fix: memberships (#633)

* feat: add iam members to memberships * fix: search project grants * fix: rename
2025-12-06 15:12:14 +00:00 · 2020-08-25 16:08:51 +02:00
parent 568fa82d10
commit f05c5bae24
9 changed files with 86 additions and 26 deletions
--- a/internal/management/repository/eventsourcing/eventstore/permissions.go
+++ b/internal/management/repository/eventsourcing/eventstore/permissions.go
@@ -3,6 +3,7 @@ package eventstore
 const (
 	projectReadPerm            = "project.read"
 	orgMemberReadPerm          = "org.member.read"
+	iamMemberReadPerm          = "iam.member.read"
 	projectMemberReadPerm      = "project.member.read"
 	projectGrantMemberReadPerm = "project.member.read"
 )
--- a/internal/management/repository/eventsourcing/eventstore/user.go
+++ b/internal/management/repository/eventsourcing/eventstore/user.go
@@ -2,6 +2,7 @@ package eventstore

 import (
 	"context"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	global_model "github.com/caos/zitadel/internal/model"
 	"github.com/caos/zitadel/internal/view/repository"
@@ -18,11 +19,12 @@ import (
 )

 type UserRepo struct {
-	SearchLimit  uint64
-	UserEvents   *usr_event.UserEventstore
-	PolicyEvents *policy_event.PolicyEventstore
-	OrgEvents    *org_event.OrgEventstore
-	View         *view.View
+	SearchLimit    uint64
+	UserEvents     *usr_event.UserEventstore
+	PolicyEvents   *policy_event.PolicyEventstore
+	OrgEvents      *org_event.OrgEventstore
+	View           *view.View
+	SystemDefaults systemdefaults.SystemDefaults
 }

 func (repo *UserRepo) UserByID(ctx context.Context, id string) (*usr_model.UserView, error) {
@@ -220,6 +222,7 @@ func (repo *UserRepo) ChangeAddress(ctx context.Context, address *usr_model.Addr

 func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_model.UserMembershipSearchRequest) (*usr_model.UserMembershipSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
+	request.AppendResourceOwnerAndIamQuery(authz.GetCtxData(ctx).OrgID, repo.SystemDefaults.IamID)
 	sequence, err := repo.View.GetLatestUserMembershipSequence()
 	logging.Log("EVENT-Dn7sf").OnError(err).Warn("could not read latest user sequence")

@@ -235,7 +238,7 @@ func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_mo
 	result = &usr_model.UserMembershipSearchResponse{
 		Offset:      request.Offset,
 		Limit:       request.Limit,
-		TotalResult: uint64(count),
+		TotalResult: count,
 		Result:      model.UserMembershipsToModel(memberships),
 	}
 	if err == nil {
@@ -247,13 +250,16 @@ func (repo *UserRepo) SearchUserMemberships(ctx context.Context, request *usr_mo

 func handleSearchUserMembershipsPermissions(ctx context.Context, request *usr_model.UserMembershipSearchRequest, sequence *repository.CurrentSequence) *usr_model.UserMembershipSearchResponse {
 	permissions := authz.GetAllPermissionsFromCtx(ctx)
+	iamPerm := authz.HasGlobalExplicitPermission(permissions, iamMemberReadPerm)
 	orgPerm := authz.HasGlobalExplicitPermission(permissions, orgMemberReadPerm)
 	projectPerm := authz.HasGlobalExplicitPermission(permissions, projectMemberReadPerm)
 	projectGrantPerm := authz.HasGlobalExplicitPermission(permissions, projectGrantMemberReadPerm)
-	if orgPerm && projectPerm && projectGrantPerm {
+	if iamPerm && orgPerm && projectPerm && projectGrantPerm {
 		return nil
 	}
-
+	if !iamPerm {
+		request.Queries = append(request.Queries, &usr_model.UserMembershipSearchQuery{Key: usr_model.UserMembershipSearchKeyMemberType, Method: global_model.SearchMethodNotEquals, Value: usr_model.MemberTypeIam})
+	}
 	if !orgPerm {
 		request.Queries = append(request.Queries, &usr_model.UserMembershipSearchQuery{Key: usr_model.UserMembershipSearchKeyMemberType, Method: global_model.SearchMethodNotEquals, Value: usr_model.MemberTypeOrganisation})
 	}