From 02791e765f897c62a5d1930e2d75abe562d1d660 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Thu, 18 Jan 2024 23:08:29 +0100
Subject: [PATCH] rbac: fix invitations listing with restricted permissions (#8227)
* rbac: fix missing permission definition for list
Signed-off-by: Jens Langhammer
* core: fix users's system_permissions not including role permissions
Signed-off-by: Jens Langhammer
* core: don't require permissions for users/me/
Signed-off-by: Jens Langhammer
* web/admin: catch error when listing stages on invitation page fails
Signed-off-by: Jens Langhammer
* Revert "rbac: fix missing permission definition for list"
This reverts commit fd7572e699c0f466fc38624d6e46741b58417c2c.
* Revert "core: don't require permissions for users/me/"
This reverts commit 9df0dbda8a5f3cdf4ed8cf84070b34ad78ddf162.
---------
Signed-off-by: Jens Langhammer
---
 authentik/core/api/users.py | 6 ++--
 .../stages/invitation/InvitationListPage.ts | 32 +++++++++++--------
 2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index 5b6a4a1990..2bb18e0c62 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -227,9 +227,9 @@ class UserSelfSerializer(ModelSerializer):
 def get_system_permissions(self, user: User) -> list[str]:
 """Get all system permissions assigned to the user"""
 return list(
- user.user_permissions.filter(
- content_type__app_label="authentik_rbac", content_type__model="systempermission"
- ).values_list("codename", flat=True)
+ x.split(".", maxsplit=1)[1]
+ for x in user.get_all_permissions()
+ if x.startswith("authentik_rbac")
 )
 class Meta:
diff --git a/web/src/admin/stages/invitation/InvitationListPage.ts b/web/src/admin/stages/invitation/InvitationListPage.ts
index 2288b06918..1eb1367361 100644
--- a/web/src/admin/stages/invitation/InvitationListPage.ts
+++ b/web/src/admin/stages/invitation/InvitationListPage.ts
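Review bot: In `get_system_permissions` (`authentik/core/api/users.py`) the new filter `x.startswith("authentik_rbac")` is a bare prefix match with no trailing dot, so a permission from any app whose label merely begins with `authentik_rbac` would be reported as a system permission; use `if x.startswith("authentik_rbac.")`. The removed query also required `content_type__model="systempermission"`, and the replacement no longer does, so every permission in the `authentik_rbac` app, not only those on the system-permission model, can now appear in the list; it is worth confirming that widening is intended, since the field name still says "system permissions". Django's `get_all_permissions()` returns a set, so the order of the resulting list is not stable; wrap the generator in `sorted(...)` if clients or tests compare it. The enclosing serializer class starts above the hunk.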
@@ -62,20 +62,24 @@ export class InvitationListPage extends TablePage {
 multipleEnrollmentFlows = false;
 async apiEndpoint(page: number): Promise> {
- // Check if any invitation stages exist
- const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
- noFlows: false,
- });
- this.invitationStageExists = stages.pagination.count > 0;
- this.expandable = this.invitationStageExists;
- stages.results.forEach((stage) => {
- const enrollmentFlows = (stage.flowSet || []).filter(
- (flow) => flow.designation === FlowDesignationEnum.Enrollment,
- );
- if (enrollmentFlows.length > 1) {
- this.multipleEnrollmentFlows = true;
- }
- });
+ try {
+ // Check if any invitation stages exist
+ const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
+ noFlows: false,
+ });
+ this.invitationStageExists = stages.pagination.count > 0;
+ this.expandable = this.invitationStageExists;
+ stages.results.forEach((stage) => {
+ const enrollmentFlows = (stage.flowSet || []).filter(
+ (flow) => flow.designation === FlowDesignationEnum.Enrollment,
+ );
+ if (enrollmentFlows.length > 1) {
+ this.multipleEnrollmentFlows = true;
+ }
+ });
+ } catch {
+ // assuming we can't fetch stages, ignore the error
+ }
 return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsList({
 ordering: this.order,
 page: page,
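Review bot: The bare `catch {}` added around the stage lookup in `apiEndpoint` swallows every failure, not only the permission-denied response the commit is about, so a network error, a server error or an exception thrown inside the `forEach` callback is dropped without a trace. On that path `invitationStageExists`, `expandable` and `multipleEnrollmentFlows` keep whatever values they held before the call, which can leave the page rendering state from an earlier load. Bind the error and at least log it, e.g. `} catch (exc) { console.warn("failed to list invitation stages", exc); }`, and preferably ignore only the forbidden status and rethrow everything else. The body of `apiEndpoint` continues past the end of the hunk.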