From 9fd8cedbfa8e1a7c4d48e0f230ee9b18e77751d5 Mon Sep 17 00:00:00 2001 From: Marc 'risson' Schmitt Date: Wed, 20 Dec 2023 11:08:17 +0100 Subject: [PATCH] use permissions for settings api Signed-off-by: Marc 'risson' Schmitt --- .../0003_alter_systempermission_options.py | 29 +++++++++++++++++++ authentik/rbac/models.py | 2 ++ authentik/tenants/api.py | 13 +++++++-- 3 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 authentik/rbac/migrations/0003_alter_systempermission_options.py diff --git a/authentik/rbac/migrations/0003_alter_systempermission_options.py b/authentik/rbac/migrations/0003_alter_systempermission_options.py new file mode 100644 index 000000000..8320edcae --- /dev/null +++ b/authentik/rbac/migrations/0003_alter_systempermission_options.py @@ -0,0 +1,29 @@ +# Generated by Django 4.2.8 on 2023-12-20 10:02 + +from django.db import migrations + + +class Migration(migrations.Migration): + dependencies = [ + ("authentik_rbac", "0002_systempermission"), + ] + + operations = [ + migrations.AlterModelOptions( + name="systempermission", + options={ + "default_permissions": (), + "managed": False, + "permissions": [ + ("view_system_info", "Can view system info"), + ("view_system_tasks", "Can view system tasks"), + ("run_system_tasks", "Can run system tasks"), + ("access_admin_interface", "Can access admin interface"), + ("view_system_settings", "Can view system settings"), + ("edit_system_settings", "Can edit system settings"), + ], + "verbose_name": "System permission", + "verbose_name_plural": "System permissions", + }, + ), + ] diff --git a/authentik/rbac/models.py b/authentik/rbac/models.py index fe6096f7d..b3ff7e493 100644 --- a/authentik/rbac/models.py +++ b/authentik/rbac/models.py @@ -70,4 +70,6 @@ class SystemPermission(models.Model): ("view_system_tasks", _("Can view system tasks")), ("run_system_tasks", _("Can run system tasks")), ("access_admin_interface", _("Can access admin interface")), + ("view_system_settings", _("Can view system settings")), + ("edit_system_settings", _("Can edit system settings")), ] diff --git a/authentik/tenants/api.py b/authentik/tenants/api.py index 1fc423c77..006153f4d 100644 --- a/authentik/tenants/api.py +++ b/authentik/tenants/api.py @@ -6,7 +6,7 @@ from rest_framework import permissions from rest_framework.authentication import get_authorization_header from rest_framework.filters import OrderingFilter, SearchFilter from rest_framework.generics import RetrieveUpdateAPIView -from rest_framework.permissions import IsAdminUser +from rest_framework.permissions import SAFE_METHODS, IsAdminUser from rest_framework.request import Request from rest_framework.serializers import ModelSerializer from rest_framework.views import View @@ -14,6 +14,7 @@ from rest_framework.viewsets import ModelViewSet from authentik.api.authentication import validate_auth from authentik.lib.config import CONFIG +from authentik.rbac.permissions import HasPermission from authentik.tenants.models import Domain, Tenant @@ -117,9 +118,17 @@ class SettingsView(RetrieveUpdateAPIView): queryset = Tenant.objects.filter(ready=True) serializer_class = SettingsSerializer - permission_classes = [IsAdminUser] filter_backends = [] + def get_permissions(self): + return [ + HasPermission( + "authentik_rbac.view_system_settings" + if self.request.method in SAFE_METHODS + else "authentik_rbac.edit_system_settings" + )() + ] + def get_object(self): obj = self.request.tenant self.check_object_permissions(self.request, obj)