fix: permission check for actions v1 post creation user grants (#10638)

# Which Problems Are Solved Unnecessary default permission check in creating an authorization fails even if the functionality was called internally. # How the Problems Are Solved Move permission check to the proper implementation, so that necessary permission checks are provided by the responsible API. # Additional Changes None # Additional Context Closes #10624 Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-12-23 02:26:44 +00:00 · 2025-09-03 16:39:18 +02:00
parent 7f27efcac1
commit bdefd9147f
4 changed files with 18 additions and 15 deletions
--- a/internal/api/grpc/management/auth_checks.go
+++ b/internal/api/grpc/management/auth_checks.go
@@ -4,22 +4,27 @@ import (
 	"context"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

-func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error {
+func checkExplicitProjectPermission(ctx context.Context) command.UserGrantPermissionCheck {
 	permissions := authz.GetRequestPermissionsFromCtx(ctx)
 	if authz.HasGlobalPermission(permissions) {
 		return nil
 	}
 	ids := authz.GetAllPermissionCtxIDs(permissions)
-	if grantID != "" && listContainsID(ids, grantID) {
-		return nil
+	return func(projectID, grantID string) command.PermissionCheck {
+		return func(resourceOwner, aggregateID string) error {
+			if grantID != "" && listContainsID(ids, grantID) {
+				return nil
+			}
+			if listContainsID(ids, projectID) {
+				return nil
+			}
+			return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+		}
 	}
-	if listContainsID(ids, projectID) {
-		return nil
-	}
-	return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
 }

 func listContainsID(ids []string, id string) bool {
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -45,10 +45,7 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR

 func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) {
 	grant := AddUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID)
-	if err := checkExplicitProjectPermission(ctx, grant.ProjectGrantID, grant.ProjectID); err != nil {
-		return nil, err
-	}
-	grant, err := s.command.AddUserGrant(ctx, grant, nil)
+	grant, err := s.command.AddUserGrant(ctx, grant, checkExplicitProjectPermission(ctx))
 	if err != nil {
 		return nil, err
 	}
@@ -63,7 +60,7 @@ func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequ
 }

 func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) {
-	grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, nil)
+	grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, checkExplicitProjectPermission(ctx))
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/user_grant.go
+++ b/internal/command/user_grant.go
@@ -340,7 +340,7 @@ func (c *Commands) checkUserGrantPreCondition(ctx context.Context, usergrant *do
 	if check != nil {
 		return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "")
 	}
-	return checkExplicitProjectPermission(ctx, usergrant.ProjectGrantID, usergrant.ProjectID)
+	return nil
 }

 // this code needs to be rewritten anyways as soon as we improved the fields handling
@@ -488,7 +488,7 @@ func (c *Commands) checkUserGrantPreConditionOld(ctx context.Context, usergrant
 	if check != nil {
 		return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "")
 	}
-	return checkExplicitProjectPermission(ctx, usergrant.ProjectGrantID, usergrant.ProjectID)
+	return nil
 }

 func (c *Commands) searchProjectOwnerAndGrantID(ctx context.Context, projectID string, grantedOrgID string) (projectOwner string, grantID string, err error) {
--- a/internal/command/user_grant_test.go
+++ b/internal/command/user_grant_test.go
@@ -1072,9 +1072,10 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 					},
 					UserID: "user1",
 				},
+				permissionCheck: failingUserGrantPermissionCheck,
 			},
 			res: res{
-				err: zerrors.IsPermissionDenied,
+				err: isMockedPermissionCheckErr,
 			},
 		},
 		{