diff --git a/apps/authentication/api/sso.py b/apps/authentication/api/sso.py
index 801a15a7d..bb0aedbb7 100644
--- a/apps/authentication/api/sso.py
+++ b/apps/authentication/api/sso.py
@@ -14,7 +14,6 @@ from rest_framework.response import Response
 from authentication.errors import ACLError
 from common.api import JMSGenericViewSet
 from common.const.http import POST, GET
-from common.permissions import OnlySuperUser
 from common.serializers import EmptySerializer
 from common.utils import reverse, safe_next_url
 from common.utils.timezone import utc_now
@@ -38,8 +37,11 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
 'login_url': SSOTokenSerializer,
 'login': EmptySerializer
 }
-
- @action(methods=[POST], detail=False, permission_classes=[OnlySuperUser], url_path='login-url')
+ rbac_perms = {
+ 'login_url': 'authentication.add_ssotoken',
+ }
+
+ @action(methods=[POST], detail=False, url_path='login-url')
 def login_url(self, request, *args, **kwargs):
 if not settings.AUTH_SSO:
 raise SSOAuthClosed()
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index c47c22dba..172682924 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -24,7 +24,7 @@ exclude_permissions = (
 ('authentication', 'privatetoken', '*', '*'),
 ('authentication', 'connectiontoken', 'delete,change', 'connectiontoken'),
 ('authentication', 'connectiontoken', 'view', 'connectiontokensecret'),
- ('authentication', 'ssotoken', '*', '*'),
+ ('authentication', 'ssotoken', 'change,delete', 'ssotoken'),
 ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'),
 ('authentication', 'temptoken', 'delete', 'temptoken'),
 ('users', 'userpasswordhistory', '*', '*'),
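Review bot: The new `rbac_perms` entry binds `login_url` to `authentication.add_ssotoken`, but nothing at the definition tells the next maintainer or role administrator what that permission actually buys: if `SSOTokenSerializer` takes a target username, as its use on a login-URL endpoint suggests, the holder can mint a login URL for another account, which is an impersonation capability that the removed `OnlySuperUser` check used to reserve for superusers. Since RBAC grants are configurable where `OnlySuperUser` was not, the hunk should carry a warning next to the mapping, e.g. `# add_ssotoken mints a login token for another user — effectively an impersonation privilege; grant with superuser-level care.`. It is also worth confirming that the `login` action, which is not listed in `rbac_perms`, keeps the permission class it relied on before this change rather than falling back to whatever the RBAC default is. The body of `login_url` continues past the end of the hunk.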
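Review bot: Narrowing the `ssotoken` exclusion to `change,delete` makes `view_ssotoken` grantable alongside the `add_ssotoken` that the SSO view now requires, yet nothing in this diff consumes the view permission. If no endpoint checks it, it is a dead-but-grantable codename in role assignment; if some endpoint does list `SSOToken` rows, granting it would expose login tokens, so unless such a consumer exists the exclusion should stay as tight as the change needs: `('authentication', 'ssotoken', 'change,delete,view', 'ssotoken'),`. That a third comma-separated action is accepted is inferred from the neighbouring `'delete,change'` entries, so verify the loader handles it the same way.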
@@ -148,6 +148,7 @@ only_system_permissions = (
 ('authentication', 'superconnectiontoken', '*', '*'),
 ('authentication', 'temptoken', '*', '*'),
 ('authentication', 'passkey', '*', '*'),
+ ('authentication', 'ssotoken', '*', '*'),
 ('tickets', '*', '*', '*'),
 ('orgs', 'organization', 'view', 'rootorg'),
 ('terminal', 'applet', '*', '*'),