diff --git a/authentik/flows/api/bindings.py b/authentik/flows/api/bindings.py index 43fbee91a..bda3ab323 100644 --- a/authentik/flows/api/bindings.py +++ b/authentik/flows/api/bindings.py @@ -1,4 +1,7 @@ """Flow Binding API Views""" +from typing import Any + +from rest_framework.exceptions import ValidationError from rest_framework.serializers import ModelSerializer from rest_framework.viewsets import ModelViewSet @@ -12,6 +15,13 @@ class FlowStageBindingSerializer(ModelSerializer): stage_obj = StageSerializer(read_only=True, source="stage") + def validate(self, attrs: dict[str, Any]) -> dict[str, Any]: + evaluate_on_plan = attrs.get("evaluate_on_plan", False) + re_evaluate_policies = attrs.get("re_evaluate_policies", True) + if not evaluate_on_plan and not re_evaluate_policies: + raise ValidationError("Either evaluation on plan or evaluation on run must be enabled") + return super().validate(attrs) + class Meta: model = FlowStageBinding fields = [ diff --git a/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py b/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py new file mode 100644 index 000000000..82924be76 --- /dev/null +++ b/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py @@ -0,0 +1,26 @@ +# Generated by Django 4.1.7 on 2023-02-25 15:51 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("authentik_flows", "0024_flow_authentication"), + ] + + operations = [ + migrations.AlterField( + model_name="flowstagebinding", + name="evaluate_on_plan", + field=models.BooleanField( + default=False, help_text="Evaluate policies during the Flow planning process." + ), + ), + migrations.AlterField( + model_name="flowstagebinding", + name="re_evaluate_policies", + field=models.BooleanField( + default=True, help_text="Evaluate policies when the Stage is present to the user." + ), + ), + ] 
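Review bot: In `validate`, the fallbacks in `attrs.get("evaluate_on_plan", False)` and `attrs.get("re_evaluate_policies", True)` are the new model defaults rather than the stored values, so on a partial update an omitted field is judged as if it held its default. A PATCH that sends only `evaluate_on_plan: false` for a binding whose stored `re_evaluate_policies` is already false passes the check and leaves both flags off, the state the removed form help text in this commit describes as policies not being evaluated; the reverse case is rejected even though the resulting state would be valid. Fall back to the instance when there is one: `evaluate_on_plan = attrs.get("evaluate_on_plan", getattr(self.instance, "evaluate_on_plan", False))`, and the same for `re_evaluate_policies` with `True`. A one-line docstring stating the invariant (at least one evaluation point stays enabled) would also help; the serializer class continues outside the hunk.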
diff --git a/authentik/flows/models.py b/authentik/flows/models.py index 598839519..7646faeb9 100644 --- a/authentik/flows/models.py +++ b/authentik/flows/models.py @@ -211,14 +211,11 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel): stage = InheritanceForeignKey(Stage, on_delete=models.CASCADE) evaluate_on_plan = models.BooleanField( - default=True, - help_text=_( - "Evaluate policies during the Flow planning process. " - "Disable this for input-based policies." - ), + default=False, + help_text=_("Evaluate policies during the Flow planning process."), ) re_evaluate_policies = models.BooleanField( - default=False, + default=True, help_text=_("Evaluate policies when the Stage is present to the user."), ) diff --git a/blueprints/example/flows-enrollment-2-stage.yaml b/blueprints/example/flows-enrollment-2-stage.yaml index 6365eed00..f4afa34af 100644 --- a/blueprints/example/flows-enrollment-2-stage.yaml +++ b/blueprints/example/flows-enrollment-2-stage.yaml @@ -105,26 +105,18 @@ entries: stage: !KeyOf default-enrollment-prompt-first order: 10 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-prompt-second order: 11 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-user-write order: 20 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-user-login order: 100 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false diff --git a/blueprints/example/flows-enrollment-email-verification.yaml b/blueprints/example/flows-enrollment-email-verification.yaml index 09f1563b0..3bd8b1dca 100644 --- a/blueprints/example/flows-enrollment-email-verification.yaml +++ b/blueprints/example/flows-enrollment-email-verification.yaml 
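Review bot: In `authentik/flows/models.py` the rule that at least one evaluation point is enabled is not expressed on `FlowStageBinding`; this hunk only swaps the two defaults, so the model still accepts `evaluate_on_plan=False` together with `re_evaluate_policies=False`. Migration 0025 in this commit consists of two `AlterField` operations and does not touch stored rows, so bindings already saved with both flags off, or created without going through the serializer, would presumably keep skipping policy evaluation. Consider a data check in the migration that reports or repairs such rows, and a comment above the fields such as `# At least one of evaluate_on_plan / re_evaluate_policies must be True, otherwise bound policies are never evaluated.` The class body continues outside the hunk, so a model-level `clean()` may already exist there.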
@@ -123,33 +123,23 @@ entries: stage: !KeyOf default-enrollment-prompt-first order: 10 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-prompt-second order: 11 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-user-write order: 20 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-email-verification order: 30 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false - identifiers: target: !KeyOf flow stage: !KeyOf default-enrollment-user-login order: 40 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false diff --git a/blueprints/example/flows-unenrollment.yaml b/blueprints/example/flows-unenrollment.yaml index 5d29dd2b9..113c7fca0 100644 --- a/blueprints/example/flows-unenrollment.yaml +++ b/blueprints/example/flows-unenrollment.yaml @@ -23,5 +23,3 @@ entries: stage: !KeyOf default-unenrollment-user-delete order: 10 model: authentik_flows.flowstagebinding - attrs: - re_evaluate_policies: false diff --git a/schema.yml b/schema.yml index c7c418bdb..a5e7e0e0d 100644 --- a/schema.yml +++ b/schema.yml @@ -28021,8 +28021,7 @@ components: readOnly: true evaluate_on_plan: type: boolean - description: Evaluate policies during the Flow planning process. Disable - this for input-based policies. + description: Evaluate policies during the Flow planning process. re_evaluate_policies: type: boolean description: Evaluate policies when the Stage is present to the user. 
@@ -28058,8 +28057,7 @@ components: format: uuid evaluate_on_plan: type: boolean - description: Evaluate policies during the Flow planning process. Disable - this for input-based policies. + description: Evaluate policies during the Flow planning process. re_evaluate_policies: type: boolean description: Evaluate policies when the Stage is present to the user. @@ -33754,8 +33752,7 @@ components: format: uuid evaluate_on_plan: type: boolean - description: Evaluate policies during the Flow planning process. Disable - this for input-based policies. + description: Evaluate policies during the Flow planning process. re_evaluate_policies: type: boolean description: Evaluate policies when the Stage is present to the user. diff --git a/web/src/admin/flows/StageBindingForm.ts b/web/src/admin/flows/StageBindingForm.ts index b34208462..fc8fdf251 100644 --- a/web/src/admin/flows/StageBindingForm.ts +++ b/web/src/admin/flows/StageBindingForm.ts @@ -148,17 +148,17 @@ export class StageBindingForm extends ModelForm { - ${t`Evaluate on plan`} + ${t`Evaluate when flow is planned`}

- ${t`Evaluate policies during the Flow planning process. Disable this for input-based policies. Should be used in conjunction with 'Re-evaluate policies', as with both options disabled, policies are **not** evaluated.`} + ${t`Evaluate policies during the Flow planning process.`}

@@ -166,14 +166,14 @@ export class StageBindingForm extends ModelForm { - ${t`Re-evaluate policies`} + ${t`Evaluate when stage is run`}

${t`Evaluate policies before the Stage is present to the user.`} diff --git a/website/docs/flow/examples/snippets.md b/website/docs/flow/examples/snippets.md index dcd972f0e..b9135e9ea 100644 --- a/website/docs/flow/examples/snippets.md +++ b/website/docs/flow/examples/snippets.md @@ -9,7 +9,9 @@ Requires authentik 2022.7 ::: ```python -plan = request.context["flow_plan"] +plan = request.context.get("flow_plan") +if not plan: + return False plan.redirect("https://foo.bar") return False ```