fix: correct required permissions on admin APIs

# Which Problems Are Solved

ZITADEL's Admin API, intended for managing ZITADEL instances, contains 12 HTTP endpoints that are unexpectedly accessible to authenticated ZITADEL users who are not ZITADEL managers. The most critical vulnerable endpoints relate to LDAP configuration:
- /idps/ldap
- /idps/ldap/{id}

By accessing these endpoints, unauthorized users could:
- Modify ZITADEL's instance LDAP settings, redirecting all LDAP login attempts to a malicious server, effectively taking over user accounts.
- Expose the original LDAP server's password, potentially compromising all user accounts.

The following endpoints are also affected by IDOR vulnerabilities, potentially allowing unauthorized modification of instance settings such as languages, labels, and templates:
- /idps/templates/_search
- /idps/templates/{id}
- /policies/label/_activate
- /policies/label/logo
- /policies/label/logo_dark
- /policies/label/icon
- /policies/label/icon_dark
- /policies/label/font
- /text/message/passwordless_registration/{language}
- /text/login/{language}

Please check out https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x for more information.

# How the Problems Are Solved

- Required permissions have been fixed (only instance level allowed)

# Additional Changes

None

# Additional Context

- resolves https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x

(cherry picked from commit d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4)
Livio Spring 2025-03-04 08:49:02 +01:00
parent c6a9665b2b
commit e399d90f6f
No known key found for this signature in database
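As an added example (not code from ZITADEL or from this commit), here is the kind of guard a reviewer would ask for alongside a fix like this: a Go check that isolates the `service AdminService { ... }` block of a .proto file, tracks the enclosing rpc, and reports every `auth_option` permission that is not instance-scoped. The embedded proto text, the rpc names and the allowed set (an `iam.` prefix, plus the explicit `authenticated` opt-out) are constructed assumptions for the demonstration, not the real admin.proto or its exact rule set.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleProto is a constructed, trimmed-down AdminService in the shape of the
// hunks in this commit. The rpc names are made up for the example; the second
// service shows that org-level permissions elsewhere are not flagged.
const sampleProto = `
service AdminService {
  rpc ListIDPs(ListIDPsRequest) returns (ListIDPsResponse) {
    option (google.api.http) = { post: "/idps/templates/_search" };
    option (zitadel.v1.auth_option) = {
      permission: "org.idp.read"
    };
  }
  rpc UpdateLDAPProvider(UpdateLDAPProviderRequest) returns (UpdateLDAPProviderResponse) {
    option (zitadel.v1.auth_option) = {
      permission: "iam.idp.write"
    };
  }
  rpc ActivateLabelPolicy(ActivateLabelPolicyRequest) returns (ActivateLabelPolicyResponse) {
    option (zitadel.v1.auth_option) = {
      permission: "policy.write"
    };
  }
  rpc Healthz(HealthzRequest) returns (HealthzResponse) {
    option (zitadel.v1.auth_option) = {
      permission: "authenticated"
    };
  }
}

service ManagementService {
  rpc ListOrgIDPs(ListOrgIDPsRequest) returns (ListOrgIDPsResponse) {
    option (zitadel.v1.auth_option) = {
      permission: "org.idp.read"
    };
  }
}
`

// Violation is one auth_option in AdminService that is not an instance-level permission.
type Violation struct {
	RPC        string
	Permission string
}

var (
	rpcRe        = regexp.MustCompile(`^\s*rpc\s+(\w+)\s*\(`)
	permissionRe = regexp.MustCompile(`^\s*permission:\s*"([^"]*)"`)
)

// serviceBlock returns the text of `service <name> { ... }` by brace matching,
// or "" when the service is not defined in the file.
func serviceBlock(proto, name string) string {
	start := strings.Index(proto, "service "+name+" {")
	if start < 0 {
		return ""
	}
	depth := 0
	for i := start; i < len(proto); i++ {
		switch proto[i] {
		case '{':
			depth++
		case '}':
			depth--
			if depth == 0 {
				return proto[start : i+1]
			}
		}
	}
	return proto[start:] // unterminated block: return what is there
}

// instanceLevel is the assumed rule for the Admin API: instance-scoped
// permissions carry the "iam." prefix, and "authenticated" is the explicit
// opt-out for endpoints any logged-in user may call.
func instanceLevel(perm string) bool {
	return perm == "authenticated" || strings.HasPrefix(perm, "iam.")
}

// FindAdminServiceViolations scans the AdminService definition line by line,
// remembers the enclosing rpc, and reports every permission that is not
// instance level, in file order.
func FindAdminServiceViolations(proto string) []Violation {
	var out []Violation
	rpc := "<unknown>"
	for _, line := range strings.Split(serviceBlock(proto, "AdminService"), "\n") {
		if m := rpcRe.FindStringSubmatch(line); m != nil {
			rpc = m[1]
			continue
		}
		if m := permissionRe.FindStringSubmatch(line); m != nil && !instanceLevel(m[1]) {
			out = append(out, Violation{RPC: rpc, Permission: m[1]})
		}
	}
	return out
}

func main() {
	for _, v := range FindAdminServiceViolations(sampleProto) {
		fmt.Printf("%s: permission %q is not instance level (expected iam.* prefix)\n", v.RPC, v.Permission)
	}
}
```

Run against the real admin service .proto file from a Go test or a pre-commit step, a non-empty result fails the build, so a new rpc that reintroduces an org-scoped permission on an instance endpoint is caught before review rather than in a security advisory.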


@ -1715,7 +1715,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.read"
permission: "iam.idp.read"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
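Review bot: no test accompanies this permission change, and the visible context does not show which rpc the option belongs to (by the commit message and line order this is presumably one of the two /idps/templates read endpoints). Suggest an integration test that calls the affected endpoint with an org-manager token and expects PermissionDenied, and with an instance-manager token and expects success; the second case also proves that `iam.idp.read` is actually mapped to the instance roles, otherwise the fix would lock out legitimate admins.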
@ -1732,7 +1732,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.read"
permission: "iam.idp.read"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@ -2092,7 +2092,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
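Review bot: this is the first of the two LDAP write endpoints (presumably /idps/ldap), the ones the commit message says could expose the LDAP server's password. Changing `org.idp.write` to `iam.idp.write` stops further access but does nothing for deployments where the password was already read; the advisory or release notes should tell operators to rotate the LDAP bind credential after upgrading.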
@ -2110,7 +2110,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
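Review bot: for the second LDAP hunk (presumably /idps/ldap/{id}), the commit message describes redirecting logins to a malicious server, and nothing in the fix tells an operator whether that already happened. Suggest the advisory point at the events that record instance IDP changes, so affected instances can review LDAP provider host changes made by non-instance principals before the upgrade.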
@ -2561,7 +2561,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
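Review bot: the root cause visible here is the bare `policy.write`, which (per the commit message) org managers could satisfy on an instance endpoint. Beyond fixing the six occurrences, add a guard so the pattern cannot return: a unit test or proto lint that iterates over every rpc in AdminService and fails on any `auth_option` permission that is not `iam.`-prefixed (or the explicit `authenticated`).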
@ -2578,7 +2578,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@ -2595,7 +2595,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@ -2612,7 +2612,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@ -2629,7 +2629,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@ -2646,7 +2646,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
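Review bot: this completes six identical `policy.write` to `iam.policy.write` replacements, matching the six /policies/label endpoints in the commit message (_activate, logo, logo_dark, icon, icon_dark, font). That list contains only the upload and activate paths; please confirm the corresponding remove-asset rpcs in AdminService already carry an `iam.`-prefixed permission, since they are not touched in this diff.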
@ -3777,7 +3777,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.delete"
permission: "iam.policy.delete"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
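Review bot: this hunk and the next move to `iam.policy.delete`, presumably the two custom-text reset endpoints (/text/message/passwordless_registration/{language} and /text/login/{language}). `iam.policy.delete` is a less common permission than `iam.policy.write`; confirm it is granted to the instance owner role in the role-to-permission mapping, or legitimate instance admins lose the ability to reset these texts.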
@ -3972,7 +3972,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.delete"
permission: "iam.policy.delete"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
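Review bot: since this is a cherry-pick (from d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4, per the commit message) onto a branch whose proto may contain a different set of rpcs, the hunk offsets (here 3972) are not proof that each option landed on the same rpc as upstream. Diff the rpc names surrounding each of the 12 hunks against the upstream commit before merging, so that a shifted line does not leave one of the listed endpoints unfixed and tighten an unrelated one.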