mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 09:32:24 +00:00
fa83c39510
# Which Problems Are Solved
This PR fixes the self-management of users for metadata and own removal
and improves the corresponding permission checks.
While looking into the problems, I also noticed that there's a bug in
the metadata mapping when using `api.metadata.push` in actions v1 and
that re-adding a previously existing key after its removal was not
possible.
# How the Problems Are Solved
- Added a parameter `allowSelfManagement` to checkPermissionOnUser to
not require a permission if a user is changing its own data.
- Updated use of `NewPermissionCheckUserWrite` including prevention of
self-management for metadata.
- Pass permission check to the command side (for metadata functions) to
allow it implicitly for login v1 and actions v1.
- Use of json.Marshal for the metadata mapping (as with
`AppendMetadata`)
- Check the metadata state when comparing the value.
# Additional Changes
- added a variadic `roles` parameter to the `CreateOrgMembership`
integration test helper function to allow defining specific roles.
# Additional Context
- noted internally while testing v4.1.x
- requires backport to v4.x
- closes https://github.com/zitadel/zitadel/issues/10470
- relates to https://github.com/zitadel/zitadel/pull/10426
(cherry picked from commit 5329d50509)
61 lines
1.8 KiB
Go
61 lines
1.8 KiB
Go
package user
|
|
|
|
import (
|
|
"context"
|
|
|
|
"connectrpc.com/connect"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
"github.com/zitadel/zitadel/pkg/grpc/user/v2"
|
|
)
|
|
|
|
func (s *Server) createUserTypeMachine(ctx context.Context, machinePb *user.CreateUserRequest_Machine, orgId, userName, userId string) (*connect.Response[user.CreateUserResponse], error) {
|
|
cmd := &command.Machine{
|
|
Username: userName,
|
|
Name: machinePb.Name,
|
|
Description: machinePb.GetDescription(),
|
|
AccessTokenType: domain.OIDCTokenTypeBearer,
|
|
ObjectRoot: models.ObjectRoot{
|
|
ResourceOwner: orgId,
|
|
AggregateID: userId,
|
|
},
|
|
}
|
|
details, err := s.command.AddMachine(
|
|
ctx,
|
|
cmd,
|
|
nil,
|
|
s.command.NewPermissionCheckUserWrite(ctx, true),
|
|
command.AddMachineWithUsernameToIDFallback(),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return connect.NewResponse(&user.CreateUserResponse{
|
|
Id: cmd.AggregateID,
|
|
CreationDate: timestamppb.New(details.EventDate),
|
|
}), nil
|
|
}
|
|
|
|
func (s *Server) updateUserTypeMachine(ctx context.Context, machinePb *user.UpdateUserRequest_Machine, userId string, userName *string) (*connect.Response[user.UpdateUserResponse], error) {
|
|
cmd := updateMachineUserToCommand(userId, userName, machinePb)
|
|
err := s.command.ChangeUserMachine(ctx, cmd)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return connect.NewResponse(&user.UpdateUserResponse{
|
|
ChangeDate: timestamppb.New(cmd.Details.EventDate),
|
|
}), nil
|
|
}
|
|
|
|
func updateMachineUserToCommand(userId string, userName *string, machine *user.UpdateUserRequest_Machine) *command.ChangeMachine {
|
|
return &command.ChangeMachine{
|
|
ID: userId,
|
|
Username: userName,
|
|
Name: machine.Name,
|
|
Description: machine.Description,
|
|
}
|
|
}
|