8853 make token view accessible only once on POST

netbox/templates/users/api_token.html

@@ -1,4 +1,5 @@
 {% extends 'generic/object.html' %}
+{% load form_helpers %}
 {% load helpers %}
 {% load plugins %}
 
@@ -17,6 +18,7 @@
           </table>
           <form method="post">
             {% csrf_token %}
+            {% render_form form %}
             <div class="row my-3">
               <div class="col col-md-12 text-center">
                 <button type="submit" name="_addanother" class="btn btn-outline-primary">

netbox/users/forms.py

@@ -127,3 +127,7 @@ class TokenForm(BootstrapMixin, forms.ModelForm):
             keyfield.disabled = True
             keyfield.required = False
             keyfield.widget = forms.HiddenInput()
+
+
+class TokenViewForm(BootstrapMixin, forms.Form):
+    view_token = forms.BooleanField(widget=forms.HiddenInput(), required=False)

netbox/users/urls.py

@@ -10,7 +10,6 @@ urlpatterns = [
     path('password/', views.ChangePasswordView.as_view(), name='change_password'),
     path('api-tokens/', views.TokenListView.as_view(), name='token_list'),
     path('api-tokens/add/', views.TokenEditView.as_view(), name='token_add'),
-    path('api-tokens/<int:pk>/', views.TokenKeyView.as_view(), name='token_key'),
     path('api-tokens/<int:pk>/edit/', views.TokenEditView.as_view(), name='token_edit'),
     path('api-tokens/<int:pk>/delete/', views.TokenDeleteView.as_view(), name='token_delete'),
 

netbox/users/views.py

@@ -20,7 +20,7 @@ from extras.tables import ObjectChangeTable
 from netbox.authentication import get_auth_backend_display, get_saml_idps
 from netbox.config import get_config
 from utilities.forms import ConfirmationForm
-from .forms import LoginForm, PasswordChangeForm, TokenForm, UserConfigForm
+from .forms import LoginForm, PasswordChangeForm, TokenForm, TokenViewForm, UserConfigForm
 from .models import Token, UserConfig
 from .tables import TokenTable
 
@@ -274,6 +274,12 @@ class TokenEditView(LoginRequiredMixin, View):
             form = TokenForm(request.POST)
 
         if form.is_valid():
+            if 'view_token' in request.POST and request.POST['view_token']:
+                if '_addanother' in request.POST:
+                    return redirect(request.path)
+                else:
+                    return redirect('users:token_list')
+
             token = form.save(commit=False)
             token.user = request.user
             token.save()
@@ -282,7 +288,13 @@ class TokenEditView(LoginRequiredMixin, View):
             messages.success(request, msg)
 
             if not pk and not settings.ALLOW_TOKEN_RETRIEVAL:
-                return redirect('users:token_key', pk=token.pk)
+                form = TokenViewForm(initial={'view_token': True})
+                return render(request, 'users/api_token.html', {
+                    'object': token,
+                    'form': form,
+                    'key': token.key,
+                    'return_url': reverse('users:token_list'),
+                })
             elif '_addanother' in request.POST:
                 return redirect(request.path)
             else:
@@ -326,23 +338,3 @@ class TokenDeleteView(LoginRequiredMixin, View):
             'form': form,
             'return_url': reverse('users:token_list'),
         })
-
-
-class TokenKeyView(LoginRequiredMixin, View):
-
-    def get(self, request, pk):
-        token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
-
-        return render(request, 'users/api_token.html', {
-            'object': token,
-            'key': token.key,
-            'return_url': reverse('users:token_list'),
-        })
-
-    def post(self, request, pk):
-        token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
-
-        if '_addanother' in request.POST:
-            return redirect('users:token_add')
-        else:
-            return redirect('users:token_list')