From f909b86338c90eb5ee2a2d163431814434546522 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 19 Jul 2022 16:41:34 +0000
Subject: [PATCH] stages/consent: fix permimssions for consent API (allow owner to delete)

---
 authentik/stages/consent/api.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/authentik/stages/consent/api.py b/authentik/stages/consent/api.py
index 5a25b1db0..fa6f7f938 100644
--- a/authentik/stages/consent/api.py
+++ b/authentik/stages/consent/api.py
@@ -5,6 +5,7 @@ from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
@@ -56,12 +57,9 @@ class UserConsentViewSet(
 serializer_class = UserConsentSerializer
 filterset_fields = ["user", "application"]
 ordering = ["application", "expires"]
- filter_backends = [
- DjangoFilterBackend,
- OrderingFilter,
- SearchFilter,
- ]
 search_fields = ["user__username"]
+ permission_classes = [OwnerSuperuserPermissions]
+ filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]

 def get_queryset(self):
 user = self.request.user if self.request else get_anonymous_user()
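Review bot: Setting `permission_classes = [OwnerSuperuserPermissions]` on `UserConsentViewSet` replaces the project-wide DRF default permission list for this view rather than extending it, so whether unauthenticated or non-owner requests are rejected now rests entirely on that class and on `OwnerFilter`, neither of which is defined in this diff. The diffstat shows only `api.py` changed, so nothing pins the new behaviour; a test asserting that an owner can delete their own consent while a different non-superuser can neither retrieve nor delete it would guard against a regression. A one-line comment above the two added attributes would also help the next reader, for example `# Owner-scoped access: OwnerFilter and OwnerSuperuserPermissions must stay paired`, provided that matches what the two classes actually enforce. `get_queryset` begins at the end of the hunk and continues outside it, so any overlap between its own user handling and `OwnerFilter` could not be checked from here.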