AWX oauth2 provider /user/:pk/personal_tokens/ always returns tokens for the current user regardless of the specified PK

[relrod]

Please confirm the following

• [X] I agree to follow this project's code of conduct.
• [X] I have checked the current issues for duplicates.
• [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
• [X] I am NOT reporting a (potential) security vulnerability. (These should be emailed to security@ansible.com instead.)

Bug Summary

Found this while reading the code working on the DAB oauth implementation.

AWX version

devel

Select the relevant components

• [ ] UI
• [ ] UI (tech preview)
• [X] API
• [ ] Docs
• [ ] Collection
• [ ] CLI
• [ ] Other

Installation method

N/A

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

• Have a user which sets up some personal access tokens (i.e. oauth2 tokens with a null FK to Application)
• As the user go to /api/v2/users/PK/personal_tokens/
• Or as an admin go to a/pi/v2/users/PK/personal_tokens/ and you'll see the admin's tokens instead

Expected results

The user with the given PK's tokens (if I have permission to see them)

Actual results

My own tokens

Additional information

No response

[relrod]

class UserPersonalTokenList(SubListCreateAPIView):
    # [...]

    def get_queryset(self):
        return get_access_token_model().objects.filter(application__isnull=True, user=self.request.user)

We filter on the request user always, even though the route allows for a PK.

[TheRealHaoLiu]

assigned to @relrod

[relrod]

assigned to @TheRealHaoLiu :rofl: