Incorporate requested changes

Co-authored-by: Julian Koberg <[email protected]>
Co-authored-by: Ralf Haferkamp <[email protected]>
Co-authored-by: Michael Barz <[email protected]>
Signed-off-by: Christian Richter <[email protected]>

services/graph/pkg/service/v0/users.go

@@ -319,8 +319,6 @@ func (g Graph) PostUser(w http.ResponseWriter, r *http.Request) {
 		u.SetUserType("Member")
 	}
 
-	userLang := u.GetPreferredLanguage()
-
 	logger.Debug().Interface("user", u).Msg("calling create user on backend")
 	if u, err = g.identityBackend.CreateUser(r.Context(), *u); err != nil {
 		logger.Error().Err(err).Msg("could not create user: backend error")
@@ -343,28 +341,6 @@ func (g Graph) PostUser(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if userLang != "" {
-		_, err = g.valueService.SaveValue(r.Context(), &settings.SaveValueRequest{
-			Value: &settingsmsg.Value{
-				BundleId:    defaults.BundleUUIDProfile,
-				SettingId:   defaults.SettingUUIDProfileLanguage,
-				AccountUuid: u.GetId(),
-				Resource: &settingsmsg.Resource{
-					Type: settingsmsg.Resource_TYPE_USER,
-				},
-				Value: &settingsmsg.Value_ListValue{
-					ListValue: &settingsmsg.ListValue{Values: []*settingsmsg.ListOptionValue{
-						{
-							Option: &settingsmsg.ListOptionValue_StringValue{
-								StringValue: userLang,
-							},
-						},
-					}},
-				},
-			},
-		})
-	}
-
 	e := events.UserCreated{UserID: *u.Id}
 	if currentUser, ok := revactx.ContextGetUser(r.Context()); ok {
 		e.Executant = currentUser.GetId()
@@ -713,6 +689,12 @@ func (g Graph) PatchUser(w http.ResponseWriter, r *http.Request) {
 			fmt.Sprintf("invalid request body: %s", err.Error()))
 		return
 	}
+	if _, ok := changes.GetPreferredLanguageOk(); ok {
+		logger.Info().Interface("user", changes).Msg("could not update user: user is not allowed to change other users language")
+		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "user is not allowed to change other users language")
+		return
+	}
+
 	g.patchUser(w, r, nameOrID, changes)
 }
 

services/settings/pkg/service/v0/service.go

@@ -274,8 +274,7 @@ func (g Service) RemoveSettingFromBundle(ctx context.Context, req *settingssvc.R
 // SaveValue implements the ValueServiceHandler interface
 func (g Service) SaveValue(ctx context.Context, req *settingssvc.SaveValueRequest, res *settingssvc.SaveValueResponse) error {
 	req.Value.AccountUuid = getValidatedAccountUUID(ctx, req.Value.AccountUuid)
-	ctxUser, _ := metadata.Get(ctx, middleware.AccountID)
-	if !g.isCurrentUser(ctx, req.Value.AccountUuid) && !g.isAdmin(ctxUser) {
+	if !g.isCurrentUser(ctx, req.Value.AccountUuid) {
 		return merrors.Forbidden(g.id, "can't save value for another user")
 	}
 
@@ -296,20 +295,6 @@ func (g Service) SaveValue(ctx context.Context, req *settingssvc.SaveValueReques
 	return nil
 }
 
-func (g Service) isAdmin(userId string) bool {
-	assignedRoles, err := g.manager.ListRoleAssignments(userId)
-	if err != nil {
-		return false
-	}
-	for _, role := range assignedRoles {
-		if role.RoleId == defaults.BundleUUIDRoleAdmin {
-			return true
-		}
-	}
-	return false
-
-}
-
 // GetValue implements the ValueServiceHandler interface
 func (g Service) GetValue(ctx context.Context, req *settingssvc.GetValueRequest, res *settingssvc.GetValueResponse) error {
 	if validationError := validateGetValue(req); validationError != nil {
@@ -330,8 +315,7 @@ func (g Service) GetValue(ctx context.Context, req *settingssvc.GetValueRequest,
 // GetValueByUniqueIdentifiers implements the ValueService interface
 func (g Service) GetValueByUniqueIdentifiers(ctx context.Context, req *settingssvc.GetValueByUniqueIdentifiersRequest, res *settingssvc.GetValueResponse) error {
 	req.AccountUuid = getValidatedAccountUUID(ctx, req.AccountUuid)
-	ctxUser, _ := metadata.Get(ctx, middleware.AccountID)
-	if !g.isCurrentUser(ctx, req.AccountUuid) && !g.isAdmin(ctxUser) {
+	if !g.isCurrentUser(ctx, req.AccountUuid) {
 		return merrors.Forbidden(g.id, "can't get value of another user")
 	}
 	if validationError := validateGetValueByUniqueIdentifiers(req); validationError != nil {