fix: allow user self deletion (#9828)

# Which Problems Are Solved

Currently, users can't delete themselves using the V2 RemoveUser API
because of the redunant API middleware permission check.

On main, using a machine user PAT to delete the same machine user:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: NotFound
  Message: membership not found (AUTHZ-cdgFk)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTHZ-cdgFk",
    	  "message": "membership not found"
    	}
```

Same on this PRs branch:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
{
  "details": {
    "sequence": "3",
    "changeDate": "2025-05-06T13:44:54.349048Z",
    "resourceOwner": "318838541083804033"
  }
}
```

Repeated call
```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: Unauthenticated
  Message: Errors.Token.Invalid (AUTH-7fs1e)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTH-7fs1e",
    	  "message": "Errors.Token.Invalid"
    	}
```

# How the Problems Are Solved

The middleware permission check is disabled and the
domain.PermissionCheck is used exclusively.

# Additional Changes

A new type command.PermissionCheck allows to optionally accept a
permission check for commands, so APIs with middleware permission checks
can omit redundant permission checks by passing nil while APIs without
middleware permission checks can pass one to the command.

# Additional Context

This is a subtask of #9763

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/command/permission_checks_test.go

@@ -0,0 +1,278 @@
+package command
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func TestCommands_CheckPermission(t *testing.T) {
+	type fields struct {
+		eventstore            func(*testing.T) *eventstore.Eventstore
+		domainPermissionCheck func(*testing.T) domain.PermissionCheck
+	}
+	type args struct {
+		ctx                        context.Context
+		permission                 string
+		aggregateType              eventstore.AggregateType
+		resourceOwner, aggregateID string
+	}
+	type want struct {
+		err func(error) bool
+	}
+	ctx := context.Background()
+	filterErr := errors.New("filter error")
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   want
+	}{
+		{
+			name: "resource owner is given, no query",
+			fields: fields{
+				domainPermissionCheck: mockDomainPermissionCheck(
+					ctx,
+					"permission",
+					"resourceOwner",
+					"aggregateID"),
+			},
+			args: args{
+				ctx:           ctx,
+				permission:    "permission",
+				resourceOwner: "resourceOwner",
+				aggregateID:   "aggregateID",
+			},
+		},
+		{
+			name: "resource owner is empty, query for resource owner",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(&repository.Event{
+						AggregateID:   "aggregateID",
+						ResourceOwner: sql.NullString{String: "resourceOwner"},
+					}),
+				),
+				domainPermissionCheck: mockDomainPermissionCheck(ctx, "permission", "resourceOwner", "aggregateID"),
+			},
+			args: args{
+				ctx:           ctx,
+				permission:    "permission",
+				resourceOwner: "",
+				aggregateID:   "aggregateID",
+			},
+		},
+		{
+			name: "resource owner is empty, query for resource owner, error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilterError(filterErr),
+				),
+			},
+			args: args{
+				ctx:           ctx,
+				permission:    "permission",
+				resourceOwner: "",
+				aggregateID:   "aggregateID",
+			},
+			want: want{
+				err: func(err error) bool {
+					return errors.Is(err, filterErr)
+				},
+			},
+		},
+		{
+			name: "resource owner is empty, query for resource owner, no events",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx:           ctx,
+				permission:    "permission",
+				resourceOwner: "",
+				aggregateID:   "aggregateID",
+			},
+			want: want{
+				err: zerrors.IsNotFound,
+			},
+		},
+		{
+			name: "no aggregateID, internal error",
+			args: args{
+				ctx: ctx,
+			},
+			want: want{
+				err: zerrors.IsInternal,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
+					return nil
+				},
+				eventstore: expectEventstore()(t),
+			}
+			if tt.fields.domainPermissionCheck != nil {
+				c.checkPermission = tt.fields.domainPermissionCheck(t)
+			}
+			if tt.fields.eventstore != nil {
+				c.eventstore = tt.fields.eventstore(t)
+			}
+			err := c.newPermissionCheck(tt.args.ctx, tt.args.permission, tt.args.aggregateType)(tt.args.resourceOwner, tt.args.aggregateID)
+			if tt.want.err != nil {
+				assert.True(t, tt.want.err(err))
+			}
+		})
+	}
+}
+
+func TestCommands_CheckPermissionUserWrite(t *testing.T) {
+	type fields struct {
+		domainPermissionCheck func(*testing.T) domain.PermissionCheck
+	}
+	type args struct {
+		ctx                        context.Context
+		resourceOwner, aggregateID string
+	}
+	type want struct {
+		err func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   want
+	}{
+		{
+			name: "self, no permission check",
+			args: args{
+				ctx: authz.SetCtxData(context.Background(), authz.CtxData{
+					UserID: "aggregateID",
+				}),
+				resourceOwner: "resourceOwner",
+				aggregateID:   "aggregateID",
+			},
+		},
+		{
+			name: "not self, permission check",
+			fields: fields{
+				domainPermissionCheck: mockDomainPermissionCheck(
+					context.Background(),
+					"user.write",
+					"resourceOwner",
+					"foreignAggregateID"),
+			},
+			args: args{
+				ctx:           context.Background(),
+				resourceOwner: "resourceOwner",
+				aggregateID:   "foreignAggregateID",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
+					return nil
+				},
+			}
+			if tt.fields.domainPermissionCheck != nil {
+				c.checkPermission = tt.fields.domainPermissionCheck(t)
+			}
+			err := c.NewPermissionCheckUserWrite(tt.args.ctx)(tt.args.resourceOwner, tt.args.aggregateID)
+			if tt.want.err != nil {
+				assert.True(t, tt.want.err(err))
+			}
+		})
+	}
+}
+
+func TestCommands_CheckPermissionUserDelete(t *testing.T) {
+	type fields struct {
+		domainPermissionCheck func(*testing.T) domain.PermissionCheck
+	}
+	type args struct {
+		ctx                        context.Context
+		resourceOwner, aggregateID string
+	}
+	type want struct {
+		err func(error) bool
+	}
+	userCtx := authz.SetCtxData(context.Background(), authz.CtxData{
+		UserID: "aggregateID",
+	})
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   want
+	}{
+		{
+			name: "self, no permission check",
+			args: args{
+				ctx:           userCtx,
+				resourceOwner: "resourceOwner",
+				aggregateID:   "aggregateID",
+			},
+		},
+		{
+			name: "not self, permission check",
+			fields: fields{
+				domainPermissionCheck: mockDomainPermissionCheck(
+					context.Background(),
+					"user.delete",
+					"resourceOwner",
+					"foreignAggregateID"),
+			},
+			args: args{
+				ctx:           context.Background(),
+				resourceOwner: "resourceOwner",
+				aggregateID:   "foreignAggregateID",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				checkPermission: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+					assert.Failf(t, "Domain permission check should not be called", "Called c.checkPermission(%v,%v,%v,%v)", ctx, permission, orgID, resourceID)
+					return nil
+				},
+			}
+			if tt.fields.domainPermissionCheck != nil {
+				c.checkPermission = tt.fields.domainPermissionCheck(t)
+			}
+			err := c.checkPermissionDeleteUser(tt.args.ctx, tt.args.resourceOwner, tt.args.aggregateID)
+			if tt.want.err != nil {
+				assert.True(t, tt.want.err(err))
+			}
+		})
+	}
+}
+
+func mockDomainPermissionCheck(expectCtx context.Context, expectPermission, expectResourceOwner, expectResourceID string) func(t *testing.T) domain.PermissionCheck {
+	return func(t *testing.T) domain.PermissionCheck {
+		return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+			assert.Equal(t, expectCtx, ctx)
+			assert.Equal(t, expectPermission, permission)
+			assert.Equal(t, expectResourceOwner, orgID)
+			assert.Equal(t, expectResourceID, resourceID)
+			return nil
+		}
+	}
+}