8853 make token view accessible only once on POST

This commit is contained in:
Arthur 2022-10-27 12:38:57 -07:00
parent c262593706
commit 08b965b55e
4 changed files with 20 additions and 23 deletions


@ -1,4 +1,5 @@
{% extends 'generic/object.html' %}
{% load form_helpers %}
{% load helpers %}
{% load plugins %}
@ -17,6 +18,7 @@
</table>
<form method="post">
{% csrf_token %}
{% render_form form %}
<div class="row my-3">
<div class="col col-md-12 text-center">
<button type="submit" name="_addanother" class="btn btn-outline-primary">


@ -127,3 +127,7 @@ class TokenForm(BootstrapMixin, forms.ModelForm):
keyfield.disabled = True
keyfield.required = False
keyfield.widget = forms.HiddenInput()
class TokenViewForm(BootstrapMixin, forms.Form):
view_token = forms.BooleanField(widget=forms.HiddenInput(), required=False)
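Review bot: TokenViewForm has no docstring, so a reader of forms.py cannot tell why a form with a single hidden, optional BooleanField exists or which view consumes it. A one-line docstring under the class line, e.g. `"""Hidden-field form posted back from the token display page; view_token marks the submission as an acknowledgement rather than token data."""`, would tie it to its use in TokenEditView. The visible context suggests the class is appended directly after TokenForm.__init__; confirm the usual two blank lines separate the two definitions, since the rendered page may have dropped them.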


@ -10,7 +10,6 @@ urlpatterns = [
path('password/', views.ChangePasswordView.as_view(), name='change_password'),
path('api-tokens/', views.TokenListView.as_view(), name='token_list'),
path('api-tokens/add/', views.TokenEditView.as_view(), name='token_add'),
path('api-tokens/<int:pk>/', views.TokenKeyView.as_view(), name='token_key'),
path('api-tokens/<int:pk>/edit/', views.TokenEditView.as_view(), name='token_edit'),
path('api-tokens/<int:pk>/delete/', views.TokenDeleteView.as_view(), name='token_delete'),


@ -20,7 +20,7 @@ from extras.tables import ObjectChangeTable
from netbox.authentication import get_auth_backend_display, get_saml_idps
from netbox.config import get_config
from utilities.forms import ConfirmationForm
from .forms import LoginForm, PasswordChangeForm, TokenForm, UserConfigForm
from .forms import LoginForm, PasswordChangeForm, TokenForm, TokenViewForm, UserConfigForm
from .models import Token, UserConfig
from .tables import TokenTable
@ -274,6 +274,12 @@ class TokenEditView(LoginRequiredMixin, View):
form = TokenForm(request.POST)
if form.is_valid():
if 'view_token' in request.POST and request.POST['view_token']:
if '_addanother' in request.POST:
return redirect(request.path)
else:
return redirect('users:token_list')
token = form.save(commit=False)
token.user = request.user
token.save()
@ -282,7 +288,13 @@ class TokenEditView(LoginRequiredMixin, View):
messages.success(request, msg)
if not pk and not settings.ALLOW_TOKEN_RETRIEVAL:
return redirect('users:token_key', pk=token.pk)
form = TokenViewForm(initial={'view_token': True})
return render(request, 'users/api_token.html', {
'object': token,
'form': form,
'key': token.key,
'return_url': reverse('users:token_list'),
})
elif '_addanother' in request.POST:
return redirect(request.path)
else:
@ -326,23 +338,3 @@ class TokenDeleteView(LoginRequiredMixin, View):
'form': form,
'return_url': reverse('users:token_list'),
})
class TokenKeyView(LoginRequiredMixin, View):
def get(self, request, pk):
token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
return render(request, 'users/api_token.html', {
'object': token,
'key': token.key,
'return_url': reverse('users:token_list'),
})
def post(self, request, pk):
token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
if '_addanother' in request.POST:
return redirect('users:token_add')
else:
return redirect('users:token_list')
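Review bot: The view_token short-circuit inserted after `if form.is_valid():` only runs when TokenForm validates the acknowledgement POST, which carries just the hidden flag and the CSRF token; if any TokenForm field is required (the form's definition is outside this diff), the dismiss submission falls through to the save path or re-renders with errors instead of redirecting. Checking the flag before the form is built, e.g. `if request.POST.get('view_token'):` at the top of post(), decouples the two forms, and validating with `TokenViewForm(request.POST)` and reading `cleaned_data['view_token']` would replace the raw truthiness test on the posted string. Separately, the creation branch now renders api_token.html directly from the POST instead of redirecting to the removed token_key view, so a browser refresh on the key page would likely resubmit the creation form and mint a second token; if that is accepted, a comment on the render call stating that the key is shown once and only in the POST response would help the next maintainer. TokenEditView.post starts and ends outside these hunks.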