From f992d2060f930ca0b0f512ee6ccf9921c24b206c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simonyi=20Gerg=C5=91?=
Date: Fri, 5 Sep 2025 11:45:13 +0200
Subject: [PATCH] core: remove superuser condition on token list

This is a remnant from before we had object-level permissions.
---
 authentik/core/api/tokens.py | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index 1b26092905a6..676d1f9ec0a5 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -4,7 +4,7 @@
 from django.utils.timezone import now
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
-from guardian.shortcuts import assign_perm, get_anonymous_user
+from guardian.shortcuts import assign_perm
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@@ -138,12 +138,6 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
 owner_field = "user"
 rbac_allow_create_without_perm = True
- def get_queryset(self):
- user = self.request.user if self.request else get_anonymous_user()
- if user.is_superuser:
- return super().get_queryset()
- return super().get_queryset().filter(user=user.pk)
-
 def perform_create(self, serializer: TokenSerializer):
 if not self.request.user.is_superuser:
 instance = serializer.save(
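Review bot: With `get_queryset` gone, nothing in `TokenViewSet` itself limits a non-superuser's token list to their own rows, so the scoping now rests entirely on whatever consumes `owner_field = "user"` and on the object-level permission filter, neither of which is visible in this diff. Since tokens are credentials, I would pin that in this commit with a regression test: a non-superuser holding no token permissions lists only their own tokens, and a request for another user's token is rejected. A short comment above `owner_field`, such as `# list/retrieve scoping for non-superusers is enforced by the object-permission filter via owner_field`, would keep a later refactor from dropping the last guard unnoticed. It is also worth confirming whether a non-superuser granted a global view permission on tokens is now meant to see every user's tokens, because the removed `.filter(user=user.pk)` prevented that regardless of permissions. The class body continues outside the hunk.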