From 19824d693cad2800d38e49bb45035feb3e151239 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 12 Dec 2020 21:00:35 +0100
Subject: [PATCH] core: fix permission check for applications API

---
authentik/core/api/applications.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index 8dab69299..b528fac54 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -1,7 +1,10 @@
 """Application API Views"""
 from django.db.models import QuerySet
+from django.http.response import Http404
+from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import SerializerMethodField
+from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
@@ -71,8 +74,12 @@ class ApplicationViewSet(ModelViewSet):
     @action(detail=True)
     def metrics(self, request: Request, slug: str):
         """Metrics for application logins"""
-        # TODO: Check app read and audit read perms
-        app = Application.objects.get(slug=slug)
+        app = get_object_or_404(
+            get_objects_for_user(request.user, "authentik_core.view_application"),
+            slug=slug,
+        )
+        if not request.user.has_perm("authentik_audit.view_event"):
+            raise Http404
         return Response(
             get_events_per_1h(
                 action=EventAction.AUTHORIZE_APPLICATION,
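Review bot: The docstring of `metrics` still reads only "Metrics for application logins", so the authorization contract the new lines enforce is undocumented now that the TODO has been removed; a reader cannot tell from the signature that two distinct permissions are required or that both refusals are masked as 404. I would extend it to `"""Metrics for application logins; requires view_application on the app and the global view_event permission, otherwise 404"""`. Note that `has_perm("authentik_audit.view_event")` is called without an object, so it is a model-level check — a user granted view_event only on individual event objects (if such grants are used here, which this hunk does not show) is refused, which is the safe default but worth stating in that docstring. As a minor ordering point, the cheap `has_perm` test could run before the `get_objects_for_user` query so an unauthorized caller never triggers the object lookup. The body of `metrics` continues past the end of the hunk.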