use permissions for settings api

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2023-12-20 11:08:17 +01:00 · 2023-12-20 11:08:17 +01:00 · 9fd8cedbfa
parent 951f9ce043
commit 9fd8cedbfa
3 changed files with 42 additions and 2 deletions
--- a/authentik/rbac/migrations/0003_alter_systempermission_options.py
+++ b/authentik/rbac/migrations/0003_alter_systempermission_options.py
@ -0,0 +1,29 @@
+# Generated by Django 4.2.8 on 2023-12-20 10:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_rbac", "0002_systempermission"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="systempermission",
+            options={
+                "default_permissions": (),
+                "managed": False,
+                "permissions": [
+                    ("view_system_info", "Can view system info"),
+                    ("view_system_tasks", "Can view system tasks"),
+                    ("run_system_tasks", "Can run system tasks"),
+                    ("access_admin_interface", "Can access admin interface"),
+                    ("view_system_settings", "Can view system settings"),
+                    ("edit_system_settings", "Can edit system settings"),
+                ],
+                "verbose_name": "System permission",
+                "verbose_name_plural": "System permissions",
+            },
+        ),
+    ]
--- a/authentik/rbac/models.py
+++ b/authentik/rbac/models.py
@ -70,4 +70,6 @@ class SystemPermission(models.Model):
            ("view_system_tasks", _("Can view system tasks")),
            ("run_system_tasks", _("Can run system tasks")),
            ("access_admin_interface", _("Can access admin interface")),
+            ("view_system_settings", _("Can view system settings")),
+            ("edit_system_settings", _("Can edit system settings")),
        ]
--- a/authentik/tenants/api.py
+++ b/authentik/tenants/api.py
@ -6,7 +6,7 @@ from rest_framework import permissions
 from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.generics import RetrieveUpdateAPIView
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import SAFE_METHODS, IsAdminUser
 from rest_framework.request import Request
 from rest_framework.serializers import ModelSerializer
 from rest_framework.views import View
@ -14,6 +14,7 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.api.authentication import validate_auth
 from authentik.lib.config import CONFIG
+from authentik.rbac.permissions import HasPermission
 from authentik.tenants.models import Domain, Tenant


@ -117,9 +118,17 @@ class SettingsView(RetrieveUpdateAPIView):

    queryset = Tenant.objects.filter(ready=True)
    serializer_class = SettingsSerializer
-    permission_classes = [IsAdminUser]
    filter_backends = []

+    def get_permissions(self):
+        return [
+            HasPermission(
+                "authentik_rbac.view_system_settings"
+                if self.request.method in SAFE_METHODS
+                else "authentik_rbac.edit_system_settings"
+            )()
+        ]
+
    def get_object(self):
        obj = self.request.tenant
        self.check_object_permissions(self.request, obj)