From ede072889e87053be89639d1cfb1c4d2b1293335 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Sat, 19 Jun 2021 16:17:54 +0200 Subject: [PATCH] core: deepmerge user.group_attributes, use group_attributes for user settings closes #1051 Signed-off-by: Jens Langhammer --- Pipfile | 1 + Pipfile.lock | 12 ++++++++++-- authentik/core/models.py | 5 +++-- authentik/flows/views.py | 7 +++++-- authentik/lib/utils/http.py | 2 +- authentik/policies/denied.py | 4 +++- website/docs/troubleshooting/access.md | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-) diff --git a/Pipfile b/Pipfile index 876f669ae..0cf076c36 100644 --- a/Pipfile +++ b/Pipfile @@ -46,6 +46,7 @@ webauthn = "*" xmlsec = "*" duo-client = "*" ua-parser = "*" +deepmerge = "*" [requires] python_version = "3.9" diff --git a/Pipfile.lock b/Pipfile.lock index 34664222b..4b7f4447d 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "4fa1ad681762c867a95410074f31ac5d00119e187e0f38982cd59fdf301cccf5" + "sha256": "f90d9fb4713eaf9c5ffe6a3858e64843670f79ab5007e7debf914c1f094c8d63" }, "pipfile-spec": 6, "requires": { @@ -324,6 +324,14 @@ "markers": "python_version >= '3.6'", "version": "==3.0.2" }, + "deepmerge": { + "hashes": [ + "sha256:87166dbe9ba1a3348a45c9d4ada6778f518d41afc0b85aa017ea3041facc3f9c", + "sha256:f6fd7f1293c535fb599e197e750dbe8674503c5d2a89759b3c72a3c46746d4fd" + ], + "index": "pypi", + "version": "==0.3.0" + }, "defusedxml": { "hashes": [ "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69", @@ -1557,7 +1565,7 @@ "sha256:0a943902919f65c5684ac4e0154b1ad4fac6dcaa5d9f3426b732f1c8b5419be6", "sha256:2bb1680aad211e3c9944dbce1d4ba09a989f04e238296c87fe2139faa26d655d" ], - "markers": "python_version >= '3.6' and python_version < '4'", + "markers": "python_version >= '3.6' and python_version < '4.0'", "version": "==5.8.0" }, "lazy-object-proxy": { diff --git a/authentik/core/models.py b/authentik/core/models.py index fc88d10e8..7e1c377d4 100644 --- a/authentik/core/models.py +++ b/authentik/core/models.py @@ -6,6 +6,7 @@ from urllib.parse import urlencode from uuid import uuid4 import django.db.models.options as options +from deepmerge import always_merger from django.conf import settings from django.contrib.auth.models import AbstractUser from django.contrib.auth.models import UserManager as DjangoUserManager @@ -114,8 +115,8 @@ class User(GuardianUserMixin, AbstractUser): including the users attributes""" final_attributes = {} for group in self.ak_groups.all().order_by("name"): - final_attributes.update(group.attributes) - final_attributes.update(self.attributes) + always_merger.merge(final_attributes, group.attributes) + always_merger.merge(final_attributes, self.attributes) return final_attributes @cached_property diff --git a/authentik/flows/views.py b/authentik/flows/views.py index 2cfcfc06b..499338d97 100644 --- a/authentik/flows/views.py +++ b/authentik/flows/views.py @@ -365,8 +365,11 @@ class FlowErrorResponse(TemplateResponse): context = {} context["error"] = self.error if self._request.user and self._request.user.is_authenticated: - if self._request.user.is_superuser or self._request.user.attributes.get( - USER_ATTRIBUTE_DEBUG, False + if ( + self._request.user.is_superuser + or self._request.user.group_attributes().get( + USER_ATTRIBUTE_DEBUG, False + ) ): context["tb"] = "".join(format_tb(self.error.__traceback__)) return context diff --git a/authentik/lib/utils/http.py b/authentik/lib/utils/http.py index dc4c003b4..ac4ed67af 100644 --- a/authentik/lib/utils/http.py +++ b/authentik/lib/utils/http.py @@ -33,7 +33,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]: return None if OUTPOST_REMOTE_IP_HEADER not in request.META: return None - if request.user.attributes.get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False): + if request.user.group_attributes().get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False): return None return request.META[OUTPOST_REMOTE_IP_HEADER] diff --git a/authentik/policies/denied.py b/authentik/policies/denied.py index 5da2a30ce..9ffc2a7b1 100644 --- a/authentik/policies/denied.py +++ b/authentik/policies/denied.py @@ -37,7 +37,9 @@ class AccessDeniedResponse(TemplateResponse): if self._request.user and self._request.user.is_authenticated: if ( self._request.user.is_superuser - or self._request.user.attributes.get(USER_ATTRIBUTE_DEBUG, False) + or self._request.user.group_attributes().get( + USER_ATTRIBUTE_DEBUG, False + ) ): context["policy_result"] = self.policy_result return context diff --git a/website/docs/troubleshooting/access.md b/website/docs/troubleshooting/access.md index 294ef6d01..60edbf6f8 100644 --- a/website/docs/troubleshooting/access.md +++ b/website/docs/troubleshooting/access.md @@ -4,7 +4,7 @@ title: Troubleshooting access problems ### I get an access denied error when trying to access an application. -If your user is a superuser, or has the attribute `goauthentik.io/user/debug` set to true: +If your user is a superuser, or has the attribute `goauthentik.io/user/debug` set to true (can also be set on a group level): ![](./authentik_user_debug.png)