Gayathri Vijayan ad9cc03d57 fix(user): auth option while listing user metadata (#10968) ...

# Which Problems Are Solved

A user from `org A` with `ORG_USER_MANAGER` role in `org B` is unable to
list user metadata for a user in `org B`.

# How the Problems Are Solved

The `auth.option` is set to a specific permission (`user.read`) in the
API definition of `ListUserMetadata`, which causes the interceptors to
check for this specific permission. In this case, there is no specific
check for org membership of a user (from org A) in a target organization
(org B), and hence the call fails even though the user has the necessary
permissions.

This has been fixed by setting the `auth.option` to `authenticated`, and
the necessary [permission checks are handled in the
query-layer](https://github.com/zitadel/zitadel/blob/main/internal/query/user_metadata.go#L173).

# Additional Changes
N/A

# Additional Context
- Closes #10925

---------

Co-authored-by: Marco A. <marco@zitadel.com>
(cherry picked from commit 196eaa84d2)

2025-10-28 15:08:44 +01:00

..

zitadel

fix(user): auth option while listing user metadata (#10968)

2025-10-28 15:08:44 +01:00

buf.lock

chore(console): buf stub build (#5215)

2023-02-17 14:09:11 +00:00

buf.yaml

fix: query organization directly from event store (#10463)

2025-08-12 11:47:00 +02:00