fix: mitigate overload risk in processProject on user memberships (#2665)

2025-02-28 20:37:23 +00:00 · 2021-11-12 15:06:26 +01:00 · 2021-11-12 15:06:26 +01:00 · cfdb8c3301
commit cfdb8c3301
parent 4fc2582b4c
4 changed files with 29 additions and 12 deletions
--- a/internal/auth/repository/eventsourcing/handler/user_membership.go
+++ b/internal/auth/repository/eventsourcing/handler/user_membership.go
@ -2,11 +2,11 @@ package handler

 import (
 	"context"
-	"github.com/caos/zitadel/internal/eventstore/v1"

 	"github.com/caos/logging"

 	"github.com/caos/zitadel/internal/errors"
+	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/eventstore/v1/query"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
@ -245,17 +245,21 @@ func (m *UserMembership) fillProjectDisplayName(member *usr_es_model.UserMembers
 }

 func (m *UserMembership) updateProjectDisplayName(event *es_models.Event) error {
-	project, err := m.getProjectByID(context.Background(), event.AggregateID)
+	proj := new(proj_es_model.Project)
+	err := proj.SetData(event)
 	if err != nil {
 		return err
 	}
+	if proj.Name == "" {
+		return m.view.ProcessedUserMembershipSequence(event)
+	}

 	memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID)
 	if err != nil {
 		return err
 	}
 	for _, membership := range memberships {
-		membership.DisplayName = project.Name
+		membership.DisplayName = proj.Name
 	}
 	return m.view.BulkPutUserMemberships(memberships, event)
 }
--- a/internal/authz/repository/eventsourcing/handler/user_membership.go
+++ b/internal/authz/repository/eventsourcing/handler/user_membership.go
@ -2,11 +2,11 @@ package handler

 import (
 	"context"
-	"github.com/caos/zitadel/internal/eventstore/v1"

 	"github.com/caos/logging"

 	"github.com/caos/zitadel/internal/errors"
+	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/eventstore/v1/query"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
@ -244,17 +244,21 @@ func (m *UserMembership) fillProjectDisplayName(member *usr_es_model.UserMembers
 }

 func (m *UserMembership) updateProjectDisplayName(event *es_models.Event) error {
-	project, err := m.getProjectByID(context.Background(), event.AggregateID)
+	proj := new(proj_es_model.Project)
+	err := proj.SetData(event)
 	if err != nil {
 		return err
 	}
+	if proj.Name == "" {
+		return m.view.ProcessedUserMembershipSequence(event)
+	}

 	memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID)
 	if err != nil {
 		return err
 	}
 	for _, membership := range memberships {
-		membership.DisplayName = project.Name
+		membership.DisplayName = proj.Name
 	}
 	return m.view.BulkPutUserMemberships(memberships, event)
 }
--- a/internal/management/repository/eventsourcing/handler/user_membership.go
+++ b/internal/management/repository/eventsourcing/handler/user_membership.go
@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/caos/logging"
+
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
@ -165,10 +166,14 @@ func (m *UserMembership) fillOrgDisplayName(member *usr_es_model.UserMembershipV
 }

 func (m *UserMembership) updateOrgDisplayName(event *es_models.Event) error {
-	org, err := m.getOrgByID(context.Background(), event.AggregateID)
+	org := new(org_es_model.Org)
+	err := org.SetData(event)
 	if err != nil {
 		return err
 	}
+	if org.Name == "" {
+		return m.view.ProcessedUserMembershipSequence(event)
+	}

 	memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID)
 	if err != nil {
@ -231,17 +236,21 @@ func (m *UserMembership) fillProjectDisplayName(member *usr_es_model.UserMembers
 }

 func (m *UserMembership) updateProjectDisplayName(event *es_models.Event) error {
-	project, err := m.getProjectByID(context.Background(), event.AggregateID)
+	proj := new(proj_es_model.Project)
+	err := proj.SetData(event)
 	if err != nil {
 		return err
 	}
+	if proj.Name == "" {
+		return m.view.ProcessedUserMembershipSequence(event)
+	}

 	memberships, err := m.view.UserMembershipsByAggregateID(event.AggregateID)
 	if err != nil {
 		return err
 	}
 	for _, membership := range memberships {
-		membership.DisplayName = project.Name
+		membership.DisplayName = proj.Name
 	}
 	return m.view.BulkPutUserMemberships(memberships, event)
 }
--- a/internal/org/repository/eventsourcing/model/org.go
+++ b/internal/org/repository/eventsourcing/model/org.go
@ -87,12 +87,12 @@ func (o *Org) AppendEvents(events ...*es_models.Event) error {
 func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 	switch event.Type {
 	case OrgAdded:
-		err = o.setData(event)
+		err = o.SetData(event)
 		if err != nil {
 			return err
 		}
 	case OrgChanged:
-		err = o.setData(event)
+		err = o.SetData(event)
 		if err != nil {
 			return err
 		}
@ -210,7 +210,7 @@ func (o *Org) AppendEvent(event *es_models.Event) (err error) {
 	return nil
 }

-func (o *Org) setData(event *es_models.Event) error {
+func (o *Org) SetData(event *es_models.Event) error {
 	err := json.Unmarshal(event.Data, o)
 	if err != nil {
 		return errors.ThrowInternal(err, "EVENT-BpbQZ", "unable to unmarshal event")