fix: add resourceowner to check for project in project grant (#8785)

# Which Problems Are Solved Resource owner can be different than expected if the provided x-zitadel-orgid header is provided. # How the Problems Are Solved Check that the project is only checked with the correct resource owner to avoid unexpected situations. # Additional Changes None # Additional Context Closes #8685 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 20:57:31 +00:00 · 2024-10-30 09:53:00 +01:00
parent cff4fe5dfd
commit 6780c5a07c
4 changed files with 114 additions and 9 deletions
--- a/internal/command/project_grant.go
+++ b/internal/command/project_grant.go
@@ -27,7 +27,7 @@ func (c *Commands) AddProjectGrant(ctx context.Context, grant *domain.ProjectGra
 	if !grant.IsValid() {
 		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-3b8fs", "Errors.Project.Grant.Invalid")
 	}
-	err = c.checkProjectGrantPreCondition(ctx, grant)
+	err = c.checkProjectGrantPreCondition(ctx, grant, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +67,7 @@ func (c *Commands) ChangeProjectGrant(ctx context.Context, grant *domain.Project
 		return nil, err
 	}
 	grant.GrantedOrgID = existingGrant.GrantedOrgID
-	err = c.checkProjectGrantPreCondition(ctx, grant)
+	err = c.checkProjectGrantPreCondition(ctx, grant, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -255,11 +255,11 @@ func (c *Commands) projectGrantWriteModelByID(ctx context.Context, grantID, proj
 	return writeModel, nil
 }

-func (c *Commands) checkProjectGrantPreCondition(ctx context.Context, projectGrant *domain.ProjectGrant) error {
+func (c *Commands) checkProjectGrantPreCondition(ctx context.Context, projectGrant *domain.ProjectGrant, resourceOwner string) error {
 	if !authz.GetFeatures(ctx).ShouldUseImprovedPerformance(feature.ImprovedPerformanceTypeProjectGrant) {
-		return c.checkProjectGrantPreConditionOld(ctx, projectGrant)
+		return c.checkProjectGrantPreConditionOld(ctx, projectGrant, resourceOwner)
 	}
-	existingRoleKeys, err := c.searchProjectGrantState(ctx, projectGrant.AggregateID, projectGrant.GrantedOrgID)
+	existingRoleKeys, err := c.searchProjectGrantState(ctx, projectGrant.AggregateID, projectGrant.GrantedOrgID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -270,11 +270,12 @@ func (c *Commands) checkProjectGrantPreCondition(ctx context.Context, projectGra
 	return nil
 }

-func (c *Commands) searchProjectGrantState(ctx context.Context, projectID, grantedOrgID string) (existingRoleKeys []string, err error) {
+func (c *Commands) searchProjectGrantState(ctx context.Context, projectID, grantedOrgID, resourceOwner string) (existingRoleKeys []string, err error) {
 	results, err := c.eventstore.Search(
 		ctx,
 		// project state query
 		map[eventstore.FieldType]any{
+			eventstore.FieldTypeResourceOwner: resourceOwner,
 			eventstore.FieldTypeAggregateType: project.AggregateType,
 			eventstore.FieldTypeAggregateID:   projectID,
 			eventstore.FieldTypeFieldName:     project.ProjectStateSearchField,
@@ -289,6 +290,7 @@ func (c *Commands) searchProjectGrantState(ctx context.Context, projectID, grant
 		},
 		// role query
 		map[eventstore.FieldType]any{
+			eventstore.FieldTypeResourceOwner: resourceOwner,
 			eventstore.FieldTypeAggregateType: project.AggregateType,
 			eventstore.FieldTypeAggregateID:   projectID,
 			eventstore.FieldTypeFieldName:     project.ProjectRoleKeySearchField,