From 0a44ed135539a3f91457fa11bf00b70cfc7eb147 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Wed, 8 Jul 2020 17:51:25 -0400
Subject: [PATCH] Fix permissions evaluation for session-authenticated API requests

---
 netbox/netbox/api.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/netbox/netbox/api.py b/netbox/netbox/api.py
index a67a5d60a..28403f181 100644
--- a/netbox/netbox/api.py
+++ b/netbox/netbox/api.py
@@ -75,16 +75,15 @@ class TokenPermissions(DjangoObjectPermissions):
         super().__init__()
 
     def _verify_write_permission(self, request):
+        # If token authentication is in use, verify that the token allows write operations (for unsafe methods).
-        if request.method in SAFE_METHODS:
-            return True
-        if isinstance(request.auth, Token) and request.auth.write_enabled:
+        if request.method in SAFE_METHODS or request.auth.write_enabled:
             return True
 
     def has_permission(self, request, view):
         # Enforce Token write ability
-        if not self._verify_write_permission(request):
+        if isinstance(request.auth, Token) and not self._verify_write_permission(request):
             return False
         return super().has_permission(request, view)
 
@@ -92,7 +91,7 @@ class TokenPermissions(DjangoObjectPermissions):
 
     def has_object_permission(self, request, view, obj):
         # Enforce Token write ability
-        if not self._verify_write_permission(request):
+        if isinstance(request.auth, Token) and not self._verify_write_permission(request):
             return False
         return super().has_object_permission(request, view, obj)
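Review bot: `_verify_write_permission` now dereferences `request.auth.write_enabled` unconditionally, so its safety depends on every caller repeating the `isinstance(request.auth, Token)` guard this change adds to `has_permission` and, in the second hunk, `has_object_permission`; a session-authenticated request (`request.auth` is `None`) reaching the helper directly would raise `AttributeError` instead of being evaluated. Moving the type check into the helper keeps the token write-ability decision in one place and lets it return an explicit boolean rather than the implicit `None` it currently yields for a read-only token on an unsafe method. The two callers then revert to `if not self._verify_write_permission(request):`, and the added comment can describe the pass-through for non-token authentication. The `TokenPermissions` class body begins before the first hunk.
```python
    def _verify_write_permission(self, request):
        # Only token authentication carries a write_enabled flag; session-authenticated and
        # anonymous requests are left to the Django model/object permission checks in the callers.
        if not isinstance(request.auth, Token):
            return True
        return request.method in SAFE_METHODS or request.auth.write_enabled

    def has_permission(self, request, view):
        # Enforce Token write ability
        if not self._verify_write_permission(request):
            return False
        # … unchanged: super().has_permission(request, view) …
```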