JamesKaz (2d ago)

NextJS B2B Example: Alice able to view/manage user from another organization

Hi, I followed this example, and everything works mostly. (The doc doesn't include ZITADEL_CLIENT_SECRET in the .env, which is needed.) https://zitadel.com/docs/examples/login/nextjs-b2b

However, I have now set up a second project within Demo-Vendor named 'Client A', that has a user that was created on the Demo-Vendor organization. When logging into the provided NextJS application (https://github.com/zitadel/zitadel-nextjs-b2b) as Alice (who is a user of the Demo-Customer organization) and going to 'Manage Team', she is able to see the name of this project and the user listed below, which she can edit. This project was not granted to her and sits within a separate organization.

I went through the code and got to this API call requesting user grants for Alice's organization. For some reason this API call, which uses Alice's organization ID, returns the user in the Demo-Vendor organization. Line 48 of components > UserGrantsTable.tsx:

    const { data: userGrantsResponse, error: orgError } = useSWR(
      org?.id ? `/api/usergrants?orgId=${org.id}` : null,
      (url) => fetcher(url),
    );

Can someone please explain why the user grants API returns a user that is not part of the organization making the call? Thanks
Ask Inkeep (2d ago)
Hi @JamesKaz, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer
I wasn't able to find a direct answer; here are some relevant sources:
1. Retrieve User Roles in ZITADEL: This guide explains how user grants work across organizations and projects, including how Project Grants can expose a project's roles to another organization (1).
2. API call to get all users of an organization with access to a project: Shows an example where users from one organization can have access to projects from another organization through grants, which might explain the cross-organizational visibility you're experiencing (2).

To learn more, see the sources I considered:
[1] Retrieve User Roles in ZITADEL
[2] API call to get all users of an organization with access to a project

Feel free to tag @Ask Inkeep with additional questions.
JamesKaz (OP, 2d ago)
The header for usergrants.ts uses 'x-zitadel-org' instead of 'x-zitadel-orgid', so I think it was just defaulting and using the requesting user, which is the Service User who is part of the Demo-Vendor organization. This explains why projects and users from this organization are showing. If correct, you should either update or remove the NextJS project.
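Added example illustrating the diagnosis above (this is not code from the zitadel-nextjs-b2b repository): the request is scoped with the correct `x-zitadel-orgid` header, and the response is additionally filtered so that any grant from a different organization is separated out and can be logged as a sign the org scoping was ignored. It assumes the Management API endpoint `/management/v1/users/grants/_search`, a response field `orgId` on each grant, and numeric ZITADEL organization IDs.

```typescript
// Correct ZITADEL header; a misspelled header name (e.g. "x-zitadel-org") is
// ignored and the call falls back to the calling service user's organization.
const ORG_HEADER = "x-zitadel-orgid";

// Subset of the user-grant search result (assumed shape, including orgId).
interface UserGrant {
  id: string;
  userId: string;
  orgId: string;     // organization the grant belongs to
  projectId: string;
  roleKeys: string[];
}

interface GrantSearchRequest {
  url: string;
  headers: Record<string, string>;
  body: string;
}

// Build the Management API search request scoped to a single organization.
// Org IDs are validated as numeric strings (assumption) before use.
function buildUserGrantSearch(apiBase: string, token: string, orgId: string): GrantSearchRequest {
  if (!/^\d+$/.test(orgId)) throw new Error(`invalid orgId: ${orgId}`);
  return {
    url: `${apiBase}/management/v1/users/grants/_search`,
    headers: {
      authorization: `Bearer ${token}`,
      "content-type": "application/json",
      [ORG_HEADER]: orgId,
    },
    body: JSON.stringify({ query: { offset: 0, limit: 100, asc: true } }),
  };
}

// Defence in depth for the API route: keep only grants that belong to the
// requested organization and return the rest separately, so a wrong or missing
// header cannot silently expose another tenant's users in the UI.
function filterGrantsForOrg(grants: UserGrant[], orgId: string): { ok: UserGrant[]; leaked: UserGrant[] } {
  const ok: UserGrant[] = [];
  const leaked: UserGrant[] = [];
  for (const g of grants) (g.orgId === orgId ? ok : leaked).push(g);
  return { ok, leaked };
}

// Constructed sample: a response as it would look when the header was ignored
// (Alice's org is "200"; the vendor user from org "100" should not be there).
const SAMPLE_GRANTS: UserGrant[] = [
  { id: "1", userId: "u-alice", orgId: "200", projectId: "p-app", roleKeys: ["reader"] },
  { id: "2", userId: "u-vendor", orgId: "100", projectId: "p-client-a", roleKeys: ["admin"] },
];
```

In the API route, call `filterGrantsForOrg` on the parsed response and return only `ok`, logging `leaked` when it is non-empty.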