core: prevent selecting a group as a parent of itself (#6016)

* core: prevent selecting a group as a parent of itself

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api error when no parent is given

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-06-20 20:21:58 +02:00 committed by GitHub
parent 5e30f46772
commit 93575a9966
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 0 deletions

View file

@ -1,5 +1,6 @@
"""Groups API Viewset"""
from json import loads
from typing import Optional
from django.db.models.query import QuerySet
from django.http import Http404
@ -52,6 +53,14 @@ class GroupSerializer(ModelSerializer):
num_pk = IntegerField(read_only=True)
def validate_parent(self, parent: Optional[Group]):
"""Validate group parent (if set), ensuring the parent isn't itself"""
if not self.instance or not parent:
return parent
if str(parent.group_uuid) == str(self.instance.group_uuid):
raise ValidationError("Cannot set group as parent of itself.")
return parent
class Meta:
model = Group
fields = [

View file

@ -67,3 +67,16 @@ class TestGroupsAPI(APITestCase):
},
)
self.assertEqual(res.status_code, 404)
def test_parent_self(self):
"""Test parent"""
group = Group.objects.create(name=generate_id())
self.client.force_login(self.admin)
res = self.client.patch(
reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
data={
"pk": self.user.pk + 3,
"parent": group.pk,
},
)
self.assertEqual(res.status_code, 400)

View file

@ -95,6 +95,9 @@ export class GroupForm extends ModelForm<Group, string> {
args.search = query;
}
const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
if (this.instance) {
return groups.results.filter((g) => g.pk !== this.instance?.pk);
}
return groups.results;
}}
.renderElement=${(group: Group): string => {