fix: consistent permission check on user v2 (#8807)

# Which Problems Are Solved

Some user v2 API calls checked for permission only on the user itself.

# How the Problems Are Solved

Consistent check for permissions on user v2 API.

# Additional Changes

None

# Additional Context

Closes #7944

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/grpc/user/v2/integration_test/otp_test.go

@@ -58,7 +58,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "user mismatch",
+			name: "no permission",
 			args: args{
 				ctx: integration.WithAuthorizationToken(context.Background(), sessionTokenOtherUser),
 				req: &user.AddOTPSMSRequest{
@@ -127,14 +127,24 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 
 	userVerified := Instance.CreateHumanUser(CTX)
 	Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
-	_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
-	userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
-	_, err := Instance.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
+	_, err := Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
 		UserId:           userVerified.GetUserId(),
 		VerificationCode: userVerified.GetPhoneCode(),
 	})
 	require.NoError(t, err)
-	_, err = Instance.Client.UserV2.AddOTPSMS(userVerifiedCtx, &user.AddOTPSMSRequest{UserId: userVerified.GetUserId()})
+	_, err = Instance.Client.UserV2.AddOTPSMS(CTX, &user.AddOTPSMSRequest{UserId: userVerified.GetUserId()})
+	require.NoError(t, err)
+
+	userSelf := Instance.CreateHumanUser(CTX)
+	Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
+	_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
+	userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
+	_, err = Instance.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
+		UserId:           userSelf.GetUserId(),
+		VerificationCode: userSelf.GetPhoneCode(),
+	})
+	require.NoError(t, err)
+	_, err = Instance.Client.UserV2.AddOTPSMS(CTX, &user.AddOTPSMSRequest{UserId: userSelf.GetUserId()})
 	require.NoError(t, err)
 
 	type args struct {
@@ -157,10 +167,24 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "success, self",
+			args: args{
+				ctx: userSelfCtx,
+				req: &user.RemoveOTPSMSRequest{
+					UserId: userSelf.GetUserId(),
+				},
+			},
+			want: &user.RemoveOTPSMSResponse{
+				Details: &object.Details{
+					ResourceOwner: Instance.DefaultOrg.Details.ResourceOwner,
+				},
+			},
+		},
 		{
 			name: "success",
 			args: args{
-				ctx: userVerifiedCtx,
+				ctx: CTX,
 				req: &user.RemoveOTPSMSRequest{
 					UserId: userVerified.GetUserId(),
 				},
@@ -230,7 +254,7 @@ func TestServer_AddOTPEmail(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "user mismatch",
+			name: "no permission",
 			args: args{
 				ctx: integration.WithAuthorizationToken(context.Background(), sessionTokenOtherUser),
 				req: &user.AddOTPEmailRequest{
@@ -301,14 +325,24 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
 
 	userVerified := Instance.CreateHumanUser(CTX)
 	Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
-	_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
-	userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
-	_, err := Instance.Client.UserV2.VerifyEmail(userVerifiedCtx, &user.VerifyEmailRequest{
+	_, err := Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
 		UserId:           userVerified.GetUserId(),
 		VerificationCode: userVerified.GetEmailCode(),
 	})
 	require.NoError(t, err)
-	_, err = Instance.Client.UserV2.AddOTPEmail(userVerifiedCtx, &user.AddOTPEmailRequest{UserId: userVerified.GetUserId()})
+	_, err = Instance.Client.UserV2.AddOTPEmail(CTX, &user.AddOTPEmailRequest{UserId: userVerified.GetUserId()})
+	require.NoError(t, err)
+
+	userSelf := Instance.CreateHumanUser(CTX)
+	Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
+	_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
+	userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
+	_, err = Instance.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
+		UserId:           userSelf.GetUserId(),
+		VerificationCode: userSelf.GetEmailCode(),
+	})
+	require.NoError(t, err)
+	_, err = Instance.Client.UserV2.AddOTPEmail(CTX, &user.AddOTPEmailRequest{UserId: userSelf.GetUserId()})
 	require.NoError(t, err)
 
 	type args struct {
@@ -331,10 +365,25 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "success, self",
+			args: args{
+				ctx: userSelfCtx,
+				req: &user.RemoveOTPEmailRequest{
+					UserId: userSelf.GetUserId(),
+				},
+			},
+			want: &user.RemoveOTPEmailResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.DefaultOrg.Details.ResourceOwner,
+				},
+			},
+		},
 		{
 			name: "success",
 			args: args{
-				ctx: userVerifiedCtx,
+				ctx: CTX,
 				req: &user.RemoveOTPEmailRequest{
 					UserId: userVerified.GetUserId(),
 				},

internal/api/grpc/user/v2/integration_test/passkey_test.go

@@ -93,15 +93,30 @@ func TestServer_RegisterPasskey(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "user mismatch",
+			name: "user no permission",
 			args: args{
-				ctx: CTX,
+				ctx: UserCTX,
 				req: &user.RegisterPasskeyRequest{
 					UserId: userID,
 				},
 			},
 			wantErr: true,
 		},
+		{
+			name: "user permission",
+			args: args{
+				ctx: IamCTX,
+				req: &user.RegisterPasskeyRequest{
+					UserId: userID,
+				},
+			},
+			want: &user.RegisterPasskeyResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.DefaultOrg.Id,
+				},
+			},
+		},
 		{
 			name: "user setting its own passkey",
 			args: args{

internal/api/grpc/user/v2/otp.go

@@ -13,7 +13,6 @@ func (s *Server) AddOTPSMS(ctx context.Context, req *user.AddOTPSMSRequest) (*us
 		return nil, err
 	}
 	return &user.AddOTPSMSResponse{Details: object.DomainToDetailsPb(details)}, nil
-
 }
 
 func (s *Server) RemoveOTPSMS(ctx context.Context, req *user.RemoveOTPSMSRequest) (*user.RemoveOTPSMSResponse, error) {

internal/api/grpc/user/v2beta/integration_test/otp_test.go

@@ -58,7 +58,7 @@ func TestServer_AddOTPSMS(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "user mismatch",
+			name: "no permission",
 			args: args{
 				ctx: integration.WithAuthorizationToken(context.Background(), sessionTokenOtherUser),
 				req: &user.AddOTPSMSRequest{
@@ -127,14 +127,24 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 
 	userVerified := Instance.CreateHumanUser(CTX)
 	Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
-	_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
-	userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
-	_, err := Client.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
+	_, err := Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{
 		UserId:           userVerified.GetUserId(),
 		VerificationCode: userVerified.GetPhoneCode(),
 	})
 	require.NoError(t, err)
-	_, err = Client.AddOTPSMS(userVerifiedCtx, &user.AddOTPSMSRequest{UserId: userVerified.GetUserId()})
+	_, err = Instance.Client.UserV2beta.AddOTPSMS(CTX, &user.AddOTPSMSRequest{UserId: userVerified.GetUserId()})
+	require.NoError(t, err)
+
+	userSelf := Instance.CreateHumanUser(CTX)
+	Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
+	_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userSelf.GetUserId())
+	userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
+	_, err = Instance.Client.UserV2beta.VerifyPhone(CTX, &user.VerifyPhoneRequest{
+		UserId:           userSelf.GetUserId(),
+		VerificationCode: userSelf.GetPhoneCode(),
+	})
+	require.NoError(t, err)
+	_, err = Instance.Client.UserV2beta.AddOTPSMS(CTX, &user.AddOTPSMSRequest{UserId: userSelf.GetUserId()})
 	require.NoError(t, err)
 
 	type args struct {
@@ -157,10 +167,24 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "success, self",
+			args: args{
+				ctx: userSelfCtx,
+				req: &user.RemoveOTPSMSRequest{
+					UserId: userSelf.GetUserId(),
+				},
+			},
+			want: &user.RemoveOTPSMSResponse{
+				Details: &object.Details{
+					ResourceOwner: Instance.DefaultOrg.Details.ResourceOwner,
+				},
+			},
+		},
 		{
 			name: "success",
 			args: args{
-				ctx: userVerifiedCtx,
+				ctx: CTX,
 				req: &user.RemoveOTPSMSRequest{
 					UserId: userVerified.GetUserId(),
 				},
@@ -301,14 +325,24 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
 
 	userVerified := Instance.CreateHumanUser(CTX)
 	Instance.RegisterUserPasskey(CTX, userVerified.GetUserId())
-	_, sessionTokenVerified, _, _ := Instance.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
-	userVerifiedCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenVerified)
-	_, err := Client.VerifyEmail(userVerifiedCtx, &user.VerifyEmailRequest{
+	_, err := Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
 		UserId:           userVerified.GetUserId(),
 		VerificationCode: userVerified.GetEmailCode(),
 	})
 	require.NoError(t, err)
-	_, err = Client.AddOTPEmail(userVerifiedCtx, &user.AddOTPEmailRequest{UserId: userVerified.GetUserId()})
+	_, err = Client.AddOTPEmail(CTX, &user.AddOTPEmailRequest{UserId: userVerified.GetUserId()})
+	require.NoError(t, err)
+
+	userSelf := Instance.CreateHumanUser(CTX)
+	Instance.RegisterUserPasskey(CTX, userSelf.GetUserId())
+	_, sessionTokenSelf, _, _ := Instance.CreateVerifiedWebAuthNSession(t, IamCTX, userSelf.GetUserId())
+	userSelfCtx := integration.WithAuthorizationToken(context.Background(), sessionTokenSelf)
+	_, err = Client.VerifyEmail(CTX, &user.VerifyEmailRequest{
+		UserId:           userSelf.GetUserId(),
+		VerificationCode: userSelf.GetEmailCode(),
+	})
+	require.NoError(t, err)
+	_, err = Client.AddOTPEmail(CTX, &user.AddOTPEmailRequest{UserId: userSelf.GetUserId()})
 	require.NoError(t, err)
 
 	type args struct {
@@ -331,10 +365,25 @@ func TestServer_RemoveOTPEmail(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "success, self",
+			args: args{
+				ctx: userSelfCtx,
+				req: &user.RemoveOTPEmailRequest{
+					UserId: userSelf.GetUserId(),
+				},
+			},
+			want: &user.RemoveOTPEmailResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.DefaultOrg.Details.ResourceOwner,
+				},
+			},
+		},
 		{
 			name: "success",
 			args: args{
-				ctx: userVerifiedCtx,
+				ctx: CTX,
 				req: &user.RemoveOTPEmailRequest{
 					UserId: userVerified.GetUserId(),
 				},

internal/api/grpc/user/v2beta/integration_test/passkey_test.go

@@ -92,15 +92,30 @@ func TestServer_RegisterPasskey(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "user mismatch",
+			name: "user no permission",
 			args: args{
-				ctx: CTX,
+				ctx: UserCTX,
 				req: &user.RegisterPasskeyRequest{
 					UserId: userID,
 				},
 			},
 			wantErr: true,
 		},
+		{
+			name: "user permission",
+			args: args{
+				ctx: IamCTX,
+				req: &user.RegisterPasskeyRequest{
+					UserId: userID,
+				},
+			},
+			want: &user.RegisterPasskeyResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.DefaultOrg.Id,
+				},
+			},
+		},
 		{
 			name: "user setting its own passkey",
 			args: args{