fix(permissions): return current user when calling ListUsers() when user does not have permissions (#9374)

# Which Problems Are Solved When running `ListUsers()` with no permissions, the calling user shoud be returned # How the Problems Are Solved Added additional clause to SQL search statement # Additional Changes n/a # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9355 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-08-11 21:17:32 +00:00 · 2025-02-20 15:39:48 +00:00
parent 93466055ee
commit 9aad207ee4
4 changed files with 145 additions and 4 deletions
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -655,7 +655,7 @@ func (q *Queries) searchUsers(ctx context.Context, queries *UserSearchQueries, f
 		UserInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
 	})
 	if permissionCheckV2 {
-		query = wherePermittedOrgs(ctx, query, filterOrgIds, UserResourceOwnerCol.identifier(), domain.PermissionUserRead)
+		query = wherePermittedOrgsOrCurrentUser(ctx, query, filterOrgIds, UserResourceOwnerCol.identifier(), UserIDCol.identifier(), domain.PermissionUserRead)
 	}

 	stmt, args, err := query.ToSql()