api: cleanup args for @permission_required

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/api/decorators.py

@@ -7,7 +7,9 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
 
-def permission_required(perm: Optional[str] = None, *other_perms: str):
+def permission_required(
+    perm: Optional[str] = None, other_perms: Optional[list[str]] = None
+):
     """Check permissions for a single custom action"""
 
     def wrapper_outter(func: Callable):
@@ -19,6 +21,7 @@ def permission_required(perm: Optional[str] = None, *other_perms: str):
                 obj = self.get_object()
                 if not request.user.has_perm(perm, obj):
                     return self.permission_denied(request)
+            if other_perms:
                 for other_perm in other_perms:
                     if not request.user.has_perm(other_perm):
                         return self.permission_denied(request)

authentik/core/api/users.py

@@ -131,7 +131,7 @@ class UserViewSet(ModelViewSet):
         serializer.is_valid()
         return Response(serializer.data)
 
-    @permission_required("authentik_core.view_user", "authentik_events.view_event")
+    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
     @swagger_auto_schema(responses={200: UserMetricsSerializer(many=False)})
     @action(detail=False)
     def metrics(self, request: Request) -> Response:

authentik/crypto/api.py

@@ -113,7 +113,7 @@ class CertificateKeyPairViewSet(ModelViewSet):
     queryset = CertificateKeyPair.objects.all()
     serializer_class = CertificateKeyPairSerializer
 
-    @permission_required(None, "authentik_crypto.add_certificatekeypair")
+    @permission_required(None, ["authentik_crypto.add_certificatekeypair"])
     @swagger_auto_schema(
         request_body=CertificateGenerationSerializer(),
         responses={200: CertificateKeyPairSerializer},