*: handle PermissionError when saving files, ensure permission bits are set correctly

closes #3817

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/core/api/applications.py

@@ -232,7 +232,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             return Response({})
         if icon:
             app.meta_icon = icon
-            app.save()
+            try:
+                app.save()
+            except PermissionError as exc:
+                LOGGER.warning("Failed to save icon", exc=exc)
+                return HttpResponseBadRequest()
             return Response({})
         return HttpResponseBadRequest()
 

authentik/flows/api/flows.py

@@ -239,7 +239,11 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
             return Response({})
         if background:
             flow.background = background
-            flow.save()
+            try:
+                flow.save()
+            except PermissionError as exc:
+                LOGGER.warning("Failed to save icon", exc=exc)
+                return HttpResponseBadRequest()
             return Response({})
         return HttpResponseBadRequest()
 

lifecycle/ak

@@ -27,8 +27,10 @@ function check_if_root {
         GROUP_NAME=$(getent group $DOCKER_GID | sed 's/:/\n/g' | head -1)
         GROUP="authentik:${GROUP_NAME}"
     fi
-    # Fix permissions of backups and media
+    # Fix permissions of certs and media
     chown -R authentik:authentik /media /certs
+    chmod ug+rwx /media
+    chmod ug+rx /certs
     exec chpst -u authentik:$GROUP env HOME=/authentik $1
 }
 

website/docs/troubleshooting/image_upload.md

@@ -15,4 +15,6 @@ To fix these issues, run these commands in the folder of your docker-compose fil
 ```shell
 sudo chown 1000:1000 media/
 sudo chown 1000:1000 custom-templates/
+sudo chmod ug+rwx media/
+sudo chmod ug+rx certs/
 ```