revert: rbac: exclude permissions for internal models (#12803)

[BeryJu]

This reverts commit e08ccf4.

Details

revert #12803

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	d23eb6b
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/67b72b7cc3fa5d0008ac1487

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	d23eb6b
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/67b72b7c79284d0008f12f6f

[codecov]

❌ 1 Tests Failed:

Tests completed	Failed	Passed	Skipped
1711	1	1710	2

View the full list of 1 ❄️ flaky tests

authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage::test_session_management

Flake rate in main: 15.69% (Passed 43 times, Failed 8 times)

Stack Traces | 1.02s run time

self = <unittest.case._Outcome object at 0x7fa2bc3a2780>
test_case = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
subTest = False

    @contextlib.contextmanager
    def testPartExecutor(self, test_case, subTest=False):
        old_success = self.success
        self.success = True
        try:
>           yield

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:58: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
result = <TestCaseFunction test_session_management>

    def run(self, result=None):
        if result is None:
            result = self.defaultTestResult()
            startTestRun = getattr(result, 'startTestRun', None)
            stopTestRun = getattr(result, 'stopTestRun', None)
            if startTestRun is not None:
                startTestRun()
        else:
            stopTestRun = None
    
        result.startTest(self)
        try:
            testMethod = getattr(self, self._testMethodName)
            if (getattr(self.__class__, "__unittest_skip__", False) or
                getattr(testMethod, "__unittest_skip__", False)):
                # If the class or method was skipped.
                skip_why = (getattr(self.__class__, '__unittest_skip_why__', '')
                            or getattr(testMethod, '__unittest_skip_why__', ''))
                _addSkip(result, self, skip_why)
                return result
    
            expecting_failure = (
                getattr(self, "__unittest_expecting_failure__", False) or
                getattr(testMethod, "__unittest_expecting_failure__", False)
            )
            outcome = _Outcome(result)
            start_time = time.perf_counter()
            try:
                self._outcome = outcome
    
                with outcome.testPartExecutor(self):
                    self._callSetUp()
                if outcome.success:
                    outcome.expecting_failure = expecting_failure
                    with outcome.testPartExecutor(self):
>                       self._callTestMethod(testMethod)

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:634: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
method = <bound method TestAuthenticatorEmailStage.test_session_management of <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>>

    def _callTestMethod(self, method):
>       if method() is not None:

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:589: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>

    def test_session_management(self):
        """Test session device management"""
        # Test device creation in session
        with patch(
            "authentik.stages.authenticator_email.models.AuthenticatorEmailStage.backend_class",
            PropertyMock(return_value=EmailBackend),
        ):
            # Delete any existing devices for this test
            EmailDevice.objects.filter(user=self.user).delete()
    
            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            )
            self.assertIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)
            device = self.client.session[SESSION_KEY_EMAIL_DEVICE]
            self.assertIsInstance(device, EmailDevice)
            self.assertFalse(device.confirmed)
            self.assertEqual(device.user, self.user)
    
            # Test device confirmation and cleanup
            device.confirmed = True
            device.email = "new_test@authentik.local"  # Use a different email
            self.client.session[SESSION_KEY_EMAIL_DEVICE] = device
            self.client.session.save()
            response = self.client.post(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                data={"component": "ak-stage-authenticator-email", "code": device.token},
            )
            self.assertEqual(response.status_code, 200)
            self.assertTrue(device.confirmed)
            # Session key should be removed after device is saved
            device.save()
>           self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)

.../stages/authenticator_email/tests.py:305: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
member = '.../stages/authenticator_email/email_device'
container = <django.contrib.sessions.backends.cache.SessionStore object at 0x7fa2bc6ffa40>
msg = None

    def assertNotIn(self, member, container, msg=None):
        """Just like self.assertTrue(a not in b), but with a nicer default message."""
        if member in container:
            standardMsg = '%s unexpectedly found in %s' % (safe_repr(member),
                                                        safe_repr(container))
>           self.fail(self._formatMessage(msg, standardMsg))

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:1159: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.authenticator_email.tests.TestAuthenticatorEmailStage testMethod=test_session_management>
msg = "'.../stages/authenticator_email/email_device' unexpectedly found in <django.contrib.sessions.backends.cache.SessionStore object at 0x7fa2bc6ffa40>"

    def fail(self, msg=None):
        """Fail immediately, with the given message."""
>       raise self.failureException(msg)
E       AssertionError: '.../stages/authenticator_email/email_device' unexpectedly found in <django.contrib.sessions.backends.cache.SessionStore object at 0x7fa2bc6ffa40>

.../hostedtoolcache/Python/3.12.9.............../x64/lib/python3.12/unittest/case.py:715: AssertionError

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-d23eb6b38cd76ffc26a17fe6ae6bdc484db045d0
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-d23eb6b38cd76ffc26a17fe6ae6bdc484db045d0

Afterwards, run the upgrade commands from the latest release notes.

[BeryJu]

/cherry-pick version-2025.2