TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-07-16 21:28:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/command/permission_checks.go
Elio Bischof 898366c537
fix: allow user self deletion (#9828) 
# Which Problems Are Solved

Currently, users can't delete themselves using the V2 RemoveUser API
because of the redunant API middleware permission check.

On main, using a machine user PAT to delete the same machine user:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: NotFound
  Message: membership not found (AUTHZ-cdgFk)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTHZ-cdgFk",
    	  "message": "membership not found"
    	}
```

Same on this PRs branch:

```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
{
  "details": {
    "sequence": "3",
    "changeDate": "2025-05-06T13:44:54.349048Z",
    "resourceOwner": "318838541083804033"
  }
}
```

Repeated call
```bash
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"userId": "318838604669387137"}' localhost:8080 zitadel.user.v2.UserService.DeleteUser
ERROR:
  Code: Unauthenticated
  Message: Errors.Token.Invalid (AUTH-7fs1e)
  Details:
  1)	{
    	  "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
    	  "id": "AUTH-7fs1e",
    	  "message": "Errors.Token.Invalid"
    	}
```

# How the Problems Are Solved

The middleware permission check is disabled and the
domain.PermissionCheck is used exclusively.

# Additional Changes

A new type command.PermissionCheck allows to optionally accept a
permission check for commands, so APIs with middleware permission checks
can omit redundant permission checks by passing nil while APIs without
middleware permission checks can pass one to the command.

# Additional Context

This is a subtask of #9763

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-05-07 15:24:24 +02:00

61 lines
2.3 KiB
Go
Raw Blame History

package command
import (
"context"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/v2/user"
"github.com/zitadel/zitadel/internal/zerrors"
)
type PermissionCheck func(resourceOwner, aggregateID string) error
func (c *Commands) newPermissionCheck(ctx context.Context, permission string, aggregateType eventstore.AggregateType) PermissionCheck {
return func(resourceOwner, aggregateID string) error {
if aggregateID == "" {
return zerrors.ThrowInternal(nil, "COMMAND-ulBlS", "Errors.IDMissing")
}
// For example if a write model didn't query any events, the resource owner is probably empty.
// In this case, we have to query an event on the given aggregate to get the resource owner.
if resourceOwner == "" {
r := NewResourceOwnerModel(authz.GetInstance(ctx).InstanceID(), aggregateType, aggregateID)
err := c.eventstore.FilterToQueryReducer(ctx, r)
if err != nil {
return err
}
resourceOwner = r.resourceOwner
}
if resourceOwner == "" {
return zerrors.ThrowNotFound(nil, "COMMAND-4g3xq", "Errors.NotFound")
}
return c.checkPermission(ctx, permission, resourceOwner, aggregateID)
}
}
func (c *Commands) checkPermissionOnUser(ctx context.Context, permission string) PermissionCheck {
return func(resourceOwner, aggregateID string) error {
if aggregateID != "" && aggregateID == authz.GetCtxData(ctx).UserID {
return nil
}
return c.newPermissionCheck(ctx, permission, user.AggregateType)(resourceOwner, aggregateID)
}
}
func (c *Commands) NewPermissionCheckUserWrite(ctx context.Context) PermissionCheck {
return c.checkPermissionOnUser(ctx, domain.PermissionUserWrite)
}
func (c *Commands) checkPermissionDeleteUser(ctx context.Context, resourceOwner, userID string) error {
return c.checkPermissionOnUser(ctx, domain.PermissionUserDelete)(resourceOwner, userID)
}
func (c *Commands) checkPermissionUpdateUser(ctx context.Context, resourceOwner, userID string) error {
return c.NewPermissionCheckUserWrite(ctx)(resourceOwner, userID)
}
func (c *Commands) checkPermissionUpdateUserCredentials(ctx context.Context, resourceOwner, userID string) error {
return c.checkPermissionOnUser(ctx, domain.PermissionUserCredentialWrite)(resourceOwner, userID)
}
Reference in New Issue View Git Blame Copy Permalink