rbac: exclude permissions for internal models (#12803)

Signed-off-by: Jens Langhammer <[email protected]>
goauthentik · Jan 25, 2025 · c718b4a · c718b4a
1 parent 349572b
commit c718b4a
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/authentik/rbac/api/rbac.py b/authentik/rbac/api/rbac.py
@@ -2,7 +2,7 @@
 
 from django.apps import apps
 from django.contrib.auth.models import Permission
-from django.db.models import QuerySet
+from django.db.models import Q, QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
 from django_filters.rest_framework import DjangoFilterBackend
@@ -18,6 +18,7 @@
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet
 
+from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
@@ -105,13 +106,13 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
     ]
 
     def get_queryset(self) -> QuerySet:
-        return (
-            Permission.objects.all()
-            .select_related("content_type")
-            .filter(
-                content_type__app_label__startswith="authentik",
+        query = Q()
+        for model in excluded_models():
+            query |= Q(
+                content_type__app_label=model._meta.app_label,
+                content_type__model=model._meta.model_name,
             )
-        )
+        return Permission.objects.all().select_related("content_type").exclude(query)
 
 
 class PermissionAssignSerializer(PassiveSerializer):