api: allow @permission_required with no object permission

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-03-29 17:28:28 +02:00 · 2021-03-29 17:28:28 +02:00 · 5d37012075
parent a9db538c63
commit 5d37012075
1 changed files with 6 additions and 5 deletions
--- a/authentik/api/decorators.py
+++ b/authentik/api/decorators.py
@ -1,13 +1,13 @@
 """API Decorators"""
 from functools import wraps
-from typing import Callable
+from typing import Callable, Optional

 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet


-def permission_required(perm: str, *other_perms: str):
+def permission_required(perm: Optional[str] = None, *other_perms: str):
    """Check permissions for a single custom action"""

    def wrapper_outter(func: Callable):
@ -15,9 +15,10 @@ def permission_required(perm: str, *other_perms: str):

        @wraps(func)
        def wrapper(self: ModelViewSet, request: Request, *args, **kwargs) -> Response:
-            obj = self.get_object()
-            if not request.user.has_perm(perm, obj):
-                return self.permission_denied(request)
+            if perm:
+                obj = self.get_object()
+                if not request.user.has_perm(perm, obj):
+                    return self.permission_denied(request)
            for other_perm in other_perms:
                if not request.user.has_perm(other_perm):
                    return self.permission_denied(request)