TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-23 14:37:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: permission check for actions v1 post creation user grants (#10638)

Browse Source 
# Which Problems Are Solved

Unnecessary default permission check in creating an authorization fails
even if the functionality was called internally.

# How the Problems Are Solved

Move permission check to the proper implementation, so that necessary
permission checks are provided by the responsible API.

# Additional Changes

None

# Additional Context

Closes #10624

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Stefan Benz
2025-09-03 16:39:18 +02:00
committed by GitHub
parent 7f27efcac1
commit bdefd9147f
4 changed files with 18 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/api/grpc/management/auth_checks.go
View File

@@ -4,15 +4,18 @@ import (
"context" "context"
"github.com/zitadel/zitadel/internal/api/authz" "github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/zerrors" "github.com/zitadel/zitadel/internal/zerrors"
) )
func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error { func checkExplicitProjectPermission(ctx context.Context) command.UserGrantPermissionCheck {
permissions := authz.GetRequestPermissionsFromCtx(ctx) permissions := authz.GetRequestPermissionsFromCtx(ctx)
if authz.HasGlobalPermission(permissions) { if authz.HasGlobalPermission(permissions) {
return nil return nil
} }
ids := authz.GetAllPermissionCtxIDs(permissions) ids := authz.GetAllPermissionCtxIDs(permissions)
return func(projectID, grantID string) command.PermissionCheck {
return func(resourceOwner, aggregateID string) error {
if grantID != "" && listContainsID(ids, grantID) { if grantID != "" && listContainsID(ids, grantID) {
return nil return nil
} }
@@ -20,6 +23,8 @@ func checkExplicitProjectPermission(ctx context.Context, grantID, projectID stri
return nil return nil
} }
return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject") return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
}
}
} }
func listContainsID(ids []string, id string) bool { func listContainsID(ids []string, id string) bool {

7
internal/api/grpc/management/user_grant.go
View File

@@ -45,10 +45,7 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR
func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) { func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) {
grant := AddUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID) grant := AddUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID)
if err := checkExplicitProjectPermission(ctx, grant.ProjectGrantID, grant.ProjectID); err != nil { grant, err := s.command.AddUserGrant(ctx, grant, checkExplicitProjectPermission(ctx))
return nil, err
}
grant, err := s.command.AddUserGrant(ctx, grant, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -63,7 +60,7 @@ func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequ
} }
func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) { func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) {
grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, nil) grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, checkExplicitProjectPermission(ctx))
if err != nil { if err != nil {
return nil, err return nil, err
} }

4
internal/command/user_grant.go
View File

@@ -340,7 +340,7 @@ func (c *Commands) checkUserGrantPreCondition(ctx context.Context, usergrant *do
if check != nil { if check != nil {
return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "") return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "")
} }
return checkExplicitProjectPermission(ctx, usergrant.ProjectGrantID, usergrant.ProjectID) return nil
} }
// this code needs to be rewritten anyways as soon as we improved the fields handling // this code needs to be rewritten anyways as soon as we improved the fields handling
@@ -488,7 +488,7 @@ func (c *Commands) checkUserGrantPreConditionOld(ctx context.Context, usergrant
if check != nil { if check != nil {
return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "") return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "")
} }
return checkExplicitProjectPermission(ctx, usergrant.ProjectGrantID, usergrant.ProjectID) return nil
} }
func (c *Commands) searchProjectOwnerAndGrantID(ctx context.Context, projectID string, grantedOrgID string) (projectOwner string, grantID string, err error) { func (c *Commands) searchProjectOwnerAndGrantID(ctx context.Context, projectID string, grantedOrgID string) (projectOwner string, grantID string, err error) {

3
internal/command/user_grant_test.go
View File

@@ -1072,9 +1072,10 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
}, },
UserID: "user1", UserID: "user1",
}, },
permissionCheck: failingUserGrantPermissionCheck,
}, },
res: res{ res: res{
err: zerrors.IsPermissionDenied, err: isMockedPermissionCheckErr,
}, },
}, },
{ {