TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-06 19:36:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c3fdb991d856bac30ce6a661319c69c48b0145d7
zitadel/internal/api/grpc/management/user_grant.go
Stefan Benz 2dba5fa7fc fix: permission check for actions v1 post creation user grants (#10638) 
# Which Problems Are Solved

Unnecessary default permission check in creating an authorization fails
even if the functionality was called internally.

# How the Problems Are Solved

Move permission check to the proper implementation, so that necessary
permission checks are provided by the responsible API.

# Additional Changes

None

# Additional Context

Closes #10624

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit bdefd9147f)
2025-09-03 16:42:57 +02:00

113 lines
3.9 KiB
Go
Raw Blame History

package management
import (
"context"
"github.com/zitadel/zitadel/internal/api/authz"
obj_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
"github.com/zitadel/zitadel/internal/api/grpc/user"
"github.com/zitadel/zitadel/internal/query"
mgmt_pb "github.com/zitadel/zitadel/pkg/grpc/management"
)
func (s *Server) GetUserGrantByID(ctx context.Context, req *mgmt_pb.GetUserGrantByIDRequest) (*mgmt_pb.GetUserGrantByIDResponse, error) {
idQuery, err := query.NewUserGrantIDSearchQuery(req.GrantId)
if err != nil {
return nil, err
}
ownerQuery, err := query.NewUserGrantResourceOwnerSearchQuery(authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}
grant, err := s.query.UserGrant(ctx, true, idQuery, ownerQuery)
if err != nil {
return nil, err
}
return &mgmt_pb.GetUserGrantByIDResponse{
UserGrant: user.UserGrantToPb(s.assetAPIPrefix(ctx), grant),
}, nil
}
func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) (*mgmt_pb.ListUserGrantResponse, error) {
queries, err := ListUserGrantsRequestToQuery(ctx, req)
if err != nil {
return nil, err
}
res, err := s.query.UserGrants(ctx, queries, false, nil)
if err != nil {
return nil, err
}
return &mgmt_pb.ListUserGrantResponse{
Result: user.UserGrantsToPb(s.assetAPIPrefix(ctx), res.UserGrants),
Details: obj_grpc.ToListDetails(res.Count, res.Sequence, res.LastRun),
}, nil
}
func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) {
grant := AddUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID)
grant, err := s.command.AddUserGrant(ctx, grant, checkExplicitProjectPermission(ctx))
if err != nil {
return nil, err
}
return &mgmt_pb.AddUserGrantResponse{
UserGrantId: grant.AggregateID,
Details: obj_grpc.AddToDetailsPb(
grant.Sequence,
grant.ChangeDate,
grant.ResourceOwner,
),
}, nil
}
func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) {
grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, checkExplicitProjectPermission(ctx))
if err != nil {
return nil, err
}
return &mgmt_pb.UpdateUserGrantResponse{
Details: obj_grpc.ChangeToDetailsPb(
grant.Sequence,
grant.ChangeDate,
grant.ResourceOwner,
),
}, nil
}
func (s *Server) DeactivateUserGrant(ctx context.Context, req *mgmt_pb.DeactivateUserGrantRequest) (*mgmt_pb.DeactivateUserGrantResponse, error) {
objectDetails, err := s.command.DeactivateUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID, nil)
if err != nil {
return nil, err
}
return &mgmt_pb.DeactivateUserGrantResponse{
Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
}, nil
}
func (s *Server) ReactivateUserGrant(ctx context.Context, req *mgmt_pb.ReactivateUserGrantRequest) (*mgmt_pb.ReactivateUserGrantResponse, error) {
objectDetails, err := s.command.ReactivateUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID, nil)
if err != nil {
return nil, err
}
return &mgmt_pb.ReactivateUserGrantResponse{
Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
}, nil
}
func (s *Server) RemoveUserGrant(ctx context.Context, req *mgmt_pb.RemoveUserGrantRequest) (*mgmt_pb.RemoveUserGrantResponse, error) {
objectDetails, err := s.command.RemoveUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID, false, nil)
if err != nil {
return nil, err
}
return &mgmt_pb.RemoveUserGrantResponse{
Details: obj_grpc.DomainToChangeDetailsPb(objectDetails),
}, nil
}
func (s *Server) BulkRemoveUserGrant(ctx context.Context, req *mgmt_pb.BulkRemoveUserGrantRequest) (*mgmt_pb.BulkRemoveUserGrantResponse, error) {
err := s.command.BulkRemoveUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID)
if err != nil {
return nil, err
}
return &mgmt_pb.BulkRemoveUserGrantResponse{}, nil
}
Reference in New Issue View Git Blame Copy Permalink