core: show users and groups when user has overall user permissions

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-05-05 01:02:47 +02:00 · 2021-05-05 01:02:47 +02:00 · 1a02049104
parent 32934fcd38
commit 1a02049104
4 changed files with 42 additions and 4 deletions
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -1,7 +1,9 @@
 """Groups API Viewset"""
+from django.db.models.query import QuerySet
 from rest_framework.fields import JSONField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter

 from authentik.core.api.utils import is_dict
 from authentik.core.models import Group
@ -26,3 +28,16 @@ class GroupViewSet(ModelViewSet):
    search_fields = ["name", "is_superuser"]
    filterset_fields = ["name", "is_superuser"]
    ordering = ["name"]
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectPermissionsFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def filter_queryset(self, queryset):
+        if self.request.user.has_perm("authentik_core.view_group"):
+            return self._filter_queryset_for_list(queryset)
+        return super().filter_queryset(queryset)
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,6 +1,7 @@
 """User API Views"""
 from json import loads

+from django.db.models.query import QuerySet
 from django.http.response import Http404
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
@ -19,6 +20,7 @@ from rest_framework.serializers import (
    ValidationError,
 )
 from rest_framework.viewsets import ModelViewSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter

 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
@ -185,3 +187,16 @@ class UserViewSet(ModelViewSet):
            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
        )
        return Response({"link": link})
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectPermissionsFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def filter_queryset(self, queryset):
+        if self.request.user.has_perm("authentik_core.view_group"):
+            return self._filter_queryset_for_list(queryset)
+        return super().filter_queryset(queryset)
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -87,7 +87,7 @@ class ConfigLoader:
        if url.scheme == "env":
            value = os.getenv(url.netloc, url.query)
        if url.scheme == "file":
-            with open(url.netloc, 'r') as _file:
+            with open(url.netloc, "r") as _file:
                value = _file.read()
        return value

--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -1,7 +1,7 @@
 """Outpost models"""
 from dataclasses import asdict, dataclass, field
 from datetime import datetime
-from typing import Any, Iterable, Optional, Union
+from typing import Iterable, Optional, Union
 from uuid import uuid4

 from dacite import from_dict
@ -336,7 +336,7 @@ class Outpost(models.Model):
        # the ones the user needs
        with transaction.atomic():
            UserObjectPermission.objects.filter(user=user).delete()
-            Permission.objects.filter(user=user).delete()
+            user.user_permissions.clear()
            for model_or_perm in self.get_required_objects():
                if isinstance(model_or_perm, models.Model):
                    model_or_perm: models.Model
@ -346,7 +346,15 @@ class Outpost(models.Model):
                    )
                    assign_perm(code_name, user, model_or_perm)
                else:
-                    assign_perm(model_or_perm, user)
+                    app_label, perm = model_or_perm.split(".")
+                    permission = Permission.objects.filter(
+                        codename=perm,
+                        content_type__app_label=app_label,
+                    )
+                    if not permission.exists():
+                        LOGGER.warning("permission doesn't exist", perm=model_or_perm)
+                        continue
+                    user.user_permissions.add(permission.first())
            LOGGER.debug("Updated service account's permissions")
        return user