Access: Fetch fresh permissions for target GlobalOrgID in AuthorizeInOrgMiddleware (#76569)

fetch fresh permissions for global in AuthorizeInOrgMiddleware Update pkg/services/accesscontrol/authorize_in_org_test.go do not load viewer permissions in global ID
2025-02-25 18:55:37 -06:00 · 2023-10-13 20:01:47 +02:00
parent 335b73d9ae
commit 48ef88aed7
3 changed files with 50 additions and 17 deletions
--- a/pkg/services/accesscontrol/middleware.go
+++ b/pkg/services/accesscontrol/middleware.go
@@ -190,19 +190,26 @@ func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache
 				return
 			}

-			if targetOrgID != GlobalOrgID && userCopy.Permissions[targetOrgID] == nil {
-				query := user.GetSignedInUserQuery{UserID: c.UserID, OrgID: targetOrgID}
-				queryResult, err := cache.GetSignedInUserWithCacheCtx(c.Req.Context(), &query)
-				if err != nil {
-					deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
-					return
+			if userCopy.OrgID != targetOrgID {
+				switch targetOrgID {
+				case GlobalOrgID:
+					userCopy.OrgID = GlobalOrgID
+					userCopy.OrgRole = org.RoleNone
+					userCopy.OrgName = ""
+				default:
+					query := user.GetSignedInUserQuery{UserID: c.UserID, OrgID: targetOrgID}
+					queryResult, err := cache.GetSignedInUserWithCacheCtx(c.Req.Context(), &query)
+					if err != nil {
+						deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
+						return
+					}
+					userCopy.OrgID = queryResult.OrgID
+					userCopy.OrgName = queryResult.OrgName
+					userCopy.OrgRole = queryResult.OrgRole
 				}
-				userCopy.OrgID = queryResult.OrgID
-				userCopy.OrgName = queryResult.OrgName
-				userCopy.OrgRole = queryResult.OrgRole
 			}

-			if userCopy.Permissions[userCopy.OrgID] == nil {
+			if userCopy.Permissions[targetOrgID] == nil {
 				permissions, err := service.GetUserPermissions(c.Req.Context(), &userCopy, Options{})
 				if err != nil {
 					deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
@@ -212,7 +219,7 @@ func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache
 				if userCopy.Permissions == nil {
 					userCopy.Permissions = make(map[int64]map[string][]string)
 				}
-				userCopy.Permissions[userCopy.OrgID] = GroupScopesByAction(permissions)
+				userCopy.Permissions[targetOrgID] = GroupScopesByAction(permissions)
 			}

 			authorize(c, ac, &userCopy, evaluator)
@@ -221,7 +228,7 @@ func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache
 			if c.SignedInUser.Permissions == nil {
 				c.SignedInUser.Permissions = make(map[int64]map[string][]string)
 			}
-			c.SignedInUser.Permissions[userCopy.OrgID] = userCopy.Permissions[userCopy.OrgID]
+			c.SignedInUser.Permissions[targetOrgID] = userCopy.Permissions[targetOrgID]
 		}
 	}
 }