From c1ea78c42293d29a9d9fc4f1a43013ee97c86aaf Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 6 Dec 2021 12:33:29 +0100
Subject: [PATCH] core: fix missing permission check for group creating when creating service account

Signed-off-by: Jens Langhammer
---
 authentik/core/api/users.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index cb09f0f05..13d1ad756 100644
--- authentik/core/api/users.py
+++ authentik/core/api/users.py
@@ -314,7 +314,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 name=username,
 attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
 )
- if create_group:
+ if create_group and self.request.user.has_perm("authentik_core.add_group"):
 group = Group.objects.create(
 name=username,
 )
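Review bot: A caller who sets `create_group` without holding `authentik_core.add_group` is now silently given a service account with no group, because the new `if create_group and self.request.user.has_perm("authentik_core.add_group"):` just falls through and nothing visible in the hunk reports the skip. The context lines suggest the user object is created immediately above, so rejecting at this point would leave a half-finished result. A cleaner shape is to test the permission before any object is created and refuse the request there, e.g. `if create_group and not self.request.user.has_perm("authentik_core.add_group"): raise PermissionDenied()` (DRF's exception, assuming it is imported in this module). If the silent downgrade is intended, say so in a comment such as `# group is skipped, not rejected, when the caller lacks add_group`. The diffstat shows only users.py changed, so a regression test for a caller without the permission is also missing; the enclosing method starts and ends outside the hunk.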