core: prevent selecting a group as a parent of itself (#6016)

* core: prevent selecting a group as a parent of itself Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix api error when no parent is given Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-20 20:21:58 +02:00 · 2023-06-20 20:21:58 +02:00 · 93575a9966
parent 5e30f46772
commit 93575a9966
3 changed files with 25 additions and 0 deletions
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -1,5 +1,6 @@
 """Groups API Viewset"""
 from json import loads
+from typing import Optional

 from django.db.models.query import QuerySet
 from django.http import Http404
@ -52,6 +53,14 @@ class GroupSerializer(ModelSerializer):

    num_pk = IntegerField(read_only=True)

+    def validate_parent(self, parent: Optional[Group]):
+        """Validate group parent (if set), ensuring the parent isn't itself"""
+        if not self.instance or not parent:
+            return parent
+        if str(parent.group_uuid) == str(self.instance.group_uuid):
+            raise ValidationError("Cannot set group as parent of itself.")
+        return parent
+
    class Meta:
        model = Group
        fields = [
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -67,3 +67,16 @@ class TestGroupsAPI(APITestCase):
            },
        )
        self.assertEqual(res.status_code, 404)
+
+    def test_parent_self(self):
+        """Test parent"""
+        group = Group.objects.create(name=generate_id())
+        self.client.force_login(self.admin)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={
+                "pk": self.user.pk + 3,
+                "parent": group.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 400)
--- a/web/src/admin/groups/GroupForm.ts
+++ b/web/src/admin/groups/GroupForm.ts
@ -95,6 +95,9 @@ export class GroupForm extends ModelForm<Group, string> {
                            args.search = query;
                        }
                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                        if (this.instance) {
+                            return groups.results.filter((g) => g.pk !== this.instance?.pk);
+                        }
                        return groups.results;
                    }}
                    .renderElement=${(group: Group): string => {