remove USER_ATTRIBUTE_DEBUG

Signed-off-by: Jens Langhammer <[email protected]>
goauthentik · Jan 16, 2025 · 5d28114 · 5d28114
1 parent b7c154c
commit 5d28114
Show file tree

Hide file tree

Showing 12 changed files with 84 additions and 29 deletions.
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
@@ -209,7 +209,7 @@ def check_access(self, request: Request, slug: str) -> Response:
     @extend_schema(
         parameters=[
             OpenApiParameter(
-                name="superuser_full_list",
+                name="list_rbac",
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.BOOL,
             ),
@@ -229,10 +229,8 @@ def list(self, request: Request) -> Response:
         """Custom list method that checks Policy based access instead of guardian"""
         should_cache = request.query_params.get("search", "") == ""
 
-        superuser_full_list = (
-            str(request.query_params.get("superuser_full_list", "false")).lower() == "true"
-        )
-        if superuser_full_list and request.user.is_superuser:
+        list_rbac = str(request.query_params.get("list_rbac", "false")).lower() == "true"
+        if list_rbac:
             return super().list(request)
 
         only_with_launch_url = str(

diff --git a/authentik/core/migrations/0042_alter_user_options.py b/authentik/core/migrations/0042_alter_user_options.py
@@ -0,0 +1,55 @@
+# Generated by Django 5.0.10 on 2025-01-08 17:39
+
+from django.db import migrations
+from django.apps.registry import Apps
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_user_debug_attribute(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from django.apps import apps as real_apps
+    from django.contrib.auth.management import create_permissions
+
+    User = apps.get_model("authentik_core", "User")
+    USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
+
+    # Permissions are only created _after_ migrations are run
+    # - https://github.com/django/django/blob/43cdfa8b20e567a801b7d0a09ec67ddd062d5ea4/django/contrib/auth/apps.py#L19
+    # - https://stackoverflow.com/a/72029063/1870445
+    create_permissions(real_apps.get_app_config("authentik_core"), using=db_alias)
+
+    Permission = apps.get_model("auth", "Permission")
+
+    new_prem = Permission.objects.using(db_alias).get(codename="user_view_debug")
+
+    db_alias = schema_editor.connection.alias
+    for user in User.objects.using(db_alias).filter(
+        **{f"attributes__{USER_ATTRIBUTE_DEBUG}": True}
+    ):
+        user.permissions.add(new_prem)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0041_applicationentitlement"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="user",
+            options={
+                "permissions": [
+                    ("reset_user_password", "Reset Password"),
+                    ("impersonate", "Can impersonate other users"),
+                    ("assign_user_permissions", "Can assign permissions to users"),
+                    ("unassign_user_permissions", "Can unassign permissions from users"),
+                    ("preview_user", "Can preview user data sent to providers"),
+                    ("view_user_applications", "View applications the user has access to"),
+                    ("user_view_debug", "User receives additional details for error messages"),
+                ],
+                "verbose_name": "User",
+                "verbose_name_plural": "Users",
+            },
+        ),
+        migrations.RunPython(migrate_user_debug_attribute),
+    ]
diff --git a/authentik/core/models.py b/authentik/core/models.py
@@ -41,7 +41,6 @@
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 
 LOGGER = get_logger()
-USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
 USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
 USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
@@ -282,6 +281,7 @@ class Meta:
             ("unassign_user_permissions", _("Can unassign permissions from users")),
             ("preview_user", _("Can preview user data sent to providers")),
             ("view_user_applications", _("View applications the user has access to")),
+            ("user_view_debug", _("User receives additional details for error messages")),
         ]
         indexes = [
             models.Index(fields=["last_login"]),

diff --git a/authentik/enterprise/providers/rac/api/endpoints.py b/authentik/enterprise/providers/rac/api/endpoints.py
@@ -96,7 +96,7 @@ def _get_allowed_endpoints(self, queryset: QuerySet) -> list[Endpoint]:
                 OpenApiTypes.STR,
             ),
             OpenApiParameter(
-                name="superuser_full_list",
+                name="list_rbac",
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.BOOL,
             ),
@@ -110,8 +110,8 @@ def list(self, request: Request, *args, **kwargs) -> Response:
         """List accessible endpoints"""
         should_cache = request.GET.get("search", "") == ""
 
-        superuser_full_list = str(request.GET.get("superuser_full_list", "false")).lower() == "true"
-        if superuser_full_list and request.user.is_superuser:
+        list_rbac = str(request.GET.get("list_rbac", "false")).lower() == "true"
+        if list_rbac:
             return super().list(request)
 
         queryset = self._filter_queryset_for_list(self.get_queryset())

diff --git a/authentik/flows/challenge.py b/authentik/flows/challenge.py
@@ -97,12 +97,9 @@ def __init__(self, request: Request | None = None, error: Exception | None = Non
         if not request or not error:
             return
         self.initial_data["request_id"] = request.request_id
-        from authentik.core.models import USER_ATTRIBUTE_DEBUG
 
         if request.user and request.user.is_authenticated:
-            if request.user.is_superuser or request.user.group_attributes(request).get(
-                USER_ATTRIBUTE_DEBUG, False
-            ):
+            if request.user.has_perm("authentik_core.user_view_debug"):
                 self.initial_data["error"] = str(error)
                 self.initial_data["traceback"] = exception_to_string(error)
 

diff --git a/authentik/policies/denied.py b/authentik/policies/denied.py
@@ -7,7 +7,7 @@
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
-from authentik.core.models import USER_ATTRIBUTE_DEBUG
+from authentik.core.models import User
 from authentik.policies.types import PolicyResult
 
 
@@ -31,12 +31,11 @@ def resolve_context(self, context: dict[str, Any] | None) -> dict[str, Any] | No
         if self.error_message:
             context["error"] = self.error_message
         # Only show policy result if user is authenticated and
-        # either superuser or has USER_ATTRIBUTE_DEBUG set
+        # has permissions to see them
         if self.policy_result:
             if self._request.user and self._request.user.is_authenticated:
-                if self._request.user.is_superuser or self._request.user.group_attributes(
-                    self._request
-                ).get(USER_ATTRIBUTE_DEBUG, False):
+                user: User = self._request.user
+                if user.has_perm("authentik_core.user_view_debug"):
                     context["policy_result"] = self.policy_result
         context["cancel"] = reverse("authentik_flows:cancel")
         return context
diff --git a/blueprints/schema.json b/blueprints/schema.json
@@ -6445,6 +6445,7 @@
                             "authentik_core.remove_user_from_group",
                             "authentik_core.reset_user_password",
                             "authentik_core.unassign_user_permissions",
+                            "authentik_core.user_view_debug",
                             "authentik_core.view_application",
                             "authentik_core.view_applicationentitlement",
                             "authentik_core.view_authenticatedsession",
@@ -12694,6 +12695,7 @@
                             "authentik_core.remove_user_from_group",
                             "authentik_core.reset_user_password",
                             "authentik_core.unassign_user_permissions",
+                            "authentik_core.user_view_debug",
                             "authentik_core.view_application",
                             "authentik_core.view_applicationentitlement",
                             "authentik_core.view_authenticatedsession",
@@ -13202,6 +13204,7 @@
                             "unassign_user_permissions",
                             "preview_user",
                             "view_user_applications",
+                            "user_view_debug",
                             "add_user",
                             "change_user",
                             "delete_user",

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,6 +4,9 @@ version = "2024.12.2"
 description = ""
 authors = ["authentik Team <[email protected]>"]
 
+[tool.poetry.requires-plugins]
+poetry-plugin-export = ">1.8"
+
 [tool.black]
 line-length = 100
 target-version = ['py312']

diff --git a/schema.yml b/schema.yml
@@ -3391,6 +3391,10 @@ paths:
         name: group
         schema:
           type: string
+      - in: query
+        name: list_rbac
+        schema:
+          type: boolean
       - in: query
         name: meta_description
         schema:
@@ -3439,10 +3443,6 @@ paths:
         name: slug
         schema:
           type: string
-      - in: query
-        name: superuser_full_list
-        schema:
-          type: boolean
       tags:
       - core
       security:
@@ -23204,6 +23204,10 @@ paths:
       operationId: rac_endpoints_list
       description: List accessible endpoints
       parameters:
+      - in: query
+        name: list_rbac
+        schema:
+          type: boolean
       - in: query
         name: name
         schema:
@@ -23234,10 +23238,6 @@ paths:
         name: search
         schema:
           type: string
-      - in: query
-        name: superuser_full_list
-        schema:
-          type: boolean
       tags:
       - rac
       security:

diff --git a/web/src/admin/applications/ApplicationListPage.ts b/web/src/admin/applications/ApplicationListPage.ts
@@ -66,7 +66,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
     async apiEndpoint(): Promise<PaginatedResponse<Application>> {
         return new CoreApi(DEFAULT_CONFIG).coreApplicationsList({
             ...(await this.defaultEndpointConfig()),
-            superuserFullList: true,
+            listRbac: true,
         });
     }
 

diff --git a/web/src/admin/brands/BrandForm.ts b/web/src/admin/brands/BrandForm.ts
@@ -156,7 +156,7 @@ export class BrandForm extends ModelForm<Brand, string> {
                             .fetchObjects=${async (query?: string): Promise<Application[]> => {
                                 const args: CoreApplicationsListRequest = {
                                     ordering: "name",
-                                    superuserFullList: true,
+                                    listRbac: true,
                                 };
                                 if (query !== undefined) {
                                     args.search = query;

diff --git a/web/src/admin/providers/rac/EndpointList.ts b/web/src/admin/providers/rac/EndpointList.ts
@@ -46,7 +46,7 @@ export class EndpointListPage extends Table<Endpoint> {
         return new RacApi(DEFAULT_CONFIG).racEndpointsList({
             ...(await this.defaultEndpointConfig()),
             provider: this.provider?.pk,
-            superuserFullList: true,
+            listRbac: true,
         });
     }