ExamplePermissionClause_project() {
+	// These variables are typically set in the middleware of Zitadel.
+	// They do not influence the generation of the clause, just what
+	// the function does in Postgres.
+	ctx := authz.WithInstanceID(context.Background(), "instanceID")
+	ctx = authz.SetCtxData(ctx, authz.CtxData{
+		UserID: "userID",
+	})
+
+	join, args := PermissionClause(
+		ctx,
+		ProjectColumnResourceOwner, // match the resource owner column
+		"project.read",
+		WithProjectsPermissionOption(ProjectColumnID),
+		SingleOrgPermissionOption([]SearchQuery{
+			mustSearchQuery(NewUserDisplayNameSearchQuery("zitadel", TextContains)),
+			mustSearchQuery(NewUserResourceOwnerSearchQuery("orgID", TextEquals)),
+		}), // If the request had an orgID filter, it can be used to optimize the SQL function.
+	)
+
+	sql, _, _ := sq.Select("*").
+		From(projectsTable.identifier()).
+		JoinClause(join, args...).
+		Where(sq.Eq{
+			ProjectColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
+		}).ToSql()
+	fmt.Println(sql)
+	// Output:
+	// SELECT * FROM projections.projects4 INNER JOIN eventstore.permitted_projects(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.projects4.resource_owner = ANY(permissions.org_ids) OR projections.projects4.id = ANY(permissions.project_ids)) WHERE projections.projects4.instance_id = ?
+}
--- a/internal/query/permission_test.go
+++ b/internal/query/permission_test.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"testing"

-	sq "github.com/Masterminds/squirrel"
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"

 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -38,30 +38,29 @@ func TestPermissionClause(t *testing.T) {
 		options    []PermissionOption
 	}
 	tests := []struct {
-		name       string
-		args       args
-		wantClause sq.Or
+		name     string
+		args     args
+		wantSql  string
+		wantArgs []any
 	}{
 		{
-			name: "no options",
+			name: "org, no options",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
 				permission: "permission1",
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"",
-				),
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
 			},
 		},
 		{
-			name: "owned rows option",
+			name: "org, owned rows option",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
@@ -70,20 +69,18 @@ func TestPermissionClause(t *testing.T) {
 					OwnedRowsPermissionOption(UserIDCol),
 				},
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"",
-				),
-				sq.Eq{"projections.users14.id": "userID"},
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids) OR projections.users14.id = ?)",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
+				"userID",
 			},
 		},
 		{
-			name: "connection rows option",
+			name: "org, connection rows option",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
@@ -93,21 +90,19 @@ func TestPermissionClause(t *testing.T) {
 					ConnectionPermissionOption(UserStateCol, "bar"),
 				},
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"",
-				),
-				sq.Eq{"projections.users14.id": "userID"},
-				sq.Eq{"projections.users14.state": "bar"},
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids) OR projections.users14.id = ? OR projections.users14.state = ?)",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
+				"userID",
+				"bar",
 			},
 		},
 		{
-			name: "single org option",
+			name: "org, with ID",
 			args: args{
 				ctx:        ctx,
 				orgIDCol:   UserResourceOwnerCol,
@@ -119,22 +114,62 @@ func TestPermissionClause(t *testing.T) {
 					}),
 				},
 			},
-			wantClause: sq.Or{
-				sq.Expr(
-					"projections.users14.resource_owner = ANY(eventstore.permitted_orgs(?, ?, ?, ?, ?))",
-					"instanceID",
-					"userID",
-					database.NewJSONArray(permissions),
-					"permission1",
-					"orgID",
-				),
+			wantSql: "INNER JOIN eventstore.permitted_orgs(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.users14.resource_owner = ANY(permissions.org_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				gu.Ptr("orgID"),
+			},
+		},
+		{
+			name: "project",
+			args: args{
+				ctx:        ctx,
+				orgIDCol:   ProjectColumnResourceOwner,
+				permission: "permission1",
+				options: []PermissionOption{
+					WithProjectsPermissionOption(ProjectColumnID),
+				},
+			},
+			wantSql: "INNER JOIN eventstore.permitted_projects(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.projects4.resource_owner = ANY(permissions.org_ids) OR projections.projects4.id = ANY(permissions.project_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				(*string)(nil),
+			},
+		},
+		{
+			name: "project, single org",
+			args: args{
+				ctx:        ctx,
+				orgIDCol:   ProjectColumnResourceOwner,
+				permission: "permission1",
+				options: []PermissionOption{
+					WithProjectsPermissionOption(ProjectColumnID),
+					SingleOrgPermissionOption([]SearchQuery{
+						mustSearchQuery(NewProjectResourceOwnerSearchQuery("orgID")),
+					}),
+				},
+			},
+			wantSql: "INNER JOIN eventstore.permitted_projects(?, ?, ?, ?, ?) permissions ON (permissions.instance_permitted OR projections.projects4.resource_owner = ANY(permissions.org_ids) OR projections.projects4.id = ANY(permissions.project_ids))",
+			wantArgs: []any{
+				"instanceID",
+				"userID",
+				database.NewJSONArray(permissions),
+				"permission1",
+				gu.Ptr("orgID"),
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotClause := PermissionClause(tt.args.ctx, tt.args.orgIDCol, tt.args.permission, tt.args.options...)
-			assert.Equal(t, tt.wantClause, gotClause)
+			gotSql, gotArgs := PermissionClause(tt.args.ctx, tt.args.orgIDCol, tt.args.permission, tt.args.options...)
+			assert.Equal(t, tt.wantSql, gotSql)
+			assert.Equal(t, tt.wantArgs, gotArgs)
 		})
 	}
 }
--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -149,15 +149,15 @@ func triggerBatch(ctx context.Context, handlers ...*handler.Handler) {
 	wg.Wait()
 }

-func findTextEqualsQuery(column Column, queries []SearchQuery) string {
+func findTextEqualsQuery(column Column, queries []SearchQuery) (text string, ok bool) {
 	for _, query := range queries {
 		if query.Col() != column {
 			continue
 		}
 		tq, ok := query.(*textQuery)
 		if ok && tq.Compare == TextEquals {
-			return tq.Text
+			return tq.Text, true
 		}
 	}
-	return ""
+	return "", false
 }
--- a/internal/query/session.go
+++ b/internal/query/session.go
@@ -117,7 +117,7 @@ func sessionsPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enab
 	if !enabled {
 		return query
 	}
-	return query.Where(PermissionClause(
+	join, args := PermissionClause(
 		ctx,
 		SessionColumnResourceOwner,
 		domain.PermissionSessionRead,
@@ -125,8 +125,10 @@ func sessionsPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enab
 		OwnedRowsPermissionOption(SessionColumnCreator),
 		// Allow if session belongs to the user
 		OwnedRowsPermissionOption(SessionColumnUserID),
+		// Allow if session belongs to the same useragent
 		ConnectionPermissionOption(SessionColumnUserAgentFingerprintID, authz.GetCtxData(ctx).AgentID),
-	))
+	)
+	return query.JoinClause(join, args...)
 }

 func (q *SessionsSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -136,13 +136,14 @@ func userPermissionCheckV2(ctx context.Context, query sq.SelectBuilder, enabled
 	if !enabled {
 		return query
 	}
-	return query.Where(PermissionClause(
+	join, args := PermissionClause(
 		ctx,
 		UserResourceOwnerCol,
 		domain.PermissionUserRead,
 		SingleOrgPermissionOption(queries.Queries),
 		OwnedRowsPermissionOption(UserIDCol),
-	))
+	)
+	return query.JoinClause(join, args...)
 }

 type UserSearchQueries struct {
--- a/internal/query/user_auth_method.go
+++ b/internal/query/user_auth_method.go
@@ -108,12 +108,13 @@ func userAuthMethodPermissionCheckV2(ctx context.Context, query sq.SelectBuilder
 	if !enabled {
 		return query
 	}
-	return query.Where(PermissionClause(
+	join, args := PermissionClause(
 		ctx,
 		UserAuthMethodColumnResourceOwner,
 		domain.PermissionUserRead,
 		OwnedRowsPermissionOption(UserIDCol),
-	))
+	)
+	return query.JoinClause(join, args...)
 }

 type AuthMethod struct {