mirror of
https://github.com/zitadel/zitadel.git
synced 2025-03-01 02:37:23 +00:00
9aad207ee4
# Which Problems Are Solved When running `ListUsers()` with no permissions, the calling user shoud be returned # How the Problems Are Solved Added additional clause to SQL search statement # Additional Changes n/a # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9355 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
53 lines
2.1 KiB
Go
53 lines
2.1 KiB
Go
package query
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
sq "github.com/Masterminds/squirrel"
|
|
"github.com/zitadel/logging"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
)
|
|
|
|
const (
|
|
// eventstore.permitted_orgs(instanceid text, userid text, perm text, filter_orgs text)
|
|
wherePermittedOrgsClause = "%s = ANY(eventstore.permitted_orgs(?, ?, ?, ?))"
|
|
wherePermittedOrgsOrCurrentUserClause = "(" + wherePermittedOrgsClause + " OR %s = ?" + ")"
|
|
)
|
|
|
|
// wherePermittedOrgs sets a `WHERE` clause to the query that filters the orgs
|
|
// for which the authenticated user has the requested permission for.
|
|
// The user ID is taken from the context.
|
|
//
|
|
// The `orgIDColumn` specifies the table column to which this filter must be applied,
|
|
// and is typically the `resource_owner` column in ZITADEL.
|
|
// We use full identifiers in the query builder so this function should be
|
|
// called with something like `UserResourceOwnerCol.identifier()` for example.
|
|
func wherePermittedOrgs(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, permission string) sq.SelectBuilder {
|
|
userID := authz.GetCtxData(ctx).UserID
|
|
logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "permission", permission, "user_id", userID).Debug("permitted orgs check used")
|
|
|
|
return query.Where(
|
|
fmt.Sprintf(wherePermittedOrgsClause, orgIDColumn),
|
|
authz.GetInstance(ctx).InstanceID(),
|
|
userID,
|
|
permission,
|
|
filterOrgIds,
|
|
)
|
|
}
|
|
|
|
func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder, filterOrgIds, orgIDColumn, userIdColum, permission string) sq.SelectBuilder {
|
|
userID := authz.GetCtxData(ctx).UserID
|
|
logging.WithFields("permission_check_v2_flag", authz.GetFeatures(ctx).PermissionCheckV2, "org_id_column", orgIDColumn, "user_id_colum", userIdColum, "permission", permission, "user_id", userID).Debug("permitted orgs check used")
|
|
|
|
return query.Where(
|
|
fmt.Sprintf(wherePermittedOrgsOrCurrentUserClause, orgIDColumn, userIdColum),
|
|
authz.GetInstance(ctx).InstanceID(),
|
|
userID,
|
|
permission,
|
|
filterOrgIds,
|
|
userID,
|
|
)
|
|
}
|