core: exclude anonymous user by default

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/blueprints/v1/exporter.py

@@ -4,7 +4,6 @@ from collections.abc import Iterable
 from uuid import UUID
 
 from django.apps import apps
-from django.contrib.auth import get_user_model
 from django.db.models import Model, Q, QuerySet
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
@@ -47,8 +46,6 @@ class Exporter:
     def get_model_instances(self, model: type[Model]) -> QuerySet:
         """Return a queryset for `model`. Can be used to filter some
         objects on some models"""
-        if model == get_user_model():
-            return model.objects.exclude_anonymous()
         return model.objects.all()
 
     def _pre_export(self, blueprint: Blueprint):

authentik/core/api/users.py

@@ -408,7 +408,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     filterset_class = UsersFilter
 
     def get_queryset(self):
-        base_qs = User.objects.all().exclude_anonymous()
+        base_qs = User.objects.all()
         if self.serializer_class(context={"request": self.request})._should_include_groups:
             base_qs = base_qs.prefetch_related("ak_groups")
         return base_qs

authentik/core/models.py

@@ -186,29 +186,19 @@ class Group(SerializerModel):
         ]
 
 
-class UserQuerySet(models.QuerySet):
-    """User queryset"""
-
-    def exclude_anonymous(self):
-        """Exclude anonymous user"""
-        return self.exclude(**{User.USERNAME_FIELD: settings.ANONYMOUS_USER_NAME})
-
-
 class UserManager(DjangoUserManager):
     """User manager that doesn't assign is_superuser and is_staff"""
 
     def get_queryset(self):
         """Create special user queryset"""
-        return UserQuerySet(self.model, using=self._db)
+        return QuerySet(self.model, using=self._db).exclude(
+            **{User.USERNAME_FIELD: settings.ANONYMOUS_USER_NAME}
+        )
 
     def create_user(self, username, email=None, password=None, **extra_fields):
         """User manager that doesn't assign is_superuser and is_staff"""
         return self._create_user(username, email, password, **extra_fields)
 
-    def exclude_anonymous(self) -> QuerySet:
-        """Exclude anonymous user"""
-        return self.get_queryset().exclude_anonymous()
-
 
 class User(SerializerModel, GuardianUserMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""

authentik/enterprise/license.py

@@ -132,7 +132,7 @@ class LicenseKey:
     @staticmethod
     def base_user_qs() -> QuerySet:
         """Base query set for all users"""
-        return User.objects.all().exclude_anonymous().exclude(is_active=False)
+        return User.objects.all().exclude(is_active=False)
 
     @staticmethod
     def get_default_user_count():

authentik/providers/scim/models.py

@@ -49,7 +49,7 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
         if type == User:
             # Get queryset of all users with consistent ordering
             # according to the provider's settings
-            base = User.objects.all().exclude_anonymous()
+            base = User.objects.all()
             if self.exclude_users_service_account:
                 base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                     type=UserTypes.INTERNAL_SERVICE_ACCOUNT

authentik/providers/scim/tests/test_group.py

@@ -19,7 +19,7 @@ class SCIMGroupTests(TestCase):
     def setUp(self) -> None:
         # Delete all users and groups as the mocked HTTP responses only return one ID
         # which will cause errors with multiple users
-        User.objects.all().exclude_anonymous().delete()
+        User.objects.all().delete()
         Group.objects.all().delete()
         self.provider: SCIMProvider = SCIMProvider.objects.create(
             name=generate_id(),

authentik/providers/scim/tests/test_membership.py

@@ -21,7 +21,7 @@ class SCIMMembershipTests(TestCase):
     def setUp(self) -> None:
         # Delete all users and groups as the mocked HTTP responses only return one ID
         # which will cause errors with multiple users
-        User.objects.all().exclude_anonymous().delete()
+        User.objects.all().delete()
         Group.objects.all().delete()
         Tenant.objects.update(avatars="none")
 

authentik/providers/scim/tests/test_user.py

@@ -22,7 +22,7 @@ class SCIMUserTests(TestCase):
         # Delete all users and groups as the mocked HTTP responses only return one ID
         # which will cause errors with multiple users
         Tenant.objects.update(avatars="none")
-        User.objects.all().exclude_anonymous().delete()
+        User.objects.all().delete()
         Group.objects.all().delete()
         self.provider: SCIMProvider = SCIMProvider.objects.create(
             name=generate_id(),

tests/e2e/test_source_saml.py

@@ -161,7 +161,6 @@ class TestSourceSAML(SeleniumTestCase):
         self.assert_user(
             User.objects.exclude(username="akadmin")
             .exclude(username__startswith="ak-outpost")
-            .exclude_anonymous()
             .exclude(pk=self.user.pk)
             .first()
         )
@@ -244,7 +243,6 @@ class TestSourceSAML(SeleniumTestCase):
         self.assert_user(
             User.objects.exclude(username="akadmin")
             .exclude(username__startswith="ak-outpost")
-            .exclude_anonymous()
             .exclude(pk=self.user.pk)
             .first()
         )
@@ -314,7 +312,6 @@ class TestSourceSAML(SeleniumTestCase):
         self.assert_user(
             User.objects.exclude(username="akadmin")
             .exclude(username__startswith="ak-outpost")
-            .exclude_anonymous()
             .exclude(pk=self.user.pk)
             .first()
         )