refine permissions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
goauthentik · Nov 26, 2024 · 32684fe · 32684fe
1 parent fb05434
commit 32684fe
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/authentik/core/api/application_entitlements.py b/authentik/core/api/application_entitlements.py
@@ -1,17 +1,30 @@
 """Application Roles API Viewset"""
 
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import (
+    Application,
     ApplicationEntitlement,
+    User,
 )
 
 
 class ApplicationEntitlementSerializer(ModelSerializer):
     """ApplicationEntitlement Serializer"""
 
+    def validate_app(self, app: Application) -> Application:
+        """Ensure user has permission to view"""
+        user: User = self._context["request"].user
+        if user.has_perm("view_application", app) or user.has_perm(
+            "authentik_core.view_application"
+        ):
+            return app
+        raise ValidationError(_("User does not have access to application."), code="invalid")
+
     class Meta:
         model = ApplicationEntitlement
         fields = [

diff --git a/authentik/core/tests/test_application_entitlements.py b/authentik/core/tests/test_application_entitlements.py
@@ -1,5 +1,7 @@
 """Test Application Entitlements API"""
 
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Application, ApplicationEntitlement, Group
@@ -70,3 +72,45 @@ def test_negate_group(self):
         ents = self.user.app_entitlements(self.app)
         self.assertEqual(len(ents), 1)
         self.assertEqual(ents[0].name, ent.name)
+
+    def test_api_perms_global(self):
+        """Test API creation with global permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        assign_perm("authentik_core.view_application", self.user)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_api_perms_scoped(self):
+        """Test API creation with scoped permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        assign_perm("authentik_core.view_application", self.user, self.app)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_api_perms_missing(self):
+        """Test API creation with no permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})