fix: filter of domain claimed users (#2752)

internal/api/grpc/admin/org.go

@@ -3,14 +3,14 @@ package admin
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/api/authz"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	org_grpc "github.com/caos/zitadel/internal/api/grpc/org"
 	"github.com/caos/zitadel/internal/domain"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 	obj_pb "github.com/caos/zitadel/pkg/grpc/object"
-	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func (s *Server) IsOrgUnique(ctx context.Context, req *admin_pb.IsOrgUniqueRequest) (*admin_pb.IsOrgUniqueResponse, error) {
@@ -68,12 +68,7 @@ func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain str
 			{
 				Key:    usr_model.UserSearchKeyPreferredLoginName,
 				Method: domain.SearchMethodEndsWithIgnoreCase,
-				Value:  orgDomain,
+				Value:  "@" + orgDomain,
-			},
-			{
-				Key:    usr_model.UserSearchKeyResourceOwner,
-				Method: domain.SearchMethodNotEquals,
-				Value:  authz.GetCtxData(ctx).OrgID,
 			},
 		},
 	})

internal/api/grpc/management/org.go

@@ -50,7 +50,7 @@ func (s *Server) ListOrgChanges(ctx context.Context, req *mgmt_pb.ListOrgChanges
 }
 
 func (s *Server) AddOrg(ctx context.Context, req *mgmt_pb.AddOrgRequest) (*mgmt_pb.AddOrgResponse, error) {
-	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, domain.NewIAMDomainName(req.Name, s.systemDefaults.Domain))
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, domain.NewIAMDomainName(req.Name, s.systemDefaults.Domain), "")
 	if err != nil {
 		return nil, err
 	}
@@ -185,7 +185,7 @@ func GenerateOrgDomainValidationRequestToDomain(ctx context.Context, req *mgmt_p
 }
 
 func (s *Server) ValidateOrgDomain(ctx context.Context, req *mgmt_pb.ValidateOrgDomainRequest) (*mgmt_pb.ValidateOrgDomainResponse, error) {
-	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, req.Domain)
+	userIDs, err := s.getClaimedUserIDsOfOrgDomain(ctx, req.Domain, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -284,20 +284,24 @@ func (s *Server) RemoveOrgMember(ctx context.Context, req *mgmt_pb.RemoveOrgMemb
 	}, nil
 }
 
-func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain string) ([]string, error) {
+func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain, orgID string) ([]string, error) {
-	users, err := s.user.SearchUsers(ctx, &usr_model.UserSearchRequest{
+	queries := []*usr_model.UserSearchQuery{
-		Queries: []*usr_model.UserSearchQuery{
 		{
 			Key:    usr_model.UserSearchKeyPreferredLoginName,
 			Method: domain.SearchMethodEndsWithIgnoreCase,
-				Value:  orgDomain,
+			Value:  "@" + orgDomain,
 		},
-			{
+	}
+	if orgID != "" {
+		queries = append(queries,
+			&usr_model.UserSearchQuery{
 				Key:    usr_model.UserSearchKeyResourceOwner,
 				Method: domain.SearchMethodNotEquals,
-				Value:  authz.GetCtxData(ctx).OrgID,
+				Value:  orgID,
-			},
+			})
-		},
+	}
+	users, err := s.user.SearchUsers(ctx, &usr_model.UserSearchRequest{
+		Queries: queries,
 	}, false)
 	if err != nil {
 		return nil, err

internal/ui/login/handler/login.go

@@ -168,12 +168,7 @@ func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string
 			{
 				Key:    usr_model.UserSearchKeyPreferredLoginName,
 				Method: domain.SearchMethodEndsWithIgnoreCase,
-				Value:  domain.NewIAMDomainName(orgName, l.iamDomain),
+				Value:  "@" + domain.NewIAMDomainName(orgName, l.iamDomain),
-			},
-			{
-				Key:    usr_model.UserSearchKeyResourceOwner,
-				Method: domain.SearchMethodNotEquals,
-				Value:  authz.GetCtxData(ctx).OrgID,
 			},
 		},
 	})