fix tests and fix permission bug

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
goauthentik · Apr 14, 2024 · 101e8df · 101e8df
1 parent 61c8523
commit 101e8df
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 3 deletions.
diff --git a/authentik/core/tests/test_groups_api.py b/authentik/core/tests/test_groups_api.py
@@ -5,7 +5,7 @@
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
 
 
@@ -81,7 +81,8 @@ def test_remove_user_404(self):
     def test_parent_self(self):
         """Test parent"""
         group = Group.objects.create(name=generate_id())
-        self.login_user = create_test_admin_user()
+        assign_perm("view_group", self.login_user, group)
+        assign_perm("change_group", self.login_user, group)
         self.client.force_login(self.login_user)
         res = self.client.patch(
             reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),

diff --git a/authentik/rbac/permissions.py b/authentik/rbac/permissions.py
@@ -8,7 +8,16 @@
 class ObjectPermissions(DjangoObjectPermissions):
     """RBAC Permissions"""
 
-    def has_object_permission(self, request: Request, view, obj: Model):
+    def has_permission(self, request: Request, view) -> bool:
+        """Always grant permission for object-specific requests
+        as view permission checking is done by `ObjectFilter`,
+        and write permission checking is done by `has_object_permission`"""
+        lookup = getattr(view, "lookup_url_kwarg", None) or getattr(view, "lookup_field", None)
+        if lookup and lookup in view.kwargs:
+            return True
+        return super().has_permission(request, view)
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
         queryset = self._queryset(view)
         model_cls = queryset.model
         perms = self.get_required_object_permissions(request.method, model_cls)

diff --git a/authentik/rbac/tests/test_api_filters.py b/authentik/rbac/tests/test_api_filters.py
@@ -121,3 +121,29 @@ def test_create_simple_denied(self):
             },
         )
         self.assertEqual(res.status_code, 403)
+
+    def test_update_simple(self):
+        """Test update with permission"""
+        self.client.force_login(self.user)
+        inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser)
+        self.role.assign_permission("authentik_stages_invitation.view_invitation", obj=inv)
+        self.role.assign_permission("authentik_stages_invitation.change_invitation", obj=inv)
+        res = self.client.patch(
+            reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}),
+            data={
+                "name": generate_id(),
+            },
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_update_simple_denied(self):
+        """Test update without assigning permission"""
+        self.client.force_login(self.user)
+        inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser)
+        res = self.client.patch(
+            reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}),
+            data={
+                "name": generate_id(),
+            },
+        )
+        self.assertEqual(res.status_code, 403)