rbac: fix invitations listing with restricted permissions (#8227)

* rbac: fix missing permission definition for list Signed-off-by: Jens Langhammer <jens@goauthentik.io> * core: fix users's system_permissions not including role permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * core: don't require permissions for users/me/ Signed-off-by: Jens Langhammer <jens@goauthentik.io> * web/admin: catch error when listing stages on invitation page fails Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Revert "rbac: fix missing permission definition for list" This reverts commit fd7572e699. * Revert "core: don't require permissions for users/me/" This reverts commit 9df0dbda8a. --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-01-18 23:08:29 +01:00
parent abf1f0e348
commit 02791e765f
2 changed files with 21 additions and 17 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -227,9 +227,9 @@ class UserSelfSerializer(ModelSerializer):
    def get_system_permissions(self, user: User) -> list[str]:
        """Get all system permissions assigned to the user"""
        return list(
-            user.user_permissions.filter(
+            x.split(".", maxsplit=1)[1]
-                content_type__app_label="authentik_rbac", content_type__model="systempermission"
+            for x in user.get_all_permissions()
-            ).values_list("codename", flat=True)
+            if x.startswith("authentik_rbac")
        )
    class Meta:
--- a/web/src/admin/stages/invitation/InvitationListPage.ts
+++ b/web/src/admin/stages/invitation/InvitationListPage.ts
@ -62,20 +62,24 @@ export class InvitationListPage extends TablePage<Invitation> {
    multipleEnrollmentFlows = false;
    async apiEndpoint(page: number): Promise<PaginatedResponse<Invitation>> {
-        // Check if any invitation stages exist
+        try {
-        const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
+            // Check if any invitation stages exist
-            noFlows: false,
+            const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
-        });
+                noFlows: false,
-        this.invitationStageExists = stages.pagination.count > 0;
+            });
-        this.expandable = this.invitationStageExists;
+            this.invitationStageExists = stages.pagination.count > 0;
-        stages.results.forEach((stage) => {
+            this.expandable = this.invitationStageExists;
-            const enrollmentFlows = (stage.flowSet || []).filter(
+            stages.results.forEach((stage) => {
-                (flow) => flow.designation === FlowDesignationEnum.Enrollment,
+                const enrollmentFlows = (stage.flowSet || []).filter(
-            );
+                    (flow) => flow.designation === FlowDesignationEnum.Enrollment,
-            if (enrollmentFlows.length > 1) {
+                );
-                this.multipleEnrollmentFlows = true;
+                if (enrollmentFlows.length > 1) {
-            }
+                    this.multipleEnrollmentFlows = true;
-        });
+                }
            });
        } catch {
            // assuming we can't fetch stages, ignore the error
        }
        return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsList({
            ordering: this.order,
            page: page,