fix: consistent permission check on user v2 (#8807)

# Which Problems Are Solved Some user v2 API calls checked for permission only on the user itself. # How the Problems Are Solved Consistent check for permissions on user v2 API. # Additional Changes None # Additional Context Closes #7944 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 00:17:32 +00:00 · 2024-12-03 11:14:04 +01:00
parent 26e936aec3
commit c07a5f4277
15 changed files with 213 additions and 105 deletions
--- a/internal/command/user_v2_password.go
+++ b/internal/command/user_v2_password.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"io"

-	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -50,10 +49,8 @@ func (c *Commands) requestPasswordReset(ctx context.Context, userID string, retu
 	if model.UserState == domain.UserStateInitial {
 		return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sfe4g", "Errors.User.NotInitialised")
 	}
-	if authz.GetCtxData(ctx).UserID != userID {
-		if err = c.checkPermission(ctx, domain.PermissionUserWrite, model.ResourceOwner, userID); err != nil {
-			return nil, nil, err
-		}
+	if err = c.checkPermissionUpdateUser(ctx, model.ResourceOwner, userID); err != nil {
+		return nil, nil, err
 	}
 	var passwordCode *EncryptedCode
 	var generatorID string