diff --git a/internal/daemon/controller/handlers/groups/group_service.go b/internal/daemon/controller/handlers/groups/group_service.go index 3b9ba62986..2e2dc62c02 100644 --- a/internal/daemon/controller/handlers/groups/group_service.go +++ b/internal/daemon/controller/handlers/groups/group_service.go @@ -114,10 +114,6 @@ func (s Service) ListGroups(ctx context.Context, req *pbs.ListGroupsRequest) (*p if err != nil { return nil, err } - // If no scopes match, return an empty response - if len(scopeIds) == 0 { - return &pbs.ListGroupsResponse{}, nil - } pageSize := int(s.maxPageSize) // Use the requested page size only if it is smaller than diff --git a/internal/daemon/controller/handlers/groups/group_service_test.go b/internal/daemon/controller/handlers/groups/group_service_test.go index 434ebe20ce..0418b7a915 100644 --- a/internal/daemon/controller/handlers/groups/group_service_test.go +++ b/internal/daemon/controller/handlers/groups/group_service_test.go @@ -801,6 +801,28 @@ func TestListPagination(t *testing.T) { protocmp.IgnoreFields(&pbs.ListGroupsResponse{}, "list_token"), ), ) + + // Create unauthenticated user + unauthAt := authtoken.TestAuthToken(t, conn, kms, oWithGroups.GetPublicId()) + unauthR := iam.TestRole(t, conn, pWithGroups.GetPublicId()) + _ = iam.TestUserRole(t, conn, unauthR.GetPublicId(), unauthAt.GetIamUserId()) + + // Make a request with the unauthenticated user, + // ensure the response is 403 forbidden. + requestInfo = authpb.RequestInfo{ + TokenFormat: uint32(auth.AuthTokenTypeBearer), + PublicId: unauthAt.GetPublicId(), + Token: unauthAt.GetToken(), + } + requestContext = context.WithValue(context.Background(), requests.ContextRequestInformationKey, &requests.RequestContext{}) + ctx = auth.NewVerifierContext(requestContext, iamRepoFn, tokenRepoFn, serversRepoFn, kms, &requestInfo) + + _, err = a.ListGroups(ctx, &pbs.ListGroupsRequest{ + ScopeId: "global", + Recursive: true, + }) + require.Error(t, err) + assert.Equal(t, handlers.ForbiddenError(), err) } func TestDelete(t *testing.T) {