From c1ea78c42293d29a9d9fc4f1a43013ee97c86aaf Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 6 Dec 2021 12:33:29 +0100
Subject: [PATCH] core: fix missing permission check for group creating when
 creating service account

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/users.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index cb09f0f05..13d1ad756 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -314,7 +314,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                     name=username,
                     attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
                 )
-                if create_group:
+                if create_group and self.request.user.has_perm("authentik_core.add_group"):
                     group = Group.objects.create(
                         name=username,
                     )