fix: allow user self deletion (#9828)

# Which Problems Are Solved Currently, users can't delete themselves using the V2 RemoveUser API because of the redunant API middleware permission check. On main, using a machine user PAT to delete the same machine user: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: NotFound Message: membership not found (AUTHZ-cdgFk) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTHZ-cdgFk", "message": "membership not found" } ``` Same on this PRs branch: ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser { "details": { "sequence": "3", "changeDate": "2025-05-06T13:44:54.349048Z", "resourceOwner": "318838541083804033" } } ``` Repeated call ```bash grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser ERROR: Code: Unauthenticated Message: Errors.Token.Invalid (AUTH-7fs1e) Details: 1) { "@type": "type.googleapis.com/zitadel.v1.ErrorDetail", "id": "AUTH-7fs1e", "message": "Errors.Token.Invalid" } ``` # How the Problems Are Solved The middleware permission check is disabled and the domain.PermissionCheck is used exclusively. # Additional Changes A new type command.PermissionCheck allows to optionally accept a permission check for commands, so APIs with middleware permission checks can omit redundant permission checks by passing nil while APIs without middleware permission checks can pass one to the command. # Additional Context This is a subtask of #9763 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-12-06 14:22:13 +00:00 · 2025-05-07 15:24:24 +02:00
parent 0d7d4e6af0
commit 898366c537
9 changed files with 459 additions and 79 deletions
--- a/internal/command/permission_checks.go
+++ b/internal/command/permission_checks.go
@@ -0,0 +1,60 @@
+package command
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/v2/user"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type PermissionCheck func(resourceOwner, aggregateID string) error
+
+func (c *Commands) newPermissionCheck(ctx context.Context, permission string, aggregateType eventstore.AggregateType) PermissionCheck {
+	return func(resourceOwner, aggregateID string) error {
+		if aggregateID == "" {
+			return zerrors.ThrowInternal(nil, "COMMAND-ulBlS", "Errors.IDMissing")
+		}
+		// For example if a write model didn't query any events, the resource owner is probably empty.
+		// In this case, we have to query an event on the given aggregate to get the resource owner.
+		if resourceOwner == "" {
+			r := NewResourceOwnerModel(authz.GetInstance(ctx).InstanceID(), aggregateType, aggregateID)
+			err := c.eventstore.FilterToQueryReducer(ctx, r)
+			if err != nil {
+				return err
+			}
+			resourceOwner = r.resourceOwner
+		}
+		if resourceOwner == "" {
+			return zerrors.ThrowNotFound(nil, "COMMAND-4g3xq", "Errors.NotFound")
+		}
+		return c.checkPermission(ctx, permission, resourceOwner, aggregateID)
+	}
+}
+
+func (c *Commands) checkPermissionOnUser(ctx context.Context, permission string) PermissionCheck {
+	return func(resourceOwner, aggregateID string) error {
+		if aggregateID != "" && aggregateID == authz.GetCtxData(ctx).UserID {
+			return nil
+		}
+		return c.newPermissionCheck(ctx, permission, user.AggregateType)(resourceOwner, aggregateID)
+	}
+}
+
+func (c *Commands) NewPermissionCheckUserWrite(ctx context.Context) PermissionCheck {
+	return c.checkPermissionOnUser(ctx, domain.PermissionUserWrite)
+}
+
+func (c *Commands) checkPermissionDeleteUser(ctx context.Context, resourceOwner, userID string) error {
+	return c.checkPermissionOnUser(ctx, domain.PermissionUserDelete)(resourceOwner, userID)
+}
+
+func (c *Commands) checkPermissionUpdateUser(ctx context.Context, resourceOwner, userID string) error {
+	return c.NewPermissionCheckUserWrite(ctx)(resourceOwner, userID)
+}
+
+func (c *Commands) checkPermissionUpdateUserCredentials(ctx context.Context, resourceOwner, userID string) error {
+	return c.checkPermissionOnUser(ctx, domain.PermissionUserCredentialWrite)(resourceOwner, userID)
+}