core: fix CheckApplication's for_user flag not being checked correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-07-25 22:29:15 +02:00
parent 669329e49c
commit 5615613ed1
1 changed files with 6 additions and 6 deletions


@ -114,23 +114,23 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
}, },
) )
@action(detail=True, methods=["GET"]) @action(detail=True, methods=["GET"])
# pylint: disable=unused-argument
def check_access(self, request: Request, slug: str) -> Response: def check_access(self, request: Request, slug: str) -> Response:
"""Check access to a single application by slug""" """Check access to a single application by slug"""
# Don't use self.get_object as that checks for view_application permission # Don't use self.get_object as that checks for view_application permission
# which the user might not have, even if they have access # which the user might not have, even if they have access
application = get_object_or_404(Application, slug=slug) application = get_object_or_404(Application, slug=slug)
# If the current user is superuser, they can set `for_user` # If the current user is superuser, they can set `for_user`
for_user = self.request.user for_user = request.user
if self.request.user.is_superuser and "for_user" in request.data: if request.user.is_superuser and "for_user" in request.query_params:
for_user = get_object_or_404(User, pk=request.data.get("for_user")) for_user = get_object_or_404(User, pk=request.query_params.get("for_user"))
engine = PolicyEngine(application, for_user, self.request) engine = PolicyEngine(application, for_user, request)
engine.use_cache = False
engine.build() engine.build()
result = engine.result result = engine.result
response = PolicyTestResultSerializer(PolicyResult(False)) response = PolicyTestResultSerializer(PolicyResult(False))
if result.passing: if result.passing:
response = PolicyTestResultSerializer(PolicyResult(True)) response = PolicyTestResultSerializer(PolicyResult(True))
if self.request.user.is_superuser: if request.user.is_superuser:
response = PolicyTestResultSerializer(result) response = PolicyTestResultSerializer(result)
return Response(response.data) return Response(response.data)
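Review bot: The `for_user` query parameter reaches `get_object_or_404(User, pk=request.query_params.get("for_user"))` as a raw string, so a non-numeric value such as `?for_user=abc` will presumably raise `ValueError` inside the ORM (assuming `User` has an integer primary key) and surface as a 500 rather than a client error. Wrapping that lookup in `try:` / `except ValueError:` and returning `Response(status=400)` would reject malformed input cleanly. A non-superuser who sends `for_user` silently gets a result for their own account; a comment at the `is_superuser` check would make that intent explicit, e.g. `# for_user from non-superusers is ignored on purpose; the check runs as the caller`. `PolicyEngine` still receives the superuser's `request`, so any policy that inspects request context would, as far as this hunk shows, be evaluated with the admin's context rather than the target user's; the docstring should say so. Because the old code read `request.data` on a GET and so never honoured the flag, a regression test that calls the endpoint as a superuser with `?for_user=<pk>` and asserts the result reflects the target user would be worth adding to this commit.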