Fix permissions evaluation for session-authenticated API requests

Jeremy Stretch 2020-07-08 17:51:25 -04:00
parent ccdbf820ba
commit 0a44ed1355


@ -75,16 +75,15 @@ class TokenPermissions(DjangoObjectPermissions):
super().__init__()
def _verify_write_permission(self, request):
# If token authentication is in use, verify that the token allows write operations (for unsafe methods).
if request.method in SAFE_METHODS:
return True
if isinstance(request.auth, Token) and request.auth.write_enabled:
if request.method in SAFE_METHODS or request.auth.write_enabled:
return True
def has_permission(self, request, view):
# Enforce Token write ability
if not self._verify_write_permission(request):
if isinstance(request.auth, Token) and not self._verify_write_permission(request):
return False
return super().has_permission(request, view)
@ -92,7 +91,7 @@ class TokenPermissions(DjangoObjectPermissions):
def has_object_permission(self, request, view, obj):
# Enforce Token write ability
if not self._verify_write_permission(request):
if isinstance(request.auth, Token) and not self._verify_write_permission(request):
return False
return super().has_object_permission(request, view, obj)
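Review bot: `_verify_write_permission` now appears to read `request.auth.write_enabled` without checking the type of `request.auth`, so it is only safe because `has_permission` and `has_object_permission` each repeat the `isinstance(request.auth, Token)` guard; a later caller that omits the guard would raise AttributeError on a session-authenticated request, assuming `request.auth` is None there. Keeping the decision inside the helper, with `if not isinstance(request.auth, Token): return True` as its first statement, puts the write check in one place and lets both callers stay as `if not self._verify_write_permission(request):`. The helper also falls off the end and returns None on denial, so an explicit `return False` would make the deny path visible, and the comment "If token authentication is in use" now describes a check that lives in the callers. The class starts outside the hunk, and the old and new sides are inferred here because the page shows no +/- markers.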