mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-24 17:16:38 +00:00
# Which Problems Are Solved

A user from `org A` with `ORG_USER_MANAGER` role in `org B` is unable to list user metadata for a user in `org B`.

# How the Problems Are Solved

The `auth.option` is set to a specific permission (`user.read`) in the API definition of `ListUserMetadata`, which causes the interceptors to check for this specific permission. In this case, there is no specific check for org membership of a user (from org A) in a target organization (org B), and hence the call fails even though the user has the necessary permissions.

This has been fixed by setting the `auth.option` to `authenticated`, and the necessary [permission checks are handled in the query-layer](https://github.com/zitadel/zitadel/blob/main/internal/query/user_metadata.go#L173).

# Additional Changes

N/A

# Additional Context

- Closes #10925

---------

Co-authored-by: Marco A. <marco@zitadel.com>
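
The failure mode described in the commit message above, as an added Go example that is not ZITADEL's code: a simplified model in which the up-front check sees only the caller's own organization, while the resource-scoped check uses the organization that owns the requested user. All types, functions and data are hypothetical, and the model assumes that `ORG_USER_MANAGER` includes `user.read`.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model. Every name here is hypothetical, not ZITADEL's code.
type membership struct{ userID, orgID, role string }
type caller struct{ userID, homeOrg string }

var errDenied = errors.New("permission denied")

// Assumption: the ORG_USER_MANAGER role includes user.read.
var rolePerms = map[string]map[string]bool{"ORG_USER_MANAGER": {"user.read": true}}

// Constructed data: alice belongs to org A and manages users in org B.
var memberships = []membership{{"alice", "orgB", "ORG_USER_MANAGER"}}
var userOrg = map[string]string{"alice": "orgA", "bob": "orgB", "mallory": "orgA"}

// hasPermission reports whether userID holds perm via a membership in orgID.
func hasPermission(userID, orgID, perm string) bool {
	for _, m := range memberships {
		if m.userID == userID && m.orgID == orgID && rolePerms[m.role][perm] {
			return true
		}
	}
	return false
}

// listBefore models the up-front check: the target's org is never consulted.
func listBefore(c caller, target string) error {
	if !hasPermission(c.userID, c.homeOrg, "user.read") {
		return errDenied
	}
	return nil
}

// listAfter models the fix: the entry point requires authentication only and
// the permission is evaluated against the org that owns the requested user.
func listAfter(c caller, target string) error {
	if c.userID == "" || !hasPermission(c.userID, userOrg[target], "user.read") {
		return errDenied
	}
	return nil
}

func main() {
	alice := caller{"alice", "orgA"}
	fmt.Println(listBefore(alice, "bob"), listAfter(alice, "bob")) // permission denied <nil>
}
```

Relaxing the entry-point requirement to authentication does not widen access in this model: a caller without a membership in the target user's organization is still denied by the resource-scoped check.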