Fix permissions evaluation for session-authenticated API requests

This commit is contained in:
Jeremy Stretch 2020-07-08 17:51:25 -04:00
parent ccdbf820ba
commit 0a44ed1355


@ -75,16 +75,15 @@ class TokenPermissions(DjangoObjectPermissions):
super().__init__() super().__init__()
def _verify_write_permission(self, request): def _verify_write_permission(self, request):
# If token authentication is in use, verify that the token allows write operations (for unsafe methods). # If token authentication is in use, verify that the token allows write operations (for unsafe methods).
if request.method in SAFE_METHODS: if request.method in SAFE_METHODS or request.auth.write_enabled:
return True
if isinstance(request.auth, Token) and request.auth.write_enabled:
return True return True
def has_permission(self, request, view): def has_permission(self, request, view):
# Enforce Token write ability # Enforce Token write ability
if not self._verify_write_permission(request): if isinstance(request.auth, Token) and not self._verify_write_permission(request):
return False return False
return super().has_permission(request, view) return super().has_permission(request, view)
@ -92,7 +91,7 @@ class TokenPermissions(DjangoObjectPermissions):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
# Enforce Token write ability # Enforce Token write ability
if not self._verify_write_permission(request): if isinstance(request.auth, Token) and not self._verify_write_permission(request):
return False return False
return super().has_object_permission(request, view, obj) return super().has_object_permission(request, view, obj)
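Review bot: The new `_verify_write_permission` now dereferences `request.auth.write_enabled` unconditionally, so it only stays safe because both callers (`has_permission` here and `has_object_permission` in the second hunk) repeat the `isinstance(request.auth, Token)` guard in front of it; a future caller that forgets the guard gets an AttributeError on a session-authenticated request (`request.auth` is None) rather than a deny, and the helper still falls off the end returning None instead of an explicit False when a token is not write-enabled. I would move the token check into the helper so the write-enforcement decision lives in one place and the callers go back to a plain `if not self._verify_write_permission(request): return False`; the helper's comment should say that non-token (session) authentication deliberately skips this gate and relies on `DjangoObjectPermissions` alone, since that is the behaviour this commit introduces. The first hunk's layout does not expose which side each line belongs to, so I am reading it by the commit description; if the section continues past what is shown here, the second method's tail is outside this view.
```python
def _verify_write_permission(self, request):
    # Only token authentication carries a write_enabled flag. Session (and any other)
    # authentication is governed solely by DjangoObjectPermissions, so it passes here.
    if not isinstance(request.auth, Token):
        return True
    return request.method in SAFE_METHODS or bool(request.auth.write_enabled)

def has_permission(self, request, view):
    # Enforce Token write ability
    if not self._verify_write_permission(request):
        return False
    # … unchanged: delegate to DjangoObjectPermissions …
```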