Open relrod opened 2 weeks ago
class UserPersonalTokenList(SubListCreateAPIView):
    # [...]
    def get_queryset(self):
        return get_access_token_model().objects.filter(application__isnull=True, user=self.request.user)
We filter on the request user always, even though the route allows for a PK.
assigned to @relrod
assigned to @TheRealHaoLiu :rofl:
Bug Summary
Found this while reading the code working on the DAB oauth implementation.
AWX version
devel
Select the relevant components
Installation method
N/A
Modifications
no
Ansible version
No response
Operating system
No response
Web browser
No response
Steps to reproduce
Expected results
The user with the given PK's tokens (if I have permission to see them)
Actual results
My own tokens
Additional information
No response
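The behaviour reported above, modelled in plain Python as an added example (not AWX code and not part of the original report). All names, the sample tokens and the `can_read_user` permission rule are assumptions made for illustration; the second function follows the issue's "Expected results", and `route_pk_ignored` is a regression-style check that flags a view whose output does not depend on the PK in the route.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    pk: int
    is_superuser: bool = False

@dataclass(frozen=True)
class Token:
    id: int
    user_pk: int
    application: Optional[str]  # None marks a personal token (application__isnull=True)

# Constructed sample data, not taken from any real deployment.
ADMIN, ALICE, BOB = User(1, is_superuser=True), User(2), User(3)
TOKENS = [Token(10, 2, None), Token(11, 2, "cli-app"), Token(12, 3, None), Token(13, 1, None)]

def can_read_user(requester: User, target_pk: int) -> bool:
    # Assumed rule for this sketch: superusers and the user themselves.
    return requester.is_superuser or requester.pk == target_pk

def tokens_as_reported(requester: User, url_pk: int) -> list:
    # Same shape as the filter in the issue: url_pk is never consulted.
    return [t.id for t in TOKENS if t.application is None and t.user_pk == requester.pk]

def tokens_scoped_to_route(requester: User, url_pk: int) -> list:
    # Matches the issue's "Expected results": check access, then filter on the PK.
    if not can_read_user(requester, url_pk):
        raise PermissionError(f"user {requester.pk} may not read tokens of user {url_pk}")
    return [t.id for t in TOKENS if t.application is None and t.user_pk == url_pk]

def route_pk_ignored(view, requester: User, pk_a: int, pk_b: int) -> bool:
    # Regression check: two users with different tokens must not yield the same list.
    return view(requester, pk_a) == view(requester, pk_b)

if __name__ == "__main__":
    for view in (tokens_as_reported, tokens_scoped_to_route):
        print(view.__name__, "admin->bob:", view(ADMIN, BOB.pk),
              "pk ignored:", route_pk_ignored(view, ADMIN, ALICE.pk, BOB.pk))
```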