core: fix view_token permission not being assigned on token creation for non-admin user

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-31 20:00:30 +01:00 · 2022-01-31 20:00:30 +01:00 · a5adc4f8ed
parent a6baed9753
commit a5adc4f8ed
2 changed files with 5 additions and 2 deletions
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -3,7 +3,7 @@ from typing import Any

 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_anonymous_user
+from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@ -95,10 +95,12 @@ class TokenViewSet(UsedByMixin, ModelViewSet):

    def perform_create(self, serializer: TokenSerializer):
        if not self.request.user.is_superuser:
-            return serializer.save(
+            instance = serializer.save(
                user=self.request.user,
                expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
            )
+            assign_perm("authentik_core.view_token_key", self.request.user, instance)
+            return instance
        return super().perform_create(serializer)

    @permission_required("authentik_core.view_token_key")
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -30,6 +30,7 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(token.user, self.user)
        self.assertEqual(token.intent, TokenIntents.INTENT_API)
        self.assertEqual(token.expiring, True)
+        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))

    def test_token_create_invalid(self):
        """Test token creation endpoint (invalid data)"""