rbac: fix invitations listing with restricted permissions (cherry-pick #8227) (#8229)

rbac: fix invitations listing with restricted permissions (#8227) * rbac: fix missing permission definition for list * core: fix users's system_permissions not including role permissions * core: don't require permissions for users/me/ * web/admin: catch error when listing stages on invitation page fails * Revert "rbac: fix missing permission definition for list" This reverts commit fd7572e699. * Revert "core: don't require permissions for users/me/" This reverts commit 9df0dbda8a. --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>
2024-01-18 23:24:58 +01:00
parent bb9a524b53
commit 0fa8432b72
2 changed files with 21 additions and 17 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -233,9 +233,9 @@ class UserSelfSerializer(ModelSerializer):
    def get_system_permissions(self, user: User) -> list[str]:
        """Get all system permissions assigned to the user"""
        return list(
-            user.user_permissions.filter(
-                content_type__app_label="authentik_rbac", content_type__model="systempermission"
-            ).values_list("codename", flat=True)
+            x.split(".", maxsplit=1)[1]
+            for x in user.get_all_permissions()
+            if x.startswith("authentik_rbac")
        )

    class Meta:
--- a/web/src/admin/stages/invitation/InvitationListPage.ts
+++ b/web/src/admin/stages/invitation/InvitationListPage.ts
@ -62,20 +62,24 @@ export class InvitationListPage extends TablePage<Invitation> {
    multipleEnrollmentFlows = false;

    async apiEndpoint(page: number): Promise<PaginatedResponse<Invitation>> {
-        // Check if any invitation stages exist
-        const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
-            noFlows: false,
-        });
-        this.invitationStageExists = stages.pagination.count > 0;
-        this.expandable = this.invitationStageExists;
-        stages.results.forEach((stage) => {
-            const enrollmentFlows = (stage.flowSet || []).filter(
-                (flow) => flow.designation === FlowDesignationEnum.Enrollment,
-            );
-            if (enrollmentFlows.length > 1) {
-                this.multipleEnrollmentFlows = true;
-            }
-        });
+        try {
+            // Check if any invitation stages exist
+            const stages = await new StagesApi(DEFAULT_CONFIG).stagesInvitationStagesList({
+                noFlows: false,
+            });
+            this.invitationStageExists = stages.pagination.count > 0;
+            this.expandable = this.invitationStageExists;
+            stages.results.forEach((stage) => {
+                const enrollmentFlows = (stage.flowSet || []).filter(
+                    (flow) => flow.designation === FlowDesignationEnum.Enrollment,
+                );
+                if (enrollmentFlows.length > 1) {
+                    this.multipleEnrollmentFlows = true;
+                }
+            });
+        } catch {
+            // assuming we can't fetch stages, ignore the error
+        }
        return new StagesApi(DEFAULT_CONFIG).stagesInvitationInvitationsList({
            ordering: this.order,
            page: page,