habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

core: fix unable to create group if no enable_group_superuser permission is given (cherry-pick #14510) (#14521)

Browse Source 
core: fix unable to create group if no enable_group_superuser permission is given (#14510)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
This commit is contained in:
gcp-cherry-pick-bot[bot]
2025-05-15 15:05:04 +02:00
committed by GitHub
parent ed0a9d6a0a
commit 14a6430e21
2 changed files with 20 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
authentik/core/api/groups.py
View File

@ -99,18 +99,17 @@ class GroupSerializer(ModelSerializer):
if superuser if superuser
else "authentik_core.disable_group_superuser" else "authentik_core.disable_group_superuser"
) )
has_perm = user.has_perm(perm) if self.instance or superuser:
if self.instance and not has_perm: has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
has_perm = user.has_perm(perm, self.instance) if not has_perm:
if not has_perm: raise ValidationError(
raise ValidationError( _(
_( (
( "User does not have permission to set "
"User does not have permission to set " "superuser status to {superuser_status}."
"superuser status to {superuser_status}." ).format_map({"superuser_status": superuser})
).format_map({"superuser_status": superuser}) )
) )
)
return superuser return superuser
class Meta: class Meta:

10
authentik/core/tests/test_groups_api.py
View File

@ -124,6 +124,16 @@ class TestGroupsAPI(APITestCase):
{"is_superuser": ["User does not have permission to set superuser status to True."]}, {"is_superuser": ["User does not have permission to set superuser status to True."]},
) )
def test_superuser_no_perm_no_superuser(self):
"""Test creating a group without permission and without superuser flag"""
assign_perm("authentik_core.add_group", self.login_user)
self.client.force_login(self.login_user)
res = self.client.post(
reverse("authentik_api:group-list"),
data={"name": generate_id(), "is_superuser": False},
)
self.assertEqual(res.status_code, 201)
def test_superuser_update_no_perm(self): def test_superuser_update_no_perm(self):
"""Test updating a superuser group without permission""" """Test updating a superuser group without permission"""
group = Group.objects.create(name=generate_id(), is_superuser=True) group = Group.objects.create(name=generate_id(), is_superuser=True)