TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 05:37:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: correct permissions for projects on v2 api (#9973)

Browse Source 
# Which Problems Are Solved

Permission checks in project v2beta API did not cover projects and
granted projects correctly.

# How the Problems Are Solved

Add permission checks v1 correctly to the list queries, add correct
permission checks v2 for projects.

# Additional Changes

Correct Pre-Checks for project grants that the right resource owner is
used.

# Additional Context

Permission checks v2 for project grants is still outstanding under
#9972.
This commit is contained in:
Stefan Benz
2025-06-04 13:46:10 +02:00
committed by GitHub
parent 6aeaa89c25
commit 85e3b7449c
15 changed files with 950 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
internal/api/grpc/project/v2beta/integration/project_test.go
View File

@@ -300,6 +300,12 @@ func TestServer_UpdateProject_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
userResp := instance.CreateMachineUser(iamOwnerCtx)
patResp := instance.CreatePersonalAccessToken(iamOwnerCtx, userResp.GetUserId())
projectID := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false).GetId()
instance.CreateProjectMembership(t, iamOwnerCtx, projectID, userResp.GetUserId())
projectOwnerCtx := integration.WithAuthorizationToken(CTX, patResp.Token)
type args struct {
ctx context.Context
req *project.UpdateProjectRequest
@@ -343,6 +349,36 @@ func TestServer_UpdateProject_Permission(t *testing.T) {
},
wantErr: true,
},
{
name: "project owner, no permission",
prepare: func(request *project.UpdateProjectRequest) {
projectID := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false).GetId()
request.Id = projectID
},
args: args{
ctx: projectOwnerCtx,
req: &project.UpdateProjectRequest{
Name: gu.Ptr(gofakeit.AppName()),
},
},
wantErr: true,
},
{
name: " roject owner, ok",
prepare: func(request *project.UpdateProjectRequest) {
request.Id = projectID
},
args: args{
ctx: projectOwnerCtx,
req: &project.UpdateProjectRequest{
Name: gu.Ptr(gofakeit.AppName()),
},
},
want: want{
change: true,
changeDate: true,
},
},
{
name: "missing permission, other organization",
prepare: func(request *project.UpdateProjectRequest) {
@@ -499,6 +535,12 @@ func TestServer_DeleteProject_Permission(t *testing.T) {
iamOwnerCtx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
orgResp := instance.CreateOrganization(iamOwnerCtx, gofakeit.AppName(), gofakeit.Email())
userResp := instance.CreateMachineUser(iamOwnerCtx)
patResp := instance.CreatePersonalAccessToken(iamOwnerCtx, userResp.GetUserId())
projectID := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false).GetId()
instance.CreateProjectMembership(t, iamOwnerCtx, projectID, userResp.GetUserId())
projectOwnerCtx := integration.WithAuthorizationToken(CTX, patResp.Token)
tests := []struct {
name string
ctx context.Context
@@ -531,6 +573,29 @@ func TestServer_DeleteProject_Permission(t *testing.T) {
req: &project.DeleteProjectRequest{},
wantErr: true,
},
{
name: "project owner, no permission",
ctx: projectOwnerCtx,
prepare: func(request *project.DeleteProjectRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
projectID := instance.CreateProject(iamOwnerCtx, t, orgResp.GetOrganizationId(), gofakeit.AppName(), false, false).GetId()
request.Id = projectID
return creationDate, time.Time{}
},
req: &project.DeleteProjectRequest{},
wantErr: true,
},
{
name: "project owner, ok",
ctx: projectOwnerCtx,
prepare: func(request *project.DeleteProjectRequest) (time.Time, time.Time) {
creationDate := time.Now().UTC()
request.Id = projectID
return creationDate, time.Time{}
},
req: &project.DeleteProjectRequest{},
wantDeletionDate: true,
},
{
name: "organization owner, other org",
ctx: instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),