fix: correct user self management on metadata and delete (#10666)

# Which Problems Are Solved This PR fixes the self-management of users for metadata and own removal and improves the corresponding permission checks. While looking into the problems, I also noticed that there's a bug in the metadata mapping when using `api.metadata.push` in actions v1 and that re-adding a previously existing key after its removal was not possible. # How the Problems Are Solved - Added a parameter `allowSelfManagement` to checkPermissionOnUser to not require a permission if a user is changing its own data. - Updated use of `NewPermissionCheckUserWrite` including prevention of self-management for metadata. - Pass permission check to the command side (for metadata functions) to allow it implicitly for login v1 and actions v1. - Use of json.Marshal for the metadata mapping (as with `AppendMetadata`) - Check the metadata state when comparing the value. # Additional Changes - added a variadic `roles` parameter to the `CreateOrgMembership` integration test helper function to allow defining specific roles. # Additional Context - noted internally while testing v4.1.x - requires backport to v4.x - closes https://github.com/zitadel/zitadel/issues/10470 - relates to https://github.com/zitadel/zitadel/pull/10426 (cherry picked from commit 5329d50509)
2025-12-06 10:13:16 +00:00 · 2025-09-16 14:26:21 +02:00
parent 389f908041
commit fa83c39510
31 changed files with 695 additions and 208 deletions
--- a/internal/command/permission_checks.go
+++ b/internal/command/permission_checks.go
@@ -39,29 +39,36 @@ func (c *Commands) newPermissionCheck(ctx context.Context, permission string, ag
 	}
 }

-func (c *Commands) checkPermissionOnUser(ctx context.Context, permission string) PermissionCheck {
+func (c *Commands) checkPermissionOnUser(ctx context.Context, permission string, allowSelfManagement bool) PermissionCheck {
 	return func(resourceOwner, aggregateID string) error {
-		if aggregateID != "" && aggregateID == authz.GetCtxData(ctx).UserID {
+		if allowSelfManagement && aggregateID != "" && aggregateID == authz.GetCtxData(ctx).UserID {
 			return nil
 		}
 		return c.newPermissionCheck(ctx, permission, user.AggregateType)(resourceOwner, aggregateID)
 	}
 }

-func (c *Commands) NewPermissionCheckUserWrite(ctx context.Context) PermissionCheck {
-	return c.checkPermissionOnUser(ctx, domain.PermissionUserWrite)
+func (c *Commands) NewPermissionCheckUserWrite(ctx context.Context, allowSelfManagement bool) PermissionCheck {
+	return c.checkPermissionOnUser(ctx, domain.PermissionUserWrite, allowSelfManagement)
 }

 func (c *Commands) checkPermissionDeleteUser(ctx context.Context, resourceOwner, userID string) error {
-	return c.checkPermissionOnUser(ctx, domain.PermissionUserDelete)(resourceOwner, userID)
+	err := c.checkPermissionOnUser(ctx, domain.PermissionUserDelete, false)(resourceOwner, userID)
+	if err == nil {
+		return nil
+	}
+	if userID != authz.GetCtxData(ctx).UserID {
+		return err
+	}
+	return c.checkPermissionOnUser(ctx, domain.PermissionUserDeleteSelf, false)(resourceOwner, userID)
 }

-func (c *Commands) checkPermissionUpdateUser(ctx context.Context, resourceOwner, userID string) error {
-	return c.NewPermissionCheckUserWrite(ctx)(resourceOwner, userID)
+func (c *Commands) checkPermissionUpdateUser(ctx context.Context, resourceOwner, userID string, allowSelfManagement bool) error {
+	return c.NewPermissionCheckUserWrite(ctx, allowSelfManagement)(resourceOwner, userID)
 }

 func (c *Commands) checkPermissionUpdateUserCredentials(ctx context.Context, resourceOwner, userID string) error {
-	return c.checkPermissionOnUser(ctx, domain.PermissionUserCredentialWrite)(resourceOwner, userID)
+	return c.checkPermissionOnUser(ctx, domain.PermissionUserCredentialWrite, true)(resourceOwner, userID)
 }

 func (c *Commands) checkPermissionCreateProject(ctx context.Context, resourceOwner, projectID string) error {