Merge branch 'main' into core/allow-token-for-other-user

core: allow creating tokens for other user without superuser
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-05 22:52:42 +02:00 · 2026-04-28 09:17:30 -07:00 · 2025-08-18 14:16:23 +01:00
1 changed files with 6 additions and 1 deletions
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -2,6 +2,7 @@

 from typing import Any

+from django.http import HttpRequest
 from django.utils.timezone import now
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
@@ -46,6 +47,11 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
        if self.instance and self.instance.user_id:
            if user.pk != self.instance.user_id:
                raise ValidationError("User cannot be changed")
+        request: HttpRequest = self.context.get("request")
+        if not request.user.has_perm("change_user", user) and not request.user.has_perm(
+            "authentik_core.change_user"
+        ):
+            raise ValidationError("Cannot create token for this user")
        return user

    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
@@ -148,7 +154,6 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
    def perform_create(self, serializer: TokenSerializer):
        if not self.request.user.is_superuser:
            instance = serializer.save(
-                user=self.request.user,
                expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
            )
            self.request.user.assign_perms_to_managed_role(
Author	SHA1	Message	Date
Fletcher Heisler	f815efc5e2	Merge branch 'main' into core/allow-token-for-other-user	2026-04-28 09:17:30 -07:00
Jens Langhammer	1b99ec8ac5	core: allow creating tokens for other user without superuser Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-08-18 14:16:23 +01:00