fix: add additional permission tests to user v2 query endpoints (#7382)

Add additional permission integration tests to the user v2 query endpoints including some fixes to correctly check the permissions after the data is known which you want to query.
2025-08-12 07:57:32 +00:00 · 2024-03-08 09:37:23 +01:00
parent 6df4b1b2c2
commit 9f72fc63ac
5 changed files with 451 additions and 15 deletions
--- a/internal/api/grpc/user/v2/query.go
+++ b/internal/api/grpc/user/v2/query.go
@@ -14,17 +14,15 @@ import (
 )

 func (s *Server) GetUserByID(ctx context.Context, req *user.GetUserByIDRequest) (_ *user.GetUserByIDResponse, err error) {
-	ctxData := authz.GetCtxData(ctx)
-	if ctxData.UserID != req.GetUserId() {
-		if err := s.checkPermission(ctx, domain.PermissionUserRead, ctxData.OrgID, req.GetUserId()); err != nil {
-			return nil, err
-		}
-	}
-
 	resp, err := s.query.GetUserByID(ctx, true, req.GetUserId())
 	if err != nil {
 		return nil, err
 	}
+	if authz.GetCtxData(ctx).UserID != req.GetUserId() {
+		if err := s.checkPermission(ctx, domain.PermissionUserRead, resp.ResourceOwner, req.GetUserId()); err != nil {
+			return nil, err
+		}
+	}
 	return &user.GetUserByIDResponse{
 		Details: object.DomainToDetailsPb(&domain.ObjectDetails{
 			Sequence:      resp.Sequence,