fix(actions v1): return org metadata again (#11040)

# Which Problems Are Solved

The latest fix to the organization v2beta service unintentionally
prevented actions v1 from retrieving organization metadata because of an
additional permission check.

# How the Problems Are Solved

- Implicitly allow the actions v1 org metadata query.
- V1 endpoints doing the same query also no longer require the
additional permission check as they already do the corresponding check
in the API. (same for organization domains).

# Additional Changes

None

# Additional Context

Reported by customers after the deployment of v4.6.3
Livio Spring
2025-11-05 16:44:46 +01:00
committed by GitHub
parent bd354ded61
commit 9c50087550
8 changed files with 22 additions and 14 deletions


@@ -85,6 +85,7 @@ func GetOrganizationMetadata(ctx context.Context, queries *query.Queries, c *act
organizationID,
&query.OrgMetadataSearchQueries{},
false,
false,
)
if err != nil {
logging.WithError(err).Info("unable to get org metadata in action")
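Review bot: The two trailing `false` arguments in this call are indistinguishable positional bools, and the second one now switches off the permission filter on the org metadata query. Labelling them at the call site keeps the bypass visible in later reviews, e.g. `false, // withOwnerRemoved` and `false, // withPermissionCheck: skipped for actions v1, see #11040`. The same applies to the three calls in runPostExternalAuthenticationActions, runPreCreationActions and runPostCreationActions. The function starts and ends outside the hunk, so where `organizationID` comes from cannot be checked here.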


@@ -290,7 +290,7 @@ func (s *Server) getDomains(ctx context.Context, orgID string) (_ []*org_pb.Doma
if err != nil {
return nil, err
}
orgDomainsQuery, err := s.query.SearchOrgDomains(ctx, &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{orgDomainOrgIDQuery}}, false)
orgDomainsQuery, err := s.query.SearchOrgDomains(ctx, &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{orgDomainOrgIDQuery}}, false, false)
if err != nil {
return nil, err
}
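Review bot: With `withPermissionCheck` set to `false` here, getDomains returns the domains of whatever `orgID` it is handed, so authorization rests entirely on its callers. The commit message says the v1 endpoints already perform the check in the API, but those callers are outside the hunk; it is worth confirming each one sits behind that check and recording the assumption, e.g. `// permission is enforced by the API layer for every caller of getDomains`. A test that calls the endpoint without the required permission and expects a denial would keep this from regressing silently.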


@@ -171,7 +171,7 @@ func (s *Server) ListOrgDomains(ctx context.Context, req *mgmt_pb.ListOrgDomains
}
queries.Queries = append(queries.Queries, orgIDQuery)
domains, err := s.query.SearchOrgDomains(ctx, queries, false)
domains, err := s.query.SearchOrgDomains(ctx, queries, false, false)
if err != nil {
return nil, err
}
@@ -324,7 +324,7 @@ func (s *Server) ListOrgMetadata(ctx context.Context, req *mgmt_pb.ListOrgMetada
if err != nil {
return nil, err
}
res, err := s.query.SearchOrgMetadata(ctx, true, authz.GetCtxData(ctx).OrgID, metadataQueries, false)
res, err := s.query.SearchOrgMetadata(ctx, true, authz.GetCtxData(ctx).OrgID, metadataQueries, false, false)
if err != nil {
return nil, err
}


@@ -83,7 +83,7 @@ func (s *Server) ListOrganizationMetadata(ctx context.Context, request *connect.
if err != nil {
return nil, err
}
res, err := s.query.SearchOrgMetadata(ctx, true, request.Msg.GetOrganizationId(), metadataQueries, false)
res, err := s.query.SearchOrgMetadata(ctx, true, request.Msg.GetOrganizationId(), metadataQueries, false, true)
if err != nil {
return nil, err
}
@@ -151,7 +151,7 @@ func (s *Server) ListOrganizationDomains(ctx context.Context, req *connect.Reque
}
queries.Queries = append(queries.Queries, orgIDQuery)
domains, err := s.query.SearchOrgDomains(ctx, queries, false)
domains, err := s.query.SearchOrgDomains(ctx, queries, false, true)
if err != nil {
return nil, err
}


@@ -131,6 +131,7 @@ func (l *Login) runPostExternalAuthenticationActions(
resourceOwner,
&query.OrgMetadataSearchQueries{},
false,
false,
)
if err != nil {
logging.WithError(err).Info("unable to get org metadata in action")
@@ -325,6 +326,7 @@ func (l *Login) runPreCreationActions(
resourceOwner,
&query.OrgMetadataSearchQueries{},
false,
false,
)
if err != nil {
logging.WithError(err).Info("unable to get org metadata in action")
@@ -401,6 +403,7 @@ func (l *Login) runPostCreationActions(
resourceOwner,
&query.OrgMetadataSearchQueries{},
false,
false,
)
if err != nil {
logging.WithError(err).Info("unable to get org metadata in action")


@@ -105,7 +105,7 @@ func (l *Login) passLoginHintToRegistration(r *http.Request, authReq *domain.Aut
logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to search query for registration loginHint")
return data
}
domains, err := l.query.SearchOrgDomains(r.Context(), &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{searchQuery}}, false)
domains, err := l.query.SearchOrgDomains(r.Context(), &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{searchQuery}}, false, false)
if err != nil {
logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to load domains for registration loginHint")
return data
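Review bot: This lookup now runs without the permission filter in a request-driven login path (`r *http.Request`, `authReq.RequestedOrgID`), so the only scoping left is whatever `searchQuery` contains, and that is built outside the hunk. If it is not already limited to the requested org, it should be. Either way a comment stating why the check is skipped would help, e.g. `// no permission check: the registration hint is resolved before a user is authenticated`. That rationale is inferred from the function name and should be confirmed by the author.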


@@ -55,7 +55,7 @@ func NewOrgDomainVerifiedSearchQuery(verified bool) (SearchQuery, error) {
return NewBoolQuery(OrgDomainIsVerifiedCol, verified)
}
func (q *Queries) SearchOrgDomains(ctx context.Context, queries *OrgDomainSearchQueries, withOwnerRemoved bool) (domains *Domains, err error) {
func (q *Queries) SearchOrgDomains(ctx context.Context, queries *OrgDomainSearchQueries, withOwnerRemoved, withPermissionCheck bool) (domains *Domains, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -64,9 +64,11 @@ func (q *Queries) SearchOrgDomains(ctx context.Context, queries *OrgDomainSearch
if !withOwnerRemoved {
eq[OrgDomainOwnerRemovedCol.identifier()] = false
}
// We always use the permission v2 check and don't check the feature flag, since it's stable enough to work
// in this case and using the old checks only adds more latency, but no benefit.
query = orgDomainPermissionCheckV2(ctx, query, queries)
if withPermissionCheck {
// We always use the permission v2 check and don't check the feature flag, since it's stable enough to work
// in this case and using the old checks only adds more latency, but no benefit.
query = orgDomainPermissionCheckV2(ctx, query, queries)
}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
return nil, zerrors.ThrowInvalidArgument(err, "QUERY-ZRfj1", "Errors.Query.SQLStatement")
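Review bot: The new `withPermissionCheck` parameter is a second positional bool directly after `withOwnerRemoved`, so a transposed or copy-pasted `false` drops `orgDomainPermissionCheckV2` from the query without any compile-time signal. The function has no doc comment stating the contract; one should say that with `withPermissionCheck` false no permission filter is applied and the caller must already have authorized access to the organization. The moved comment also still says "We always use the permission v2 check" although it is now conditional; something like `// When enabled, use the permission v2 check directly instead of consulting the feature flag` would match the code. The same applies to SearchOrgMetadata in the next file, and the body of SearchOrgDomains continues outside the hunk.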


@@ -114,7 +114,7 @@ func (q *Queries) GetOrgMetadataByKey(ctx context.Context, shouldTriggerBulk boo
return metadata, err
}
func (q *Queries) SearchOrgMetadata(ctx context.Context, shouldTriggerBulk bool, orgID string, queries *OrgMetadataSearchQueries, withOwnerRemoved bool) (metadata *OrgMetadataList, err error) {
func (q *Queries) SearchOrgMetadata(ctx context.Context, shouldTriggerBulk bool, orgID string, queries *OrgMetadataSearchQueries, withOwnerRemoved, withPermissionCheck bool) (metadata *OrgMetadataList, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -132,9 +132,11 @@ func (q *Queries) SearchOrgMetadata(ctx context.Context, shouldTriggerBulk bool,
eq[OrgMetadataOwnerRemovedCol.identifier()] = false
}
query, scan := prepareOrgMetadataListQuery()
// We always use the permission v2 check and don't check the feature flag, since it's stable enough to work
// in this case and using the old checks only adds more latency, but no benefit.
query = orgMetadataPermissionCheckV2(ctx, query, queries)
if withPermissionCheck {
// We always use the permission v2 check and don't check the feature flag, since it's stable enough to work
// in this case and using the old checks only adds more latency, but no benefit.
query = orgMetadataPermissionCheckV2(ctx, query, queries)
}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
return nil, zerrors.ThrowInternal(err, "QUERY-Egbld", "Errors.Query.SQLStatement")