Unable to clear or change background for a specific flow #15763
Description
Describe the bug
We are unable to choose a new background or use the clear background slider to customize a flow's apperance. At some point, a flow background was set, as the text "Currently set to: /media/public/media/hrc_lobby.png" is present in the flows' apperance configuration. Trying either results in a "Response returned an error code" error message when trying to apply the changes.
To Reproduce
Steps to reproduce the behavior:
Clearing background:
- Go to Flows and Stages > Flows
- Click on Appearance settings > Clear background
- Click Update
- See error
Setting new background:
- Go to Flows and Stages > Flows
- Click on Appearance settings > Choose File
- Upload arbitrary image file with OS file picker
- Click Update
- See error
Expected behavior
Clear background: the flow's customized background should be unset, and the flow should now be using the background defined in the brand.
New background: The newly uploaded image should now be the background used for this flow, overriding the brand's background.
Screenshots
Attaching flow, brand.
Logs
Providing log snips for server, and items from event logs in UI that happen after attempting to update the flow's background.
SERVER:
{
"action": "model_updated",
"auth_via": "session",
"client_ip": "[REDACTED]",
"context": {
"asn": {
"as_org": "[REDACTED]",
"asn": [REDACTED],
"network": "[REDACTED]"
},
"geo": {
"city": "[REDACTED]",
"continent": "[REDACTED]",
"country": "[REDACTED]",
"lat": "[REDACTED]",
"long": "[REDACTED]"
},
"http_request": {
"args": {},
"method": "PUT",
"path": "/api/v3/flows/instances/[REDACTED]/",
"request_id": "[REDACTED]",
"user_agent": "[REDACTED]"
},
"model": {
"app": "authentik_flows",
"model_name": "flow",
"name": "[REDACTED]",
"pk": "[REDACTED]"
}
},
"domain_url": "[REDACTED]",
"event": "Created Event",
"host": "[REDACTED]",
"level": "info",
"logger": "authentik.events.models",
"pid": 25633,
"request_id": "[REDACTED]",
"schema_name": "public",
"timestamp": "2025-07-23T17:10:10.121620",
"user": {
"email": "[REDACTED]",
"pk": 27,
"username": "[REDACTED]"
}
}
{
"auth_via": "session",
"domain_url": "[REDACTED]",
"event": "Task published",
"host": "[REDACTED]",
"level": "info",
"logger": "authentik.root.celery",
"pid": 25633,
"request_id": "[REDACTED]",
"schema_name": "public",
"task_id": "[REDACTED]",
"task_name": "authentik.events.tasks.event_notification_handler",
"timestamp": "2025-07-23T17:10:10.155850"
}
{
"auth_via": "session",
"domain_url": "[REDACTED]",
"event": "/api/v3/flows/instances/[REDACTED]/",
"host": "[REDACTED]",
"level": "info",
"logger": "authentik.asgi",
"method": "PUT",
"pid": 25633,
"remote": "[REDACTED]",
"request_id": "[REDACTED]",
"runtime": 118,
"schema_name": "public",
"scheme": "https",
"status": 200,
"timestamp": "2025-07-23T17:10:10.171052",
"user": "[REDACTED]",
"user_agent": "[REDACTED]"
}
{
"domain_url": null,
"event": "/ws/client/",
"level": "info",
"logger": "authentik.asgi",
"pid": 28504,
"remote": "[REDACTED]",
"schema_name": "public",
"scheme": "ws",
"timestamp": "2025-07-23T17:10:10.250192",
"user_agent": "[REDACTED]"
}
EVENT LOG, SUSPICIOUS REQUEST:
{
"asn": {
"asn": 73,
"as_org": "[REDACTED]",
"network": "[REDACTED]"
},
"geo": {
"lat": "[REDACTED]",
"city": "[REDACTED]",
"long": "[REDACTED]",
"country": "[REDACTED]",
"continent": "[REDACTED]"
},
"message": "Traceback (most recent call last):\n File \"/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py\", line 518, in thread_handler\n raise exc_info[1]\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/core/handlers/base.py\", line 253, in _get_response_async\n response = await wrapped_callback(\n ^^^^^^^^^^^^^^^^^^^^^^^\n request, *callback_args, **callback_kwargs\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n )\n ^\n File \"/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py\", line 468, in __call__\n ret = await asyncio.shield(exec_coro)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/asgiref/current_thread_executor.py\", line 40, in run\n result = self.fn(*self.args, **self.kwargs)\n File \"/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py\", line 522, in thread_handler\n return func(*args, **kwargs)\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/views/decorators/csrf.py\", line 65, in _view_wrapper\n return view_func(request, *args, **kwargs)\n File \"/ak-root/.venv/lib/python3.13/site-packages/rest_framework/viewsets.py\", line 125, in view\n return self.dispatch(request, *args, **kwargs)\n ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py\", line 515, in dispatch\n response = self.handle_exception(exc)\n File \"/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py\", line 475, in handle_exception\n self.raise_uncaught_exception(exc)\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py\", line 486, in raise_uncaught_exception\n raise exc\n File \"/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py\", line 512, in dispatch\n response = handler(request, *args, **kwargs)\n File \"/authentik/rbac/decorators.py\", line 39, in wrapper\n return func(self, request, *args, **kwargs)\n File \"/authentik/flows/api/flows.py\", line 258, in set_background\n return set_file(request, flow, \"background\")\n File \"/authentik/lib/utils/file.py\", line 35, in set_file\n field.delete()\n ~~~~~~~~~~~~^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/db/models/fields/files.py\", line 118, in delete\n self.storage.delete(self.name)\n ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/core/files/storage/filesystem.py\", line 183, in delete\n name = self.path(name)\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/core/files/storage/filesystem.py\", line 220, in path\n return safe_join(self.location, name)\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/utils/_os.py\", line 31, in safe_join\n raise SuspiciousFileOperation(\n ...<2 lines>...\n )\ndjango.core.exceptions.SuspiciousFileOperation: The joined path (/media/hrc_lobby.png) is located outside of the base path component (/media/public)",
"http_request": {
"args": {},
"path": "/api/v3/flows/instances/[REDACTED]/set_background/",
"method": "POST",
"request_id": "[REDACTED]",
"user_agent": "[REDACTED]"
}
}
User
{
"pk": 27,
"email": "[REDACTED]",
"username": "[REDACTED]"
}
EVENT LOG: MODEL UPDATED:
UID
[REDACTED]
Name
[REDACTED]
App
authentik_flows
Model Name
flow
Context
{
"asn": {
"asn": 73,
"as_org": "[REDACTED]",
"network": "[REDACTED]"
},
"geo": {
"lat": "[REDACTED]",
"city": "[REDACTED]",
"long": "[REDACTED]",
"country": "[REDACTED]",
"continent": "[REDACTED]"
},
"model": {
"pk": "13d2e76a34614712b1ec238a50a89027",
"app": "authentik_flows",
"name": "[REDACTED]",
"model_name": "flow"
},
"http_request": {
"args": {},
"path": "/api/v3/flows/instances/[REDACTED]/",
"method": "PUT",
"request_id": "[REDACTED]",
"user_agent": "[REDACTED]"
}
}
User
{
"pk": 27,
"email": "[REDACTED]",
"username": "[REDACTED]"
}
Version and Deployment (please complete the following information):
- authentik version: 2025.6.4
- Deployment: helm, media files on azurefile-csi