From c718b4a1f295471fb7eb032b86423627a7360866 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Sat, 25 Jan 2025 00:38:31 +0000
Subject: [PATCH] rbac: exclude permissions for internal models (#12803)
Signed-off-by: Jens Langhammer
---
 authentik/rbac/api/rbac.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/authentik/rbac/api/rbac.py b/authentik/rbac/api/rbac.py
index 9e6a2517f326..135d69cd248e 100644
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@@ -2,7 +2,7 @@
 from django.apps import apps
 from django.contrib.auth.models import Permission
-from django.db.models import QuerySet
+from django.db.models import Q, QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
 from django_filters.rest_framework import DjangoFilterBackend
@@ -18,6 +18,7 @@ from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet
+from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
@@ -105,13 +106,13 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
     ]
     def get_queryset(self) -> QuerySet:
-        return (
-            Permission.objects.all()
-            .select_related("content_type")
-            .filter(
-                content_type__app_label__startswith="authentik",
+        query = Q()
+        for model in excluded_models():
+            query |= Q(
+                content_type__app_label=model._meta.app_label,
+                content_type__model=model._meta.model_name,
             )
-        )
+        return Permission.objects.all().select_related("content_type").exclude(query)
 class PermissionAssignSerializer(PassiveSerializer):
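Review bot: `get_queryset` silently drops the `content_type__app_label__startswith="authentik"` scoping together with the old filter, so the new return line exposes permissions of every installed app (Django contrib, third-party packages), not just the internal-model exclusions the commit title describes; if this read-only queryset is what the RBAC UI offers for assignment, that presumably widens what can be granted to users and roles. Unless `excluded_models()` is known to cover every non-authentik model (it is defined in the blueprint importer for export/import purposes, not for RBAC scoping), keep the app-label restriction alongside the exclusion: `return Permission.objects.select_related("content_type").filter(content_type__app_label__startswith="authentik").exclude(query)`. If widening the scope is intentional, a one-line comment above the return such as `# Intentionally not limited to authentik apps; only blueprint-excluded models are hidden` would stop the next reader from re-adding the filter. The enclosing class `RBACPermissionViewSet` starts outside the hunk.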