fix(permissions): return current user when calling ListUsers() when user does not have permissions (#9374)

# Which Problems Are Solved

When running `ListUsers()` with no permissions, the calling user should
still be returned (their own record).

# How the Problems Are Solved

Added additional clause to SQL search statement 

# Additional Changes

n/a

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9355

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
This commit is contained in:
Iraq
2025-02-20 15:39:48 +00:00
committed by GitHub
parent 93466055ee
commit 9aad207ee4
4 changed files with 145 additions and 4 deletions


@@ -12,7 +12,8 @@ import (
const (
// eventstore.permitted_orgs(instanceid text, userid text, perm text, filter_orgs text)
wherePermittedOrgsClause = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?))"
wherePermittedOrgsClause = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?))"
wherePermittedOrgsOrCurrentUserClause = "(" + wherePermittedOrgsClause + " OR %s = ?" + ")"
)
// wherePermittedOrgs sets a `WHERE` clause to the query that filters the orgs
@@ -35,3 +36,17 @@ func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, filterOrgId
filterOrgIds,
)
}
func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, userIdColum, permission string) sq.SelectBuilder {
userID := authz.GetCtxData(ctx).UserID
logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "user_id_colum", userIdColum, "permission", permission, "user_id", userID).Debug("permitted orgs check used")
return query.Where(
fmt.Sprintf(wherePermittedOrgsOrCurrentUserClause, orgIDColumn, userIdColum),
authz.GetInstance(ctx).InstanceID(),
userID,
permission,
filterOrgIds,
userID,
)
}
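Review bot: `wherePermittedOrgsOrCurrentUser` builds the column names into the SQL with `fmt.Sprintf` (L49), so it is only safe while `orgIDColumn` and `userIdColum` are compile-time constants supplied by the caller, and unlike the sibling `wherePermittedOrgs` (commented at L40) the new function has no doc comment saying so. I would add, above the signature, a comment such as `// wherePermittedOrgsOrCurrentUser is wherePermittedOrgs plus an OR on userIdColum = current user, so a caller with no org permission still sees its own row; both column arguments are interpolated into the SQL and must be trusted constants, never request input.` The parenthesised clause at L38 is correct for squirrel's AND-joined Where calls, so precedence is fine. One thing to confirm: if `authz.GetCtxData(ctx).UserID` can be empty for unauthenticated or system contexts, the clause degrades to `user_id = ''`, which should match nothing but is worth an explicit early fallback to `wherePermittedOrgs`. Per Go naming, `userIdColum` should also be `userIDColumn`.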