TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:07:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: allow user self deletion (#9828)

Browse Source 
# Which Problems Are Solved

Currently, users can't delete themselves using the V2 RemoveUser API
because of the redunant API middleware permission check.

On main, using a machine user PAT to delete the same machine user:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: NotFound
  Message: membership not found (AUTHZ-cdgFk)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTHZ-cdgFk",
    	  "message": "membership not found"
    	}
```

Same on this PRs branch:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
{
  "details": {
    "sequence": "3",
    "changeDate": "2025-05-06T13:44:54.349048Z",
    "resourceOwner": "318838541083804033"
  }
}
```

Repeated call
```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: Unauthenticated
  Message: Errors.Token.Invalid (AUTH-7fs1e)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTH-7fs1e",
    	  "message": "Errors.Token.Invalid"
    	}
```

# How the Problems Are Solved

The middleware permission check is disabled and the
domain.PermissionCheck is used exclusively.

# Additional Changes

A new type command.PermissionCheck allows to optionally accept a
permission check for commands, so APIs with middleware permission checks
can omit redundant permission checks by passing nil while APIs without
middleware permission checks can pass one to the command.

# Additional Context

This is a subtask of #9763

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Elio Bischof
2025-05-07 15:24:24 +02:00
committed by GitHub
parent 0d7d4e6af0
commit 898366c537
9 changed files with 459 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
internal/command/user_v2_test.go
View File

@@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/assert"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/repository/org"
@@ -1081,13 +1082,14 @@ func TestCommandSide_ReactivateUserV2(t *testing.T) {
}
func TestCommandSide_RemoveUserV2(t *testing.T) {
ctxUserID := "ctxUserID"
ctx := authz.SetCtxData(context.Background(), authz.CtxData{UserID: ctxUserID})
type fields struct {
eventstore func(*testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
}
type (
args struct {
ctx context.Context
userID string
cascadingMemberships []*CascadingMembership
grantIDs []string
@@ -1110,7 +1112,6 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
userID: "",
},
res: res{
@@ -1128,7 +1129,6 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
userID: "user1",
},
res: res{
@@ -1143,7 +1143,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(),
user.NewHumanAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
"firstname",
@@ -1157,7 +1157,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
),
eventFromEventPusher(
user.NewUserRemovedEvent(context.Background(),
user.NewUserRemovedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
nil,
@@ -1169,7 +1169,6 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
userID: "user1",
},
res: res{
@@ -1184,7 +1183,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(),
user.NewHumanAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
"firstname",
@@ -1200,7 +1199,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
expectFilter(
eventFromEventPusher(
org.NewDomainPolicyAddedEvent(context.Background(),
org.NewDomainPolicyAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
true,
true,
@@ -1209,7 +1208,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
),
expectPush(
user.NewUserRemovedEvent(context.Background(),
user.NewUserRemovedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
nil,
@@ -1220,7 +1219,6 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
userID: "user1",
},
res: res{
@@ -1235,7 +1233,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
user.NewHumanAddedEvent(context.Background(),
user.NewHumanAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
"firstname",
@@ -1249,7 +1247,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
),
eventFromEventPusher(
user.NewHumanInitializedCheckSucceededEvent(context.Background(),
user.NewHumanInitializedCheckSucceededEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
),
),
@@ -1258,13 +1256,10 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
checkPermission: newMockPermissionCheckNotAllowed(),
},
args: args{
ctx: context.Background(),
userID: "user1",
},
res: res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
},
err: zerrors.IsPermissionDenied,
},
},
{
@@ -1273,7 +1268,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
user.NewMachineAddedEvent(context.Background(),
user.NewMachineAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
"name",
@@ -1283,7 +1278,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
),
eventFromEventPusher(
user.NewUserRemovedEvent(context.Background(),
user.NewUserRemovedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
nil,
@@ -1292,10 +1287,8 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
userID: "user1",
},
res: res{
@@ -1310,7 +1303,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
user.NewMachineAddedEvent(context.Background(),
user.NewMachineAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
"name",
@@ -1322,7 +1315,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
expectFilter(
eventFromEventPusher(
org.NewDomainPolicyAddedEvent(context.Background(),
org.NewDomainPolicyAddedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
true,
true,
@@ -1331,7 +1324,7 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
),
),
expectPush(
user.NewUserRemovedEvent(context.Background(),
user.NewUserRemovedEvent(ctx,
&user.NewAggregate("user1", "org1").Aggregate,
"username",
nil,
@@ -1342,7 +1335,6 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
},
args: args{
ctx: context.Background(),
userID: "user1",
},
res: res{
@@ -1351,6 +1343,56 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
},
},
},
{
name: "remove self, ok",
fields: fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
user.NewHumanAddedEvent(ctx,
&user.NewAggregate(ctxUserID, "org1").Aggregate,
"username",
"firstname",
"lastname",
"nickname",
"displayname",
language.German,
domain.GenderUnspecified,
"email@test.ch",
true,
),
),
),
expectFilter(
eventFromEventPusher(
org.NewDomainPolicyAddedEvent(ctx,
&user.NewAggregate(ctxUserID, "org1").Aggregate,
true,
true,
true,
),
),
),
expectPush(
user.NewUserRemovedEvent(ctx,
&user.NewAggregate(ctxUserID, "org1").Aggregate,
"username",
nil,
true,
),
),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args: args{
userID: ctxUserID,
},
res: res{
want: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@@ -1358,7 +1400,8 @@ func TestCommandSide_RemoveUserV2(t *testing.T) {
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
got, err := r.RemoveUserV2(tt.args.ctx, tt.args.userID, "", tt.args.cascadingMemberships, tt.args.grantIDs...)
got, err := r.RemoveUserV2(ctx, tt.args.userID, "", tt.args.cascadingMemberships, tt.args.grantIDs...)
if tt.res.err == nil {
assert.NoError(t, err)
}