core: prevent selecting a group as a parent of itself (#6016)

* core: prevent selecting a group as a parent of itself Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix api error when no parent is given Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-20 20:21:58 +02:00
parent 5e30f46772
commit 93575a9966
3 changed files with 25 additions and 0 deletions
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -1,5 +1,6 @@
 """Groups API Viewset"""
 from json import loads
+from typing import Optional

 from django.db.models.query import QuerySet
 from django.http import Http404
@ -52,6 +53,14 @@ class GroupSerializer(ModelSerializer):

    num_pk = IntegerField(read_only=True)

+    def validate_parent(self, parent: Optional[Group]):
+        """Validate group parent (if set), ensuring the parent isn't itself"""
+        if not self.instance or not parent:
+            return parent
+        if str(parent.group_uuid) == str(self.instance.group_uuid):
+            raise ValidationError("Cannot set group as parent of itself.")
+        return parent
+
    class Meta:
        model = Group
        fields = [