From a5adc4f8ed5ca0c8ca55bf29825210256913747f Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Mon, 31 Jan 2022 20:00:30 +0100 Subject: [PATCH] core: fix view_token permission not being assigned on token creation for non-admin user Signed-off-by: Jens Langhammer --- authentik/core/api/tokens.py | 6 ++++-- authentik/core/tests/test_token_api.py | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py index 421efcaa3..005ed9399 100644 --- a/authentik/core/api/tokens.py +++ b/authentik/core/api/tokens.py @@ -3,7 +3,7 @@ from typing import Any from django_filters.rest_framework import DjangoFilterBackend from drf_spectacular.utils import OpenApiResponse, extend_schema -from guardian.shortcuts import get_anonymous_user +from guardian.shortcuts import assign_perm, get_anonymous_user from rest_framework.decorators import action from rest_framework.exceptions import ValidationError from rest_framework.fields import CharField @@ -95,10 +95,12 @@ class TokenViewSet(UsedByMixin, ModelViewSet): def perform_create(self, serializer: TokenSerializer): if not self.request.user.is_superuser: - return serializer.save( + instance = serializer.save( user=self.request.user, expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True), ) + assign_perm("authentik_core.view_token_key", self.request.user, instance) + return instance return super().perform_create(serializer) @permission_required("authentik_core.view_token_key") diff --git a/authentik/core/tests/test_token_api.py b/authentik/core/tests/test_token_api.py index 27d6faf1e..904e4eb0f 100644 --- a/authentik/core/tests/test_token_api.py +++ b/authentik/core/tests/test_token_api.py @@ -30,6 +30,7 @@ class TestTokenAPI(APITestCase): self.assertEqual(token.user, self.user) self.assertEqual(token.intent, TokenIntents.INTENT_API) self.assertEqual(token.expiring, True) + self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token)) def test_token_create_invalid(self): """Test token creation endpoint (invalid data)"""