From a91a8f44d3dfa9130b9f4a1c8f71dee7b8a42131 Mon Sep 17 00:00:00 2001
From: Arvindh <30824765+arvindh123@users.noreply.github.com>
Date: Thu, 19 Oct 2023 23:21:03 +0530
Subject: [PATCH] Fix: user and things authz (#1941)
Signed-off-by: Arvindh
---
 things/service.go | 3 ++-
 users/service.go | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/things/service.go b/things/service.go
index 0d8c8abe..83620924 100644
--- a/things/service.go
+++ b/things/service.go
@@ -25,6 +25,7 @@ const (
 userType = "user"
 tokenKind = "token"
+ userKind = "users"
 thingType = "thing"
 groupType = "group"
 )
@@ -143,7 +144,7 @@ func (svc service) ListClients(ctx context.Context, token string, reqUserID stri
 switch {
 case (reqUserID != "" && reqUserID != userID):
- if _, err := svc.authorize(ctx, userType, tokenKind, userID, ownerPermission, userType, reqUserID); err != nil {
+ if _, err := svc.authorize(ctx, userType, userKind, userID, ownerRelation, userType, reqUserID); err != nil {
 return mfclients.ClientsPage{}, err
 }
 rtids, err := svc.listClientIDs(ctx, reqUserID, pm.Permission)
diff --git a/users/service.go b/users/service.go
index 7491e147..4dac28c7 100644
--- a/users/service.go
+++ b/users/service.go
@@ -22,6 +23,7 @@ const (
 userKind = "users"
 tokenKind = "token"
 thingsKind = "things"
+ groupsKind = "groups"
 userType = "user"
 groupType = "group"
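Review bot: The ListClients authorization call now passes `ownerRelation` in the argument slot that previously held `ownerPermission`, and nothing in the hunk explains why a relation name is valid where a permission was expected; neither constant's definition is visible here. This check is the only gate shown before `listClientIDs(ctx, reqUserID, pm.Permission)` lists another user's things, so a comment above the `if` would help, e.g. `// the caller (userID) must hold the owner relation on reqUserID before that user's things are listed`. A regression test in which a non-owner supplies a different reqUserID and receives the authorize error would pin the fix. The switch and the rest of ListClients continue outside the hunk.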
@@ -385,14 +386,19 @@ func (svc service) changeClientStatus(ctx context.Context, token string, client
 func (svc service) ListMembers(ctx context.Context, token, objectKind string, objectID string, pm mfclients.Page) (mfclients.MembersPage, error) {
 var objectType string
+ var authzPerm string
 switch objectKind {
 case thingsKind:
 objectType = thingType
+ authzPerm = pm.Permission
+ case groupsKind:
+ fallthrough
 default:
 objectType = groupType
+ authzPerm = auth.SwitchToPermission(pm.Permission)
 }
- if _, err := svc.authorize(ctx, userType, tokenKind, token, auth.SwitchToPermission(pm.Permission), objectType, objectID); err != nil {
+ if _, err := svc.authorize(ctx, userType, tokenKind, token, authzPerm, objectType, objectID); err != nil {
 return mfclients.MembersPage{}, err
 }
 uids, err := svc.auth.ListAllSubjects(ctx, &mainflux.ListSubjectsReq{
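Review bot: In ListMembers the `default:` branch still treats any unrecognised objectKind as a group, so the new `case groupsKind: fallthrough` adds no behaviour and an unexpected kind is authorized against `groupType` instead of being rejected. If objectKind can come from the request (not visible here), failing closed is safer: give `case groupsKind:` the two group assignments and make the fallback `default: return mfclients.MembersPage{}, errUnsupportedObjectKind` (placeholder name for whatever error the package already uses). Separately, the things branch now passes `pm.Permission` to authorize unconverted; it appears to be caller-supplied, so it is worth confirming that it is validated and non-empty before it reaches this check. The function body continues past the end of the hunk.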