diff --git a/apps/authentication/api/sso.py b/apps/authentication/api/sso.py
index 801a15a7d..7e6cd17db 100644
--- a/apps/authentication/api/sso.py
+++ b/apps/authentication/api/sso.py
@@ -14,7 +14,6 @@ from rest_framework.response import Response
 from authentication.errors import ACLError
 from common.api import JMSGenericViewSet
 from common.const.http import POST, GET
-from common.permissions import OnlySuperUser
 from common.serializers import EmptySerializer
 from common.utils import reverse, safe_next_url
 from common.utils.timezone import utc_now
@@ -38,8 +37,11 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
         'login_url': SSOTokenSerializer,
         'login': EmptySerializer
     }
+    rbac_perms = {
+        'login_url': 'authentication.add_ssotoken',
+    }
 
-    @action(methods=[POST], detail=False, permission_classes=[OnlySuperUser], url_path='login-url')
+    @action(methods=[POST], detail=False, url_path='login-url')
     def login_url(self, request, *args, **kwargs):
         if not settings.AUTH_SSO:
             raise SSOAuthClosed()
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index da3782944..1c81b05fe 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -24,7 +24,6 @@ exclude_permissions = (
     ('authentication', 'privatetoken', '*', '*'),
     ('authentication', 'connectiontoken', 'delete,change', 'connectiontoken'),
     ('authentication', 'connectiontoken', 'view', 'connectiontokensecret'),
-    ('authentication', 'ssotoken', '*', '*'),
     ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'),
     ('authentication', 'temptoken', 'delete', 'temptoken'),
     ('users', 'userpasswordhistory', '*', '*'),
@@ -156,6 +155,7 @@ only_system_permissions = (
     ('authentication', 'superconnectiontoken', '*', '*'),
     ('authentication', 'temptoken', '*', '*'),
     ('authentication', 'passkey', '*', '*'),
+    ('authentication', 'ssotoken', '*', '*'),
     ('tickets', '*', '*', '*'),
     ('orgs', 'organization', 'view', 'rootorg'),
     ('terminal', 'applet', '*', '*'),
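Review bot: The new `rbac_perms` binding widens who may call `login-url` from superusers only (the dropped `permission_classes=[OnlySuperUser]`) to any principal granted `authentication.add_ssotoken`, and nothing near the mapping records how sensitive that grant is. If `login_url` mints a token that logs its bearer in as the user named in the request (the method body continues outside the hunk, so this is inferred from the endpoint's name and serializer), the permission is effectively impersonation of arbitrary users and should be treated as admin-equivalent when roles are composed. Add a comment above the mapping, e.g. `# add_ssotoken lets the holder mint a login URL for another user (impersonation); grant only to admin-equivalent system roles`. It is also worth confirming that the `login` action, which is not listed in `rbac_perms`, still resolves to the permission the viewset intends for it now that no per-action `permission_classes` remain on this view.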
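Review bot: The `'*'` wildcard here makes every `ssotoken` action a system-scope permission, but only `add_ssotoken` is bound to a view in this patch; combined with the blanket exclusion removed earlier in the diff, `view_ssotoken`, `change_ssotoken` and `delete_ssotoken` become grantable with no visible consumer. Unused grantable permissions tend to accumulate in roles and obscure what a role actually allows. If those actions have no endpoint, keep them excluded with `('authentication', 'ssotoken', 'change,delete,view', 'ssotoken')` in `exclude_permissions`, the same selective form the `connectiontoken` entries use, so the grantable surface is exactly the one action the SSO view checks.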