providers/rac: fixes prompt data not being merged with connection_settings (cherry-pick #15037)

[gcp-cherry-pick-bot]

Cherry-picked providers/rac: fixes prompt data not being merged with connection_settings (#15037)

• Fixes line that pulls in prompt data

• fallback to old settings

Signed-off-by: Jens Langhammer jens@goauthentik.io

---

Signed-off-by: Jens Langhammer jens@goauthentik.io
Co-authored-by: Jens Langhammer jens@goauthentik.io

[netlify]

❌ Deploy Preview for authentik-docs failed. Why did it fail? →

Name	Link
🔨 Latest commit	42a27d1
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/684c585c05686900087c185b

[codecov]

❌ 6 Tests Failed:

Tests completed	Failed	Passed	Skipped
1810	6	1804	2

View the top 3 failed test(s) by shortest run time

authentik.core.tests.test_source_api.TestSourceAPI::test_builtin_source_used_by

Stack Traces | 0.624s run time

self = <unittest.case._Outcome object at 0x7fc388372350>
test_case = <authentik.core.tests.test_source_api.TestSourceAPI testMethod=test_builtin_source_used_by>
subTest = False

    @contextlib.contextmanager
    def testPartExecutor(self, test_case, subTest=False):
        old_success = self.success
        self.success = True
        try:
>           yield

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:58: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_source_api.TestSourceAPI testMethod=test_builtin_source_used_by>
result = <TestCaseFunction test_builtin_source_used_by>

    def run(self, result=None):
        if result is None:
            result = self.defaultTestResult()
            startTestRun = getattr(result, 'startTestRun', None)
            stopTestRun = getattr(result, 'stopTestRun', None)
            if startTestRun is not None:
                startTestRun()
        else:
            stopTestRun = None
    
        result.startTest(self)
        try:
            testMethod = getattr(self, self._testMethodName)
            if (getattr(self.__class__, "__unittest_skip__", False) or
                getattr(testMethod, "__unittest_skip__", False)):
                # If the class or method was skipped.
                skip_why = (getattr(self.__class__, '__unittest_skip_why__', '')
                            or getattr(testMethod, '__unittest_skip_why__', ''))
                _addSkip(result, self, skip_why)
                return result
    
            expecting_failure = (
                getattr(self, "__unittest_expecting_failure__", False) or
                getattr(testMethod, "__unittest_expecting_failure__", False)
            )
            outcome = _Outcome(result)
            start_time = time.perf_counter()
            try:
                self._outcome = outcome
    
                with outcome.testPartExecutor(self):
                    self._callSetUp()
                if outcome.success:
                    outcome.expecting_failure = expecting_failure
                    with outcome.testPartExecutor(self):
>                       self._callTestMethod(testMethod)

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:651: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_source_api.TestSourceAPI testMethod=test_builtin_source_used_by>
method = <bound method TestSourceAPI.test_builtin_source_used_by of <authentik.core.tests.test_source_api.TestSourceAPI testMethod=test_builtin_source_used_by>>

    def _callTestMethod(self, method):
>       if method() is not None:

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:606: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_source_api.TestSourceAPI testMethod=test_builtin_source_used_by>

    def test_builtin_source_used_by(self):
        """Test Providers's types endpoint"""
        apps.get_app_config("authentik_core").source_inbuilt()
>       response = self.client.get(
            reverse("authentik_api:source-used-by", kwargs={"slug": "authentik-built-in"}),
        )

.../core/tests/test_source_api.py:16: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>
path = '.../all/authentik-built-in/used_by/', data = None
follow = False, extra = {}

    def get(self, path, data=None, follow=False, **extra):
>       response = super().get(path, data=data, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:292: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>
path = '.../all/authentik-built-in/used_by/', data = None
extra = {}, r = {'QUERY_STRING': ''}

    def get(self, path, data=None, **extra):
        r = {
            'QUERY_STRING': urlencode(data or {}, doseq=True),
        }
        if not data and '?' in path:
            # Fix to support old behavior where you have the arguments in the
            # url. See #1461.
            query_string = force_bytes(path.split('?')[1])
            query_string = query_string.decode('iso-8859-1')
            r['QUERY_STRING'] = query_string
        r.update(extra)
>       return self.generic('GET', path, **r)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:209: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>, method = 'GET'
path = '.../all/authentik-built-in/used_by/', data = ''
content_type = 'application/octet-stream', secure = False
extra = {'CONTENT_TYPE': 'application/octet-stream', 'QUERY_STRING': ''}

    def generic(self, method, path, data='',
                content_type='application/octet-stream', secure=False, **extra):
        # Include the CONTENT_TYPE, regardless of whether or not data is empty.
        if content_type is not None:
            extra['CONTENT_TYPE'] = str(content_type)
    
>       return super().generic(
            method, path, data, content_type, secure, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:237: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>, method = 'GET'
path = '.../all/authentik-built-in/used_by/', data = b''
content_type = 'application/octet-stream', secure = False, headers = None
query_params = None
extra = {'CONTENT_TYPE': 'application/octet-stream', 'QUERY_STRING': ''}
parsed = ParseResult(scheme='', netloc='', path='.../all/authentik-built-in/used_by/', params='', query='', fragment='')
r = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../all/authentik-built-in/used_by/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}
query_string = ''

    def generic(
        self,
        method,
        path,
        data="",
        content_type="application/octet-stream",
        secure=False,
        *,
        headers=None,
        query_params=None,
        **extra,
    ):
        """Construct an arbitrary HTTP request."""
        parsed = urlparse(str(path))  # path can be lazy
        data = force_bytes(data, settings.DEFAULT_CHARSET)
        r = {
            "PATH_INFO": self._get_path(parsed),
            "REQUEST_METHOD": method,
            "SERVER_PORT": "443" if secure else "80",
            "wsgi.url_scheme": "https" if secure else "http",
        }
        if data:
            r.update(
                {
                    "CONTENT_LENGTH": str(len(data)),
                    "CONTENT_TYPE": content_type,
                    "wsgi.input": FakePayload(data),
                }
            )
        if headers:
            extra.update(HttpHeaders.to_wsgi_names(headers))
        if query_params:
            extra["QUERY_STRING"] = urlencode(query_params, doseq=True)
        r.update(extra)
        # If QUERY_STRING is absent or empty, we want to extract it from the URL.
        if not r.get("QUERY_STRING"):
            # WSGI requires latin-1 encoded strings. See get_path_info().
            query_string = parsed[4].encode().decode("iso-8859-1")
            r["QUERY_STRING"] = query_string
>       return self.request(**r)

.venv/lib/python3.13.../django/test/client.py:676: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>
kwargs = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../all/authentik-built-in/used_by/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}

    def request(self, **kwargs):
        # Ensure that any credentials set get added to every request.
        kwargs.update(self._credentials)
>       return super().request(**kwargs)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:289: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>
kwargs = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../all/authentik-built-in/used_by/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}

    def request(self, **kwargs):
>       request = super().request(**kwargs)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:241: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>
request = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../all/authentik-built-in/used_by/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}
environ = {'CONTENT_TYPE': 'application/octet-stream', 'HTTP_COOKIE': 'authentik_session=syyi48y8gudz73cgxxgrgejny4kc7fxp', 'PATH_INFO': '.../all/authentik-built-in/used_by/', 'QUERY_STRING': '', ...}
data = {'context': [[{'True': True, 'False': False, 'None': None}, {'csrf_token': <SimpleLazyObject: <function csrf.<locals>....se/ske...">, <Template template_string="{% load static %}{%...">, <Template template_string="{% load i18n %}{% g...">]}
on_template_render = functools.partial(<function store_rendered_templates at 0x7fc39185cd60>, {'templates': [<Template template_string="{% ...<IncludeNode: template=<FilterExpression '"base/header_js.html"'>>, <TextNode: '\n'>]>}, {'LANGUAGE_CODE': 'en-us'}]]})
signal_uid = 'template-render-140477747975552'
exception_uid = 'request-exception-140477747975552'
response = <ServerErrorTemplateResponse status_code=500, "text/html; charset=utf-8">

    def request(self, **request):
        """
        Make a generic request. Compose the environment dictionary and pass
        to the handler, return the result of the handler. Assume defaults for
        the query environment, which can be overridden using the arguments to
        the request.
        """
        environ = self._base_environ(**request)
    
        # Curry a data dictionary into an instance of the template renderer
        # callback function.
        data = {}
        on_template_render = partial(store_rendered_templates, data)
        signal_uid = "template-render-%s" % id(request)
        signals.template_rendered.connect(on_template_render, dispatch_uid=signal_uid)
        # Capture exceptions created by the handler.
        exception_uid = "request-exception-%s" % id(request)
        got_request_exception.connect(self.store_exc_info, dispatch_uid=exception_uid)
        try:
            response = self.handler(environ)
        finally:
            signals.template_rendered.disconnect(dispatch_uid=signal_uid)
            got_request_exception.disconnect(dispatch_uid=exception_uid)
        # Check for signaled exceptions.
>       self.check_exception(response)

.venv/lib/python3.13.../django/test/client.py:1092: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7fc38669b8b0>
response = <ServerErrorTemplateResponse status_code=500, "text/html; charset=utf-8">

    def check_exception(self, response):
        """
        Look for a signaled exception, clear the current context exception
        data, re-raise the signaled exception, and clear the signaled exception
        from the local cache.
        """
        response.exc_info = self.exc_info
        if self.exc_info:
            _, exc_value, _ = self.exc_info
            self.exc_info = None
            if self.raise_request_exception:
>               raise exc_value

.venv/lib/python3.13.../django/test/client.py:805: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../all/authentik-built-in/used_by/'>

    @wraps(get_response)
    def inner(request):
        try:
>           response = get_response(request)

.venv/lib/python3.13.../core/handlers/exception.py:55: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.ForceAuthClientHandler object at 0x7fc3856220d0>
request = <WSGIRequest: GET '.../all/authentik-built-in/used_by/'>

    def _get_response(self, request):
        """
        Resolve and call the view, then apply view, exception, and
        template_response middleware. This method is everything that happens
        inside the request/response middleware.
        """
        response = None
        callback, callback_args, callback_kwargs = self.resolve_request(request)
    
        # Apply view middleware
        for middleware_method in self._view_middleware:
            response = middleware_method(
                request, callback, callback_args, callback_kwargs
            )
            if response:
                break
    
        if response is None:
            wrapped_callback = self.make_view_atomic(callback)
            # If it is an asynchronous view, run it in a subthread.
            if iscoroutinefunction(wrapped_callback):
                wrapped_callback = async_to_sync(wrapped_callback)
            try:
>               response = wrapped_callback(request, *callback_args, **callback_kwargs)

.venv/lib/python3.13.../core/handlers/base.py:197: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../all/authentik-built-in/used_by/'>
args = (), kwargs = {'slug': 'authentik-built-in'}
current_scope = <Scope id=0x7fc397383220 name=None type=ScopeType.CURRENT>
sentry_scope = <Scope id=0x7fc397382ce0 name=None type=ScopeType.ISOLATION>

    @functools.wraps(callback)
    def sentry_wrapped_callback(request, *args, **kwargs):
        # type: (Any, *Any, **Any) -> Any
        current_scope = sentry_sdk.get_current_scope()
        if current_scope.transaction is not None:
            current_scope.transaction.update_active_thread()
    
        sentry_scope = sentry_sdk.get_isolation_scope()
        # set the active thread id to the handler thread for sync views
        # this isn't necessary for async views since that runs on main
        if sentry_scope.profile is not None:
            sentry_scope.profile.update_active_thread_id()
    
        with sentry_sdk.start_span(
            op=OP.VIEW_RENDER,
            name=request.resolver_match.view_name,
            origin=DjangoIntegration.origin,
        ):
>           return callback(request, *args, **kwargs)

.venv/lib/python3.13.../integrations/django/views.py:94: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../all/authentik-built-in/used_by/'>
args = (), kwargs = {'slug': 'authentik-built-in'}

    def _view_wrapper(request, *args, **kwargs):
>       return view_func(request, *args, **kwargs)

.venv/lib/python3.13.../views/decorators/csrf.py:65: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../all/authentik-built-in/used_by/'>
args = (), kwargs = {'slug': 'authentik-built-in'}
self = <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>
method = 'head', action = 'used_by'
handler = <bound method UsedByMixin.used_by of <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>>

    def view(request, *args, **kwargs):
        self = cls(**initkwargs)
    
        if 'get' in actions and 'head' not in actions:
            actions['head'] = actions['get']
    
        # We also store the mapping of request methods to actions,
        # so that we can later set the action attribute.
        # eg. `self.action = 'list'` on an incoming GET request.
        self.action_map = actions
    
        # Bind methods to actions
        # This is the bit that's different to a standard view
        for method, action in actions.items():
            handler = getattr(self, action)
            setattr(self, method, handler)
    
        self.request = request
        self.args = args
        self.kwargs = kwargs
    
        # And continue as usual
>       return self.dispatch(request, *args, **kwargs)

.venv/lib/python3.13.../site-packages/rest_framework/viewsets.py:125: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>
request = <rest_framework.request.Request: GET '.../all/authentik-built-in/used_by/'>
args = (), kwargs = {'slug': 'authentik-built-in'}
handler = <bound method UsedByMixin.used_by of <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>>

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
    
        try:
            self.initial(request, *args, **kwargs)
    
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
    
            response = handler(request, *args, **kwargs)
    
        except Exception as exc:
>           response = self.handle_exception(exc)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:515: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>
exc = MixedContentTypeError('Content type for given perms and klass differs')

    def handle_exception(self, exc):
        """
        Handle any exception that occurs, by returning an appropriate response,
        or re-raising the error.
        """
        if isinstance(exc, (exceptions.NotAuthenticated,
                            exceptions.AuthenticationFailed)):
            # WWW-Authenticate header for 401 responses, else coerce to 403
            auth_header = self.get_authenticate_header(self.request)
    
            if auth_header:
                exc.auth_header = auth_header
            else:
                exc.status_code = status.HTTP_403_FORBIDDEN
    
        exception_handler = self.get_exception_handler()
    
        context = self.get_exception_handler_context()
        response = exception_handler(exc, context)
    
        if response is None:
>           self.raise_uncaught_exception(exc)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:475: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>
exc = MixedContentTypeError('Content type for given perms and klass differs')

    def raise_uncaught_exception(self, exc):
        if settings.DEBUG:
            request = self.request
            renderer_format = getattr(request.accepted_renderer, 'format')
            use_plaintext_traceback = renderer_format not in ('html', 'api', 'admin')
            request.force_plaintext_errors(use_plaintext_traceback)
>       raise exc

.venv/lib/python3.13............/site-packages/rest_framework/views.py:486: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>
request = <rest_framework.request.Request: GET '.../all/authentik-built-in/used_by/'>
args = (), kwargs = {'slug': 'authentik-built-in'}
handler = <bound method UsedByMixin.used_by of <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>>

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
    
        try:
            self.initial(request, *args, **kwargs)
    
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
    
>           response = handler(request, *args, **kwargs)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:512: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.api.sources.SourceViewSet object at 0x7fc386fcf0e0>
request = <rest_framework.request.Request: GET '.../all/authentik-built-in/used_by/'>
args = (), kwargs = {'slug': 'authentik-built-in'}
model = <Source: authentik Built-in>, used_by = [], shadows = []
attr_name = 'bindings'
manager = <django.db.models.fields.related_descriptors.create_reverse_many_to_one_manager.<locals>.RelatedManager object at 0x7fc386645400>
app = 'authentik_policies', model_name = 'policybinding'
delete_action = 'cascade', first_object = True

    @extend_schema(
        responses={200: UsedBySerializer(many=True)},
    )
    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
    def used_by(self, request: Request, *args, **kwargs) -> Response:
        """Get a list of all objects that use this object"""
        model: Model = self.get_object()
        used_by = []
        shadows = []
        for attr_name, manager in getmembers(model, lambda x: isinstance(x, Manager)):
            if attr_name == "objects":  # pragma: no cover
                continue
            manager: Manager
            if manager.model._meta.abstract:
                continue
            app = manager.model._meta.app_label
            model_name = manager.model._meta.model_name
            delete_action = get_delete_action(manager)
    
            # To make sure we only apply shadows when there are any objects,
            # but so we only apply them once, have a simple flag for the first object
            first_object = True
    
            # TODO: This will only return the used-by references that the user can see
            # Either we have to leak model information here to not make the list
            # useless if the user doesn't have all permissions, or we need to double
            # query and check if there is a difference between modes the user can see
            # and can't see and add a warning
>           for obj in get_objects_for_user(
                request.user, f"{app}.view_{model_name}", manager
            ).all():

.../core/api/used_by.py:82: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

user = <SimpleLazyObject: <User: amzkLR1Kk7xiNzfQ3qJJ>>
perms = ['authentik_policies.view_policybinding']
klass = <django.db.models.fields.related_descriptors.create_reverse_many_to_one_manager.<locals>.RelatedManager object at 0x7fc386645400>
use_groups = True, any_perm = False, with_superuser = True
accept_global_perms = True

    def get_objects_for_user(
        user: Any,
        perms: Union[str, list[str]],
        klass: Union[Model, Manager, QuerySet, None] = None,
        use_groups: bool = True,
        any_perm: bool = False,
        with_superuser: bool = True,
        accept_global_perms: bool = True,
    ) -> list[Model]:
        """Get objects that a user has *all* the supplied permissions for.
    
        Parameters:
            user (User | AnonymousUser): user to check for permissions.
            perms (str | list[str]): permission(s) to be checked.
                If `klass` parameter is not given, those should be full permission
                names rather than only codenames (i.e. `auth.change_user`).
                If more than one permission is present within sequence, their content type **must** be
                the same or `MixedContentTypeError` exception would be raised.
            klass (Modal | Manager | QuerySet): If not provided, this parameter would be
                computed based on given `params`.
            use_groups (bool): Whether to check user's groups object permissions.
            any_perm (bool): Whether any of the provided permissions in sequence is accepted.
            with_superuser (bool): if `user.is_superuser`, whether to return the entire queryset.
                Otherwise will only return objects the user has explicit permissions.
                This must be `True` for the `accept_global_perms` parameter to have any affect.
            accept_global_perms (bool): Whether global permissions are taken into account.
                Object based permissions are taken into account if more than one permission is
                provided in in perms and at least one of these perms is not globally set.
                If `any_perm` is `False` then the intersection of matching object is returned.
                Note, that if `with_superuser` is `False`, `accept_global_perms` will be ignored,
                which means that only object permissions will be checked!
    
        Raises:
            MixedContentTypeError: when computed content type for `perms` and/or `klass` clashes.
            WrongAppError: if cannot compute app label for given `perms` or `klass`.
    
        Example:
            ```shell
            >>> from django.contrib.auth.models import User
            >>> from guardian.shortcuts import get_objects_for_user
            >>> joe = User.objects.get(username='joe')
            >>> get_objects_for_user(joe, 'auth.change_group')
            []
            >>> from guardian.shortcuts import assign_perm
            >>> group = Group.objects.create('some group')
            >>> assign_perm('auth.change_group', joe, group)
            >>> get_objects_for_user(joe, 'auth.change_group')
            [<Group some group>]
    
            # The permission string can also be an iterable. Continuing with the previous example:
    
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
            []
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'], any_perm=True)
            [<Group some group>]
            >>> assign_perm('auth.delete_group', joe, group)
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
            [<Group some group>]
    
            # Take global permissions into account:
    
            >>> jack = User.objects.get(username='jack')
            >>> assign_perm('auth.change_group', jack) # this will set a global permission
            >>> get_objects_for_user(jack, 'auth.change_group')
            [<Group some group>]
            >>> group2 = Group.objects.create('other group')
            >>> assign_perm('auth.delete_group', jack, group2)
            >>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group']) # this retrieves intersection
            [<Group other group>]
            >>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group'], any_perm) # this retrieves union
            [<Group some group>, <Group other group>]
            ```
    
        Note:
            If `accept_global_perms` is set to `True`, then all assigned global
            permissions will also be taken into account.
    
            - Scenario 1: a user has view permissions generally defined on the model
              'books' but no object-based permission on a single book instance:
    
                - If `accept_global_perms` is `True`: A list of all books will be returned.
                - If `accept_global_perms` is `False`: The list will be empty.
    
            - Scenario 2: a user has view permissions generally defined on the model
              'books' and also has an object-based permission to view book 'Whatever':
    
                - If `accept_global_perms` is `True`: A list of all books will be returned.
                - If `accept_global_perms` is `False`: The list will only contain book 'Whatever'.
    
            - Scenario 3: a user only has object-based permission on book 'Whatever':
    
                - If `accept_global_perms` is `True`: The list will only contain book 'Whatever'.
                - If `accept_global_perms` is `False`: The list will only contain book 'Whatever'.
    
            - Scenario 4: a user does not have any permission:
    
                - If `accept_global_perms` is `True`: An empty list is returned.
                - If `accept_global_perms` is `False`: An empty list is returned.
        """
        if isinstance(perms, str):
            perms = [perms]
        ctype = None
        app_label = None
        codenames = set()
    
        # Compute codenames and set and ctype if possible
        for perm in perms:
            if "." in perm:
                new_app_label, codename = perm.split(".", 1)
                if app_label is not None and app_label != new_app_label:
                    raise MixedContentTypeError("Given perms must have same app "
                                                "label (%s != %s)" % (app_label, new_app_label))
                else:
                    app_label = new_app_label
            else:
                codename = perm
            codenames.add(codename)
            if app_label is not None:
                new_ctype = new_ctype = _get_ct_cached(app_label, codename)
                if ctype is not None and ctype != new_ctype:
                    raise MixedContentTypeError("ContentType was once computed "
                                                "to be %s and another one %s" % (ctype, new_ctype))
                else:
                    ctype = new_ctype
    
        # Compute queryset and ctype if still missing
        if ctype is None and klass is not None:
            queryset = _get_queryset(klass)
            ctype = get_content_type(queryset.model)
        elif ctype is not None and klass is None:
            queryset = _get_queryset(ctype.model_class())
        elif klass is None:
            raise WrongAppError("Cannot determine content type")
        else:
            queryset = _get_queryset(klass)
            if ctype != get_content_type(queryset.model):
>               raise MixedContentTypeError(
                    "Content type for given perms and " "klass differs"
                )
E               guardian.exceptions.MixedContentTypeError: Content type for given perms and klass differs

.venv/lib/python3.13.../site-packages/guardian/shortcuts.py:567: MixedContentTypeError

authentik.rbac.tests.test_api_filters.TestAPIPerms::test_list_denied

Stack Traces | 0.908s run time

self = <unittest.case._Outcome object at 0x7efcb8f93cb0>
test_case = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_list_denied>
subTest = False

    @contextlib.contextmanager
    def testPartExecutor(self, test_case, subTest=False):
        old_success = self.success
        self.success = True
        try:
>           yield

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:58: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_list_denied>
result = <TestCaseFunction test_list_denied>

    def run(self, result=None):
        if result is None:
            result = self.defaultTestResult()
            startTestRun = getattr(result, 'startTestRun', None)
            stopTestRun = getattr(result, 'stopTestRun', None)
            if startTestRun is not None:
                startTestRun()
        else:
            stopTestRun = None
    
        result.startTest(self)
        try:
            testMethod = getattr(self, self._testMethodName)
            if (getattr(self.__class__, "__unittest_skip__", False) or
                getattr(testMethod, "__unittest_skip__", False)):
                # If the class or method was skipped.
                skip_why = (getattr(self.__class__, '__unittest_skip_why__', '')
                            or getattr(testMethod, '__unittest_skip_why__', ''))
                _addSkip(result, self, skip_why)
                return result
    
            expecting_failure = (
                getattr(self, "__unittest_expecting_failure__", False) or
                getattr(testMethod, "__unittest_expecting_failure__", False)
            )
            outcome = _Outcome(result)
            start_time = time.perf_counter()
            try:
                self._outcome = outcome
    
                with outcome.testPartExecutor(self):
                    self._callSetUp()
                if outcome.success:
                    outcome.expecting_failure = expecting_failure
                    with outcome.testPartExecutor(self):
>                       self._callTestMethod(testMethod)

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:651: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_list_denied>
method = <bound method TestAPIPerms.test_list_denied of <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_list_denied>>

    def _callTestMethod(self, method):
>       if method() is not None:

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:606: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_list_denied>

    def test_list_denied(self):
        """Test list without adding permission"""
        self.client.force_login(self.user)
    
>       res = self.client.get(reverse("authentik_api:invitation-list"))

.../rbac/tests/test_api_filters.py:95: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>
path = '.../stages/invitation/invitations/', data = None, follow = False
extra = {}

    def get(self, path, data=None, follow=False, **extra):
>       response = super().get(path, data=data, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:292: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>
path = '.../stages/invitation/invitations/', data = None, extra = {}
r = {'QUERY_STRING': ''}

    def get(self, path, data=None, **extra):
        r = {
            'QUERY_STRING': urlencode(data or {}, doseq=True),
        }
        if not data and '?' in path:
            # Fix to support old behavior where you have the arguments in the
            # url. See #1461.
            query_string = force_bytes(path.split('?')[1])
            query_string = query_string.decode('iso-8859-1')
            r['QUERY_STRING'] = query_string
        r.update(extra)
>       return self.generic('GET', path, **r)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:209: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>, method = 'GET'
path = '.../stages/invitation/invitations/', data = ''
content_type = 'application/octet-stream', secure = False
extra = {'CONTENT_TYPE': 'application/octet-stream', 'QUERY_STRING': ''}

    def generic(self, method, path, data='',
                content_type='application/octet-stream', secure=False, **extra):
        # Include the CONTENT_TYPE, regardless of whether or not data is empty.
        if content_type is not None:
            extra['CONTENT_TYPE'] = str(content_type)
    
>       return super().generic(
            method, path, data, content_type, secure, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:237: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>, method = 'GET'
path = '.../stages/invitation/invitations/', data = b''
content_type = 'application/octet-stream', secure = False, headers = None
query_params = None
extra = {'CONTENT_TYPE': 'application/octet-stream', 'QUERY_STRING': ''}
parsed = ParseResult(scheme='', netloc='', path='.../stages/invitation/invitations/', params='', query='', fragment='')
r = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../stages/invitation/invitations/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}
query_string = ''

    def generic(
        self,
        method,
        path,
        data="",
        content_type="application/octet-stream",
        secure=False,
        *,
        headers=None,
        query_params=None,
        **extra,
    ):
        """Construct an arbitrary HTTP request."""
        parsed = urlparse(str(path))  # path can be lazy
        data = force_bytes(data, settings.DEFAULT_CHARSET)
        r = {
            "PATH_INFO": self._get_path(parsed),
            "REQUEST_METHOD": method,
            "SERVER_PORT": "443" if secure else "80",
            "wsgi.url_scheme": "https" if secure else "http",
        }
        if data:
            r.update(
                {
                    "CONTENT_LENGTH": str(len(data)),
                    "CONTENT_TYPE": content_type,
                    "wsgi.input": FakePayload(data),
                }
            )
        if headers:
            extra.update(HttpHeaders.to_wsgi_names(headers))
        if query_params:
            extra["QUERY_STRING"] = urlencode(query_params, doseq=True)
        r.update(extra)
        # If QUERY_STRING is absent or empty, we want to extract it from the URL.
        if not r.get("QUERY_STRING"):
            # WSGI requires latin-1 encoded strings. See get_path_info().
            query_string = parsed[4].encode().decode("iso-8859-1")
            r["QUERY_STRING"] = query_string
>       return self.request(**r)

.venv/lib/python3.13.../django/test/client.py:676: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>
kwargs = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../stages/invitation/invitations/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}

    def request(self, **kwargs):
        # Ensure that any credentials set get added to every request.
        kwargs.update(self._credentials)
>       return super().request(**kwargs)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:289: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>
kwargs = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../stages/invitation/invitations/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}

    def request(self, **kwargs):
>       request = super().request(**kwargs)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:241: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>
request = {'CONTENT_TYPE': 'application/octet-stream', 'PATH_INFO': '.../stages/invitation/invitations/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', ...}
environ = {'CONTENT_TYPE': 'application/octet-stream', 'HTTP_COOKIE': 'authentik_session=vza9hj3b3t9tkij2zu710j3nhd9zui64', 'PATH_INFO': '.../stages/invitation/invitations/', 'QUERY_STRING': '', ...}
data = {'context': [[{'True': True, 'False': False, 'None': None}, {'csrf_token': <SimpleLazyObject: <function csrf.<locals>....se/ske...">, <Template template_string="{% load static %}{%...">, <Template template_string="{% load i18n %}{% g...">]}
on_template_render = functools.partial(<function store_rendered_templates at 0x7efcc8e14d60>, {'templates': [<Template template_string="{% ...<IncludeNode: template=<FilterExpression '"base/header_js.html"'>>, <TextNode: '\n'>]>}, {'LANGUAGE_CODE': 'en-us'}]]})
signal_uid = 'template-render-139623963991232'
exception_uid = 'request-exception-139623963991232'
response = <ServerErrorTemplateResponse status_code=500, "text/html; charset=utf-8">

    def request(self, **request):
        """
        Make a generic request. Compose the environment dictionary and pass
        to the handler, return the result of the handler. Assume defaults for
        the query environment, which can be overridden using the arguments to
        the request.
        """
        environ = self._base_environ(**request)
    
        # Curry a data dictionary into an instance of the template renderer
        # callback function.
        data = {}
        on_template_render = partial(store_rendered_templates, data)
        signal_uid = "template-render-%s" % id(request)
        signals.template_rendered.connect(on_template_render, dispatch_uid=signal_uid)
        # Capture exceptions created by the handler.
        exception_uid = "request-exception-%s" % id(request)
        got_request_exception.connect(self.store_exc_info, dispatch_uid=exception_uid)
        try:
            response = self.handler(environ)
        finally:
            signals.template_rendered.disconnect(dispatch_uid=signal_uid)
            got_request_exception.disconnect(dispatch_uid=exception_uid)
        # Check for signaled exceptions.
>       self.check_exception(response)

.venv/lib/python3.13.../django/test/client.py:1092: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcbfc5bd80>
response = <ServerErrorTemplateResponse status_code=500, "text/html; charset=utf-8">

    def check_exception(self, response):
        """
        Look for a signaled exception, clear the current context exception
        data, re-raise the signaled exception, and clear the signaled exception
        from the local cache.
        """
        response.exc_info = self.exc_info
        if self.exc_info:
            _, exc_value, _ = self.exc_info
            self.exc_info = None
            if self.raise_request_exception:
>               raise exc_value

.venv/lib/python3.13.../django/test/client.py:805: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../stages/invitation/invitations/'>

    @wraps(get_response)
    def inner(request):
        try:
>           response = get_response(request)

.venv/lib/python3.13.../core/handlers/exception.py:55: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.ForceAuthClientHandler object at 0x7efcbda27750>
request = <WSGIRequest: GET '.../stages/invitation/invitations/'>

    def _get_response(self, request):
        """
        Resolve and call the view, then apply view, exception, and
        template_response middleware. This method is everything that happens
        inside the request/response middleware.
        """
        response = None
        callback, callback_args, callback_kwargs = self.resolve_request(request)
    
        # Apply view middleware
        for middleware_method in self._view_middleware:
            response = middleware_method(
                request, callback, callback_args, callback_kwargs
            )
            if response:
                break
    
        if response is None:
            wrapped_callback = self.make_view_atomic(callback)
            # If it is an asynchronous view, run it in a subthread.
            if iscoroutinefunction(wrapped_callback):
                wrapped_callback = async_to_sync(wrapped_callback)
            try:
>               response = wrapped_callback(request, *callback_args, **callback_kwargs)

.venv/lib/python3.13.../core/handlers/base.py:197: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../stages/invitation/invitations/'>, args = ()
kwargs = {}
current_scope = <Scope id=0x7efcce5a7220 name=None type=ScopeType.CURRENT>
sentry_scope = <Scope id=0x7efcce5a6ce0 name=None type=ScopeType.ISOLATION>

    @functools.wraps(callback)
    def sentry_wrapped_callback(request, *args, **kwargs):
        # type: (Any, *Any, **Any) -> Any
        current_scope = sentry_sdk.get_current_scope()
        if current_scope.transaction is not None:
            current_scope.transaction.update_active_thread()
    
        sentry_scope = sentry_sdk.get_isolation_scope()
        # set the active thread id to the handler thread for sync views
        # this isn't necessary for async views since that runs on main
        if sentry_scope.profile is not None:
            sentry_scope.profile.update_active_thread_id()
    
        with sentry_sdk.start_span(
            op=OP.VIEW_RENDER,
            name=request.resolver_match.view_name,
            origin=DjangoIntegration.origin,
        ):
>           return callback(request, *args, **kwargs)

.venv/lib/python3.13.../integrations/django/views.py:94: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../stages/invitation/invitations/'>, args = ()
kwargs = {}

    def _view_wrapper(request, *args, **kwargs):
>       return view_func(request, *args, **kwargs)

.venv/lib/python3.13.../views/decorators/csrf.py:65: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: GET '.../stages/invitation/invitations/'>, args = ()
kwargs = {}
self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
method = 'head', action = 'list'
handler = <bound method ListModelMixin.list of <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>>

    def view(request, *args, **kwargs):
        self = cls(**initkwargs)
    
        if 'get' in actions and 'head' not in actions:
            actions['head'] = actions['get']
    
        # We also store the mapping of request methods to actions,
        # so that we can later set the action attribute.
        # eg. `self.action = 'list'` on an incoming GET request.
        self.action_map = actions
    
        # Bind methods to actions
        # This is the bit that's different to a standard view
        for method, action in actions.items():
            handler = getattr(self, action)
            setattr(self, method, handler)
    
        self.request = request
        self.args = args
        self.kwargs = kwargs
    
        # And continue as usual
>       return self.dispatch(request, *args, **kwargs)

.venv/lib/python3.13.../site-packages/rest_framework/viewsets.py:125: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
request = <rest_framework.request.Request: GET '.../stages/invitation/invitations/'>
args = (), kwargs = {}
handler = <bound method ListModelMixin.list of <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>>

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
    
        try:
            self.initial(request, *args, **kwargs)
    
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
    
            response = handler(request, *args, **kwargs)
    
        except Exception as exc:
>           response = self.handle_exception(exc)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:515: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
exc = MixedContentTypeError('Content type for given perms and klass differs')

    def handle_exception(self, exc):
        """
        Handle any exception that occurs, by returning an appropriate response,
        or re-raising the error.
        """
        if isinstance(exc, (exceptions.NotAuthenticated,
                            exceptions.AuthenticationFailed)):
            # WWW-Authenticate header for 401 responses, else coerce to 403
            auth_header = self.get_authenticate_header(self.request)
    
            if auth_header:
                exc.auth_header = auth_header
            else:
                exc.status_code = status.HTTP_403_FORBIDDEN
    
        exception_handler = self.get_exception_handler()
    
        context = self.get_exception_handler_context()
        response = exception_handler(exc, context)
    
        if response is None:
>           self.raise_uncaught_exception(exc)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:475: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
exc = MixedContentTypeError('Content type for given perms and klass differs')

    def raise_uncaught_exception(self, exc):
        if settings.DEBUG:
            request = self.request
            renderer_format = getattr(request.accepted_renderer, 'format')
            use_plaintext_traceback = renderer_format not in ('html', 'api', 'admin')
            request.force_plaintext_errors(use_plaintext_traceback)
>       raise exc

.venv/lib/python3.13............/site-packages/rest_framework/views.py:486: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
request = <rest_framework.request.Request: GET '.../stages/invitation/invitations/'>
args = (), kwargs = {}
handler = <bound method ListModelMixin.list of <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>>

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
    
        try:
            self.initial(request, *args, **kwargs)
    
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
    
>           response = handler(request, *args, **kwargs)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:512: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
request = <rest_framework.request.Request: GET '.../stages/invitation/invitations/'>
args = (), kwargs = {}

    def list(self, request, *args, **kwargs):
>       queryset = self.filter_queryset(self.get_queryset())

.venv/lib/python3.13.../site-packages/rest_framework/mixins.py:38: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>
queryset = <QuerySet []>

    def filter_queryset(self, queryset):
        """
        Given a queryset, filter it with whichever filter backend is in use.
    
        You are unlikely to want to override this method, although you may need
        to call it either from a list view, or from a custom `get_object`
        method if you want to apply the configured filtering backend to the
        default queryset.
        """
        for backend in list(self.filter_backends):
>           queryset = backend().filter_queryset(self.request, queryset, self)

.venv/lib/python3.13.../site-packages/rest_framework/generics.py:154: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.filters.ObjectFilter object at 0x7efcbd52e8b0>
request = <rest_framework.request.Request: GET '.../stages/invitation/invitations/'>
queryset = <QuerySet []>
view = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>

    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView) -> QuerySet:
        permission = self.perm_format % {
            "app_label": queryset.model._meta.app_label,
            "model_name": queryset.model._meta.model_name,
        }
        # having the global permission set on a user has higher priority than
        # per-object permissions
        if request.user.has_perm(permission):
            return queryset
        # User does not have permissions, but we have an owner field defined, so filter by that
        if owner_field := getattr(view, "owner_field", None):
            return queryset.filter(**{owner_field: request.user})
>       queryset = super().filter_queryset(request, queryset, view)

authentik/rbac/filters.py:32: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.filters.ObjectFilter object at 0x7efcbd52e8b0>
request = <rest_framework.request.Request: GET '.../stages/invitation/invitations/'>
queryset = <QuerySet []>
view = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbe5d4e20>

    def filter_queryset(self, request, queryset, view):
        # We want to defer this import until runtime, rather than import-time.
        # See https://github..../django-rest-framework/issues/4608
        # (Also see #1624 for why we need to make this import explicitly)
        from guardian.shortcuts import get_objects_for_user
    
        user = request.user
        permission = self.perm_format % {
            'app_label': queryset.model._meta.app_label,
            'model_name': queryset.model._meta.model_name,
        }
    
>       return get_objects_for_user(
            user, permission, queryset,
            **self.shortcut_kwargs)

.venv/lib/python3.13.../site-packages/rest_framework_guardian/filters.py:28: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

user = <SimpleLazyObject: <User: VN3UT7jjP7kOEJJocpeg>>
perms = ['authentik_stages_invitation.view_invitation'], klass = <QuerySet []>
use_groups = True, any_perm = False, with_superuser = True
accept_global_perms = False

    def get_objects_for_user(
        user: Any,
        perms: Union[str, list[str]],
        klass: Union[Model, Manager, QuerySet, None] = None,
        use_groups: bool = True,
        any_perm: bool = False,
        with_superuser: bool = True,
        accept_global_perms: bool = True,
    ) -> list[Model]:
        """Get objects that a user has *all* the supplied permissions for.
    
        Parameters:
            user (User | AnonymousUser): user to check for permissions.
            perms (str | list[str]): permission(s) to be checked.
                If `klass` parameter is not given, those should be full permission
                names rather than only codenames (i.e. `auth.change_user`).
                If more than one permission is present within sequence, their content type **must** be
                the same or `MixedContentTypeError` exception would be raised.
            klass (Modal | Manager | QuerySet): If not provided, this parameter would be
                computed based on given `params`.
            use_groups (bool): Whether to check user's groups object permissions.
            any_perm (bool): Whether any of the provided permissions in sequence is accepted.
            with_superuser (bool): if `user.is_superuser`, whether to return the entire queryset.
                Otherwise will only return objects the user has explicit permissions.
                This must be `True` for the `accept_global_perms` parameter to have any affect.
            accept_global_perms (bool): Whether global permissions are taken into account.
                Object based permissions are taken into account if more than one permission is
                provided in in perms and at least one of these perms is not globally set.
                If `any_perm` is `False` then the intersection of matching object is returned.
                Note, that if `with_superuser` is `False`, `accept_global_perms` will be ignored,
                which means that only object permissions will be checked!
    
        Raises:
            MixedContentTypeError: when computed content type for `perms` and/or `klass` clashes.
            WrongAppError: if cannot compute app label for given `perms` or `klass`.
    
        Example:
            ```shell
            >>> from django.contrib.auth.models import User
            >>> from guardian.shortcuts import get_objects_for_user
            >>> joe = User.objects.get(username='joe')
            >>> get_objects_for_user(joe, 'auth.change_group')
            []
            >>> from guardian.shortcuts import assign_perm
            >>> group = Group.objects.create('some group')
            >>> assign_perm('auth.change_group', joe, group)
            >>> get_objects_for_user(joe, 'auth.change_group')
            [<Group some group>]
    
            # The permission string can also be an iterable. Continuing with the previous example:
    
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
            []
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'], any_perm=True)
            [<Group some group>]
            >>> assign_perm('auth.delete_group', joe, group)
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
            [<Group some group>]
    
            # Take global permissions into account:
    
            >>> jack = User.objects.get(username='jack')
            >>> assign_perm('auth.change_group', jack) # this will set a global permission
            >>> get_objects_for_user(jack, 'auth.change_group')
            [<Group some group>]
            >>> group2 = Group.objects.create('other group')
            >>> assign_perm('auth.delete_group', jack, group2)
            >>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group']) # this retrieves intersection
            [<Group other group>]
            >>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group'], any_perm) # this retrieves union
            [<Group some group>, <Group other group>]
            ```
    
        Note:
            If `accept_global_perms` is set to `True`, then all assigned global
            permissions will also be taken into account.
    
            - Scenario 1: a user has view permissions generally defined on the model
              'books' but no object-based permission on a single book instance:
    
                - If `accept_global_perms` is `True`: A list of all books will be returned.
                - If `accept_global_perms` is `False`: The list will be empty.
    
            - Scenario 2: a user has view permissions generally defined on the model
              'books' and also has an object-based permission to view book 'Whatever':
    
                - If `accept_global_perms` is `True`: A list of all books will be returned.
                - If `accept_global_perms` is `False`: The list will only contain book 'Whatever'.
    
            - Scenario 3: a user only has object-based permission on book 'Whatever':
    
                - If `accept_global_perms` is `True`: The list will only contain book 'Whatever'.
                - If `accept_global_perms` is `False`: The list will only contain book 'Whatever'.
    
            - Scenario 4: a user does not have any permission:
    
                - If `accept_global_perms` is `True`: An empty list is returned.
                - If `accept_global_perms` is `False`: An empty list is returned.
        """
        if isinstance(perms, str):
            perms = [perms]
        ctype = None
        app_label = None
        codenames = set()
    
        # Compute codenames and set and ctype if possible
        for perm in perms:
            if "." in perm:
                new_app_label, codename = perm.split(".", 1)
                if app_label is not None and app_label != new_app_label:
                    raise MixedContentTypeError("Given perms must have same app "
                                                "label (%s != %s)" % (app_label, new_app_label))
                else:
                    app_label = new_app_label
            else:
                codename = perm
            codenames.add(codename)
            if app_label is not None:
                new_ctype = new_ctype = _get_ct_cached(app_label, codename)
                if ctype is not None and ctype != new_ctype:
                    raise MixedContentTypeError("ContentType was once computed "
                                                "to be %s and another one %s" % (ctype, new_ctype))
                else:
                    ctype = new_ctype
    
        # Compute queryset and ctype if still missing
        if ctype is None and klass is not None:
            queryset = _get_queryset(klass)
            ctype = get_content_type(queryset.model)
        elif ctype is not None and klass is None:
            queryset = _get_queryset(ctype.model_class())
        elif klass is None:
            raise WrongAppError("Cannot determine content type")
        else:
            queryset = _get_queryset(klass)
            if ctype != get_content_type(queryset.model):
>               raise MixedContentTypeError(
                    "Content type for given perms and " "klass differs"
                )
E               guardian.exceptions.MixedContentTypeError: Content type for given perms and klass differs

.venv/lib/python3.13.../site-packages/guardian/shortcuts.py:567: MixedContentTypeError

authentik.rbac.tests.test_api_filters.TestAPIPerms::test_update_simple_denied

Stack Traces | 0.91s run time

self = <unittest.case._Outcome object at 0x7efcbe5de120>
test_case = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_update_simple_denied>
subTest = False

    @contextlib.contextmanager
    def testPartExecutor(self, test_case, subTest=False):
        old_success = self.success
        self.success = True
        try:
>           yield

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:58: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_update_simple_denied>
result = <TestCaseFunction test_update_simple_denied>

    def run(self, result=None):
        if result is None:
            result = self.defaultTestResult()
            startTestRun = getattr(result, 'startTestRun', None)
            stopTestRun = getattr(result, 'stopTestRun', None)
            if startTestRun is not None:
                startTestRun()
        else:
            stopTestRun = None
    
        result.startTest(self)
        try:
            testMethod = getattr(self, self._testMethodName)
            if (getattr(self.__class__, "__unittest_skip__", False) or
                getattr(testMethod, "__unittest_skip__", False)):
                # If the class or method was skipped.
                skip_why = (getattr(self.__class__, '__unittest_skip_why__', '')
                            or getattr(testMethod, '__unittest_skip_why__', ''))
                _addSkip(result, self, skip_why)
                return result
    
            expecting_failure = (
                getattr(self, "__unittest_expecting_failure__", False) or
                getattr(testMethod, "__unittest_expecting_failure__", False)
            )
            outcome = _Outcome(result)
            start_time = time.perf_counter()
            try:
                self._outcome = outcome
    
                with outcome.testPartExecutor(self):
                    self._callSetUp()
                if outcome.success:
                    outcome.expecting_failure = expecting_failure
                    with outcome.testPartExecutor(self):
>                       self._callTestMethod(testMethod)

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:651: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_update_simple_denied>
method = <bound method TestAPIPerms.test_update_simple_denied of <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_update_simple_denied>>

    def _callTestMethod(self, method):
>       if method() is not None:

.../hostedtoolcache/Python/3.13.4........./x64/lib/python3.13/unittest/case.py:606: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.tests.test_api_filters.TestAPIPerms testMethod=test_update_simple_denied>

    def test_update_simple_denied(self):
        """Test update without assigning permission"""
        self.client.force_login(self.user)
        inv = Invitation.objects.create(name=generate_id(), created_by=self.superuser)
>       res = self.client.patch(
            reverse("authentik_api:invitation-detail", kwargs={"pk": inv.pk}),
            data={
                "name": generate_id(),
            },
        )

.../rbac/tests/test_api_filters.py:143: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
path = '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'
data = {'name': 'eZ0QEe3Sr15JI8yoQS7RzzZK7vZlToPo9BRFET8v'}, format = None
content_type = None, follow = False, extra = {}

    def patch(self, path, data=None, format=None, content_type=None,
              follow=False, **extra):
>       response = super().patch(
            path, data=data, format=format, content_type=content_type, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:315: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
path = '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'
data = b'{"name":"eZ0QEe3Sr15JI8yoQS7RzzZK7vZlToPo9BRFET8v"}', format = None
content_type = 'application/json', extra = {}

    def patch(self, path, data=None, format=None, content_type=None, **extra):
        data, content_type = self._encode_data(data, format, content_type)
>       return self.generic('PATCH', path, data, content_type, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:221: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
method = 'PATCH'
path = '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'
data = b'{"name":"eZ0QEe3Sr15JI8yoQS7RzzZK7vZlToPo9BRFET8v"}'
content_type = 'application/json', secure = False
extra = {'CONTENT_TYPE': 'application/json'}

    def generic(self, method, path, data='',
                content_type='application/octet-stream', secure=False, **extra):
        # Include the CONTENT_TYPE, regardless of whether or not data is empty.
        if content_type is not None:
            extra['CONTENT_TYPE'] = str(content_type)
    
>       return super().generic(
            method, path, data, content_type, secure, **extra)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:237: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
method = 'PATCH'
path = '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'
data = b'{"name":"eZ0QEe3Sr15JI8yoQS7RzzZK7vZlToPo9BRFET8v"}'
content_type = 'application/json', secure = False, headers = None
query_params = None, extra = {'CONTENT_TYPE': 'application/json'}
parsed = ParseResult(scheme='', netloc='', path='.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/', params='', query='', fragment='')
r = {'CONTENT_LENGTH': '51', 'CONTENT_TYPE': 'application/json', 'PATH_INFO': '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/', 'QUERY_STRING': '', ...}
query_string = ''

    def generic(
        self,
        method,
        path,
        data="",
        content_type="application/octet-stream",
        secure=False,
        *,
        headers=None,
        query_params=None,
        **extra,
    ):
        """Construct an arbitrary HTTP request."""
        parsed = urlparse(str(path))  # path can be lazy
        data = force_bytes(data, settings.DEFAULT_CHARSET)
        r = {
            "PATH_INFO": self._get_path(parsed),
            "REQUEST_METHOD": method,
            "SERVER_PORT": "443" if secure else "80",
            "wsgi.url_scheme": "https" if secure else "http",
        }
        if data:
            r.update(
                {
                    "CONTENT_LENGTH": str(len(data)),
                    "CONTENT_TYPE": content_type,
                    "wsgi.input": FakePayload(data),
                }
            )
        if headers:
            extra.update(HttpHeaders.to_wsgi_names(headers))
        if query_params:
            extra["QUERY_STRING"] = urlencode(query_params, doseq=True)
        r.update(extra)
        # If QUERY_STRING is absent or empty, we want to extract it from the URL.
        if not r.get("QUERY_STRING"):
            # WSGI requires latin-1 encoded strings. See get_path_info().
            query_string = parsed[4].encode().decode("iso-8859-1")
            r["QUERY_STRING"] = query_string
>       return self.request(**r)

.venv/lib/python3.13.../django/test/client.py:676: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
kwargs = {'CONTENT_LENGTH': '51', 'CONTENT_TYPE': 'application/json', 'PATH_INFO': '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/', 'QUERY_STRING': '', ...}

    def request(self, **kwargs):
        # Ensure that any credentials set get added to every request.
        kwargs.update(self._credentials)
>       return super().request(**kwargs)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:289: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
kwargs = {'CONTENT_LENGTH': '51', 'CONTENT_TYPE': 'application/json', 'PATH_INFO': '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/', 'QUERY_STRING': '', ...}

    def request(self, **kwargs):
>       request = super().request(**kwargs)

.venv/lib/python3.13.............../site-packages/rest_framework/test.py:241: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
request = {'CONTENT_LENGTH': '51', 'CONTENT_TYPE': 'application/json', 'PATH_INFO': '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/', 'QUERY_STRING': '', ...}
environ = {'CONTENT_LENGTH': '51', 'CONTENT_TYPE': 'application/json', 'HTTP_COOKIE': 'authentik_session=c2lk3x2vnskc0g3ju08skricp2eaun22', 'PATH_INFO': '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/', ...}
data = {}
on_template_render = functools.partial(<function store_rendered_templates at 0x7efcc8e14d60>, {})
signal_uid = 'template-render-139623893769408'
exception_uid = 'request-exception-139623893769408'
response = <HttpResponseNotAllowed [GET, HEAD, OPTIONS] status_code=405, "text/html; charset=utf-8">

    def request(self, **request):
        """
        Make a generic request. Compose the environment dictionary and pass
        to the handler, return the result of the handler. Assume defaults for
        the query environment, which can be overridden using the arguments to
        the request.
        """
        environ = self._base_environ(**request)
    
        # Curry a data dictionary into an instance of the template renderer
        # callback function.
        data = {}
        on_template_render = partial(store_rendered_templates, data)
        signal_uid = "template-render-%s" % id(request)
        signals.template_rendered.connect(on_template_render, dispatch_uid=signal_uid)
        # Capture exceptions created by the handler.
        exception_uid = "request-exception-%s" % id(request)
        got_request_exception.connect(self.store_exc_info, dispatch_uid=exception_uid)
        try:
            response = self.handler(environ)
        finally:
            signals.template_rendered.disconnect(dispatch_uid=signal_uid)
            got_request_exception.disconnect(dispatch_uid=exception_uid)
        # Check for signaled exceptions.
>       self.check_exception(response)

.venv/lib/python3.13.../django/test/client.py:1092: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.APIClient object at 0x7efcb8bc4260>
response = <HttpResponseNotAllowed [GET, HEAD, OPTIONS] status_code=405, "text/html; charset=utf-8">

    def check_exception(self, response):
        """
        Look for a signaled exception, clear the current context exception
        data, re-raise the signaled exception, and clear the signaled exception
        from the local cache.
        """
        response.exc_info = self.exc_info
        if self.exc_info:
            _, exc_value, _ = self.exc_info
            self.exc_info = None
            if self.raise_request_exception:
>               raise exc_value

.venv/lib/python3.13.../django/test/client.py:805: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>

    @wraps(get_response)
    def inner(request):
        try:
>           response = get_response(request)

.venv/lib/python3.13.../core/handlers/exception.py:55: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <rest_framework.test.ForceAuthClientHandler object at 0x7efcbd3c7dd0>
request = <WSGIRequest: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>

    def _get_response(self, request):
        """
        Resolve and call the view, then apply view, exception, and
        template_response middleware. This method is everything that happens
        inside the request/response middleware.
        """
        response = None
        callback, callback_args, callback_kwargs = self.resolve_request(request)
    
        # Apply view middleware
        for middleware_method in self._view_middleware:
            response = middleware_method(
                request, callback, callback_args, callback_kwargs
            )
            if response:
                break
    
        if response is None:
            wrapped_callback = self.make_view_atomic(callback)
            # If it is an asynchronous view, run it in a subthread.
            if iscoroutinefunction(wrapped_callback):
                wrapped_callback = async_to_sync(wrapped_callback)
            try:
>               response = wrapped_callback(request, *callback_args, **callback_kwargs)

.venv/lib/python3.13.../core/handlers/base.py:197: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = (), kwargs = {'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}
current_scope = <Scope id=0x7efcce5a7220 name=None type=ScopeType.CURRENT>
sentry_scope = <Scope id=0x7efcce5a6ce0 name=None type=ScopeType.ISOLATION>

    @functools.wraps(callback)
    def sentry_wrapped_callback(request, *args, **kwargs):
        # type: (Any, *Any, **Any) -> Any
        current_scope = sentry_sdk.get_current_scope()
        if current_scope.transaction is not None:
            current_scope.transaction.update_active_thread()
    
        sentry_scope = sentry_sdk.get_isolation_scope()
        # set the active thread id to the handler thread for sync views
        # this isn't necessary for async views since that runs on main
        if sentry_scope.profile is not None:
            sentry_scope.profile.update_active_thread_id()
    
        with sentry_sdk.start_span(
            op=OP.VIEW_RENDER,
            name=request.resolver_match.view_name,
            origin=DjangoIntegration.origin,
        ):
>           return callback(request, *args, **kwargs)

.venv/lib/python3.13.../integrations/django/views.py:94: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = (), kwargs = {'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}

    def _view_wrapper(request, *args, **kwargs):
>       return view_func(request, *args, **kwargs)

.venv/lib/python3.13.../views/decorators/csrf.py:65: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

request = <WSGIRequest: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = (), kwargs = {'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}
self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
method = 'head', action = 'retrieve'
handler = <bound method RetrieveModelMixin.retrieve of <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>>

    def view(request, *args, **kwargs):
        self = cls(**initkwargs)
    
        if 'get' in actions and 'head' not in actions:
            actions['head'] = actions['get']
    
        # We also store the mapping of request methods to actions,
        # so that we can later set the action attribute.
        # eg. `self.action = 'list'` on an incoming GET request.
        self.action_map = actions
    
        # Bind methods to actions
        # This is the bit that's different to a standard view
        for method, action in actions.items():
            handler = getattr(self, action)
            setattr(self, method, handler)
    
        self.request = request
        self.args = args
        self.kwargs = kwargs
    
        # And continue as usual
>       return self.dispatch(request, *args, **kwargs)

.venv/lib/python3.13.../site-packages/rest_framework/viewsets.py:125: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
request = <rest_framework.request.Request: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = (), kwargs = {'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}
handler = <bound method UpdateModelMixin.partial_update of <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>>

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
    
        try:
            self.initial(request, *args, **kwargs)
    
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
    
            response = handler(request, *args, **kwargs)
    
        except Exception as exc:
>           response = self.handle_exception(exc)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:515: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
exc = MixedContentTypeError('Content type for given perms and klass differs')

    def handle_exception(self, exc):
        """
        Handle any exception that occurs, by returning an appropriate response,
        or re-raising the error.
        """
        if isinstance(exc, (exceptions.NotAuthenticated,
                            exceptions.AuthenticationFailed)):
            # WWW-Authenticate header for 401 responses, else coerce to 403
            auth_header = self.get_authenticate_header(self.request)
    
            if auth_header:
                exc.auth_header = auth_header
            else:
                exc.status_code = status.HTTP_403_FORBIDDEN
    
        exception_handler = self.get_exception_handler()
    
        context = self.get_exception_handler_context()
        response = exception_handler(exc, context)
    
        if response is None:
>           self.raise_uncaught_exception(exc)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:475: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
exc = MixedContentTypeError('Content type for given perms and klass differs')

    def raise_uncaught_exception(self, exc):
        if settings.DEBUG:
            request = self.request
            renderer_format = getattr(request.accepted_renderer, 'format')
            use_plaintext_traceback = renderer_format not in ('html', 'api', 'admin')
            request.force_plaintext_errors(use_plaintext_traceback)
>       raise exc

.venv/lib/python3.13............/site-packages/rest_framework/views.py:486: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
request = <rest_framework.request.Request: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = (), kwargs = {'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}
handler = <bound method UpdateModelMixin.partial_update of <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>>

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
    
        try:
            self.initial(request, *args, **kwargs)
    
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
    
>           response = handler(request, *args, **kwargs)

.venv/lib/python3.13............/site-packages/rest_framework/views.py:512: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
request = <rest_framework.request.Request: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = ()
kwargs = {'partial': True, 'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}

    def partial_update(self, request, *args, **kwargs):
        kwargs['partial'] = True
>       return self.update(request, *args, **kwargs)

.venv/lib/python3.13....../site-packages/rest_framework/mixins.py:82: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
request = <rest_framework.request.Request: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
args = (), kwargs = {'pk': '22756403-8582-42a5-b3f6-cedfae79dc35'}
partial = True

    def update(self, request, *args, **kwargs):
        partial = kwargs.pop('partial', False)
>       instance = self.get_object()

.venv/lib/python3.13....../site-packages/rest_framework/mixins.py:65: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>

    def get_object(self):
        """
        Returns the object the view is displaying.
    
        You may want to override this if you need to provide non-standard
        queryset lookups.  Eg if objects are referenced using multiple
        keyword arguments in the url conf.
        """
>       queryset = self.filter_queryset(self.get_queryset())

.venv/lib/python3.13....../site-packages/rest_framework/generics.py:87: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>
queryset = <QuerySet []>

    def filter_queryset(self, queryset):
        """
        Given a queryset, filter it with whichever filter backend is in use.
    
        You are unlikely to want to override this method, although you may need
        to call it either from a list view, or from a custom `get_object`
        method if you want to apply the configured filtering backend to the
        default queryset.
        """
        for backend in list(self.filter_backends):
>           queryset = backend().filter_queryset(self.request, queryset, self)

.venv/lib/python3.13....../site-packages/rest_framework/generics.py:154: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.filters.ObjectFilter object at 0x7efcbe1cd8c0>
request = <rest_framework.request.Request: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
queryset = <QuerySet []>
view = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>

    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView) -> QuerySet:
        permission = self.perm_format % {
            "app_label": queryset.model._meta.app_label,
            "model_name": queryset.model._meta.model_name,
        }
        # having the global permission set on a user has higher priority than
        # per-object permissions
        if request.user.has_perm(permission):
            return queryset
        # User does not have permissions, but we have an owner field defined, so filter by that
        if owner_field := getattr(view, "owner_field", None):
            return queryset.filter(**{owner_field: request.user})
>       queryset = super().filter_queryset(request, queryset, view)

authentik/rbac/filters.py:32: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.rbac.filters.ObjectFilter object at 0x7efcbe1cd8c0>
request = <rest_framework.request.Request: PATCH '.../invitation/invitations/22756403-8582-42a5-b3f6-cedfae79dc35/'>
queryset = <QuerySet []>
view = <authentik.stages.invitation.api.InvitationViewSet object at 0x7efcbec5dfd0>

    def filter_queryset(self, request, queryset, view):
        # We want to defer this import until runtime, rather than import-time.
        # See https://github..../django-rest-framework/issues/4608
        # (Also see #1624 for why we need to make this import explicitly)
        from guardian.shortcuts import get_objects_for_user
    
        user = request.user
        permission = self.perm_format % {
            'app_label': queryset.model._meta.app_label,
            'model_name': queryset.model._meta.model_name,
        }
    
>       return get_objects_for_user(
            user, permission, queryset,
            **self.shortcut_kwargs)

.venv/lib/python3.13.../site-packages/rest_framework_guardian/filters.py:28: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

user = <SimpleLazyObject: <User: 2KwJUNscRPrV2k3QyklH>>
perms = ['authentik_stages_invitation.view_invitation'], klass = <QuerySet []>
use_groups = True, any_perm = False, with_superuser = True
accept_global_perms = False

    def get_objects_for_user(
        user: Any,
        perms: Union[str, list[str]],
        klass: Union[Model, Manager, QuerySet, None] = None,
        use_groups: bool = True,
        any_perm: bool = False,
        with_superuser: bool = True,
        accept_global_perms: bool = True,
    ) -> list[Model]:
        """Get objects that a user has *all* the supplied permissions for.
    
        Parameters:
            user (User | AnonymousUser): user to check for permissions.
            perms (str | list[str]): permission(s) to be checked.
                If `klass` parameter is not given, those should be full permission
                names rather than only codenames (i.e. `auth.change_user`).
                If more than one permission is present within sequence, their content type **must** be
                the same or `MixedContentTypeError` exception would be raised.
            klass (Modal | Manager | QuerySet): If not provided, this parameter would be
                computed based on given `params`.
            use_groups (bool): Whether to check user's groups object permissions.
            any_perm (bool): Whether any of the provided permissions in sequence is accepted.
            with_superuser (bool): if `user.is_superuser`, whether to return the entire queryset.
                Otherwise will only return objects the user has explicit permissions.
                This must be `True` for the `accept_global_perms` parameter to have any affect.
            accept_global_perms (bool): Whether global permissions are taken into account.
                Object based permissions are taken into account if more than one permission is
                provided in in perms and at least one of these perms is not globally set.
                If `any_perm` is `False` then the intersection of matching object is returned.
                Note, that if `with_superuser` is `False`, `accept_global_perms` will be ignored,
                which means that only object permissions will be checked!
    
        Raises:
            MixedContentTypeError: when computed content type for `perms` and/or `klass` clashes.
            WrongAppError: if cannot compute app label for given `perms` or `klass`.
    
        Example:
            ```shell
            >>> from django.contrib.auth.models import User
            >>> from guardian.shortcuts import get_objects_for_user
            >>> joe = User.objects.get(username='joe')
            >>> get_objects_for_user(joe, 'auth.change_group')
            []
            >>> from guardian.shortcuts import assign_perm
            >>> group = Group.objects.create('some group')
            >>> assign_perm('auth.change_group', joe, group)
            >>> get_objects_for_user(joe, 'auth.change_group')
            [<Group some group>]
    
            # The permission string can also be an iterable. Continuing with the previous example:
    
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
            []
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'], any_perm=True)
            [<Group some group>]
            >>> assign_perm('auth.delete_group', joe, group)
            >>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
            [<Group some group>]
    
            # Take global permissions into account:
    
            >>> jack = User.objects.get(username='jack')
            >>> assign_perm('auth.change_group', jack) # this will set a global permission
            >>> get_objects_for_user(jack, 'auth.change_group')
            [<Group some group>]
            >>> group2 = Group.objects.create('other group')
            >>> assign_perm('auth.delete_group', jack, group2)
            >>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group']) # this retrieves intersection
            [<Group other group>]
            >>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group'], any_perm) # this retrieves union
            [<Group some group>, <Group other group>]
            ```
    
        Note:
            If `accept_global_perms` is set to `True`, then all assigned global
            permissions will also be taken into account.
    
            - Scenario 1: a user has view permissions generally defined on the model
              'books' but no object-based permission on a single book instance:
    
                - If `accept_global_perms` is `True`: A list of all books will be returned.
                - If `accept_global_perms` is `False`: The list will be empty.
    
            - Scenario 2: a user has view permissions generally defined on the model
              'books' and also has an object-based permission to view book 'Whatever':
    
                - If `accept_global_perms` is `True`: A list of all books will be returned.
                - If `accept_global_perms` is `False`: The list will only contain book 'Whatever'.
    
            - Scenario 3: a user only has object-based permission on book 'Whatever':
    
                - If `accept_global_perms` is `True`: The list will only contain book 'Whatever'.
                - If `accept_global_perms` is `False`: The list will only contain book 'Whatever'.
    
            - Scenario 4: a user does not have any permission:
    
                - If `accept_global_perms` is `True`: An empty list is returned.
                - If `accept_global_perms` is `False`: An empty list is returned.
        """
        if isinstance(perms, str):
            perms = [perms]
        ctype = None
        app_label = None
        codenames = set()
    
        # Compute codenames and set and ctype if possible
        for perm in perms:
            if "." in perm:
                new_app_label, codename = perm.split(".", 1)
                if app_label is not None and app_label != new_app_label:
                    raise MixedContentTypeError("Given perms must have same app "
                                                "label (%s != %s)" % (app_label, new_app_label))
                else:
                    app_label = new_app_label
            else:
                codename = perm
            codenames.add(codename)
            if app_label is not None:
                new_ctype = new_ctype = _get_ct_cached(app_label, codename)
                if ctype is not None and ctype != new_ctype:
                    raise MixedContentTypeError("ContentType was once computed "
                                                "to be %s and another one %s" % (ctype, new_ctype))
                else:
                    ctype = new_ctype
    
        # Compute queryset and ctype if still missing
        if ctype is None and klass is not None:
            queryset = _get_queryset(klass)
            ctype = get_content_type(queryset.model)
        elif ctype is not None and klass is None:
            queryset = _get_queryset(ctype.model_class())
        elif klass is None:
            raise WrongAppError("Cannot determine content type")
        else:
            queryset = _get_queryset(klass)
            if ctype != get_content_type(queryset.model):
>               raise MixedContentTypeError(
                    "Content type for given perms and " "klass differs"
                )
E               guardian.exceptions.MixedContentTypeError: Content type for given perms and klass differs

.venv/lib/python3.13.../site-packages/guardian/shortcuts.py:567: MixedContentTypeError

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}