From 80b0aef210b8a1cec7145fd177b08c99afcf9981 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 30 Mar 2021 15:50:41 +0200
Subject: [PATCH] core: add new permissions for tokens to view key

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/tokens.py                  |  2 ++
 .../migrations/0018_auto_20210330_1345.py     | 21 +++++++++++++++++++
 authentik/core/models.py                      |  1 +
 3 files changed, 24 insertions(+)
 create mode 100644 authentik/core/migrations/0018_auto_20210330_1345.py

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index 10d94b509..3a2bb4911 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -8,6 +8,7 @@ from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.decorators import permission_required
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Token
@@ -60,6 +61,7 @@ class TokenViewSet(ModelViewSet):
     ]
     ordering = ["expires"]
 
+    @permission_required("authentik_core.view_token_key")
     @swagger_auto_schema(responses={200: TokenViewSerializer(many=False)})
     @action(detail=True)
     # pylint: disable=unused-argument
diff --git a/authentik/core/migrations/0018_auto_20210330_1345.py b/authentik/core/migrations/0018_auto_20210330_1345.py
new file mode 100644
index 000000000..6d2756f24
--- /dev/null
+++ b/authentik/core/migrations/0018_auto_20210330_1345.py
@@ -0,0 +1,21 @@
+# Generated by Django 3.1.7 on 2021-03-30 13:45
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0017_managed"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="token",
+            options={
+                "permissions": (("view_token_key", "View token's key"),),
+                "verbose_name": "Token",
+                "verbose_name_plural": "Tokens",
+            },
+        ),
+    ]
diff --git a/authentik/core/models.py b/authentik/core/models.py
index 1393c7bd4..838598898 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -369,6 +369,7 @@ class Token(ManagedModel, ExpiringModel):
             models.Index(fields=["identifier"]),
             models.Index(fields=["key"]),
         ]
+        permissions = (("view_token_key", "View token's key"),)
 
 
 class PropertyMapping(SerializerModel, ManagedModel):