rbac: generate blueprint schema permissions from defined models not DB (

#10962) Signed-off-by: Jens Langhammer <[email protected]>
goauthentik · Aug 19, 2024 · eb5842f · eb5842f
1 parent 19e1db3
commit eb5842f
Show file tree

Hide file tree

Showing 2 changed files with 426 additions and 428 deletions.
diff --git a/authentik/rbac/models.py b/authentik/rbac/models.py
@@ -2,36 +2,34 @@
 
 from uuid import uuid4
 
-from django.contrib.auth.models import Permission
+from django.contrib.auth.management import _get_all_permissions
 from django.db import models
 from django.db.transaction import atomic
 from django.utils.translation import gettext_lazy as _
 from guardian.shortcuts import assign_perm
 from rest_framework.serializers import BaseSerializer
 
 from authentik.lib.models import SerializerModel
-
-
-def get_permissions():
-    return (
-        Permission.objects.all()
-        .select_related("content_type")
-        .filter(
-            content_type__app_label__startswith="authentik",
-        )
+from authentik.lib.utils.reflection import get_apps
+
+
+def get_permission_choices():
+    all_perms = []
+    for app in get_apps():
+        for model in app.get_models():
+            for perm, _desc in _get_all_permissions(model._meta):
+                all_perms.append((model, perm))
+    return sorted(
+        [
+            (
+                f"{model._meta.app_label}.{perm}",
+                f"{model._meta.app_label}.{perm}",
+            )
+            for model, perm in all_perms
+        ]
     )
 
 
-def get_permission_choices() -> list[tuple[str, str]]:
-    return [
-        (
-            f"{x.content_type.app_label}.{x.codename}",
-            f"{x.content_type.app_label}.{x.codename}",
-        )
-        for x in get_permissions()
-    ]
-
-
 class Role(SerializerModel):
     """RBAC role, which can have different permissions (both global and per-object) attached
     to it."""