Fixes: #19669 & #18396 - Allow Token Authentication against Media view

2025-09-06 06:13:36 -06:00 · 2025-08-07 13:20:50 -05:00 · 2025-08-07 13:20:50 -05:00 · 1cb10eeb4f
commit 1cb10eeb4f
parent 122f612750
2 changed files with 20 additions and 2 deletions
--- a/netbox/netbox/views/misc.py
+++ b/netbox/netbox/views/misc.py
@ -20,7 +20,7 @@ from netbox.search.backends import search_backend
 from netbox.tables import SearchTable
 from utilities.htmx import htmx_partial
 from utilities.paginator import EnhancedPaginator, get_paginate_count
-from utilities.views import ConditionalLoginRequiredMixin
+from utilities.views import ConditionalLoginRequiredMixin, TokenConditionalLoginRequiredMixin

 __all__ = (
    'HomeView',
@ -119,7 +119,7 @@ class SearchView(ConditionalLoginRequiredMixin, View):
        })


-class MediaView(ConditionalLoginRequiredMixin, View):
+class MediaView(TokenConditionalLoginRequiredMixin, View):
    """
    Wrap Django's serve() view to enforce LOGIN_REQUIRED for static media.
    """
--- a/netbox/utilities/views.py
+++ b/netbox/utilities/views.py
@ -6,7 +6,9 @@ from django.core.exceptions import ImproperlyConfigured
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
 from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import AuthenticationFailed

+from netbox.api.authentication import TokenAuthentication
 from netbox.plugins import PluginConfig
 from netbox.registry import registry
 from utilities.relations import get_related_models
@ -19,6 +21,7 @@ __all__ = (
    'GetRelatedModelsMixin',
    'GetReturnURLMixin',
    'ObjectPermissionRequiredMixin',
+    'TokenConditionalLoginRequiredMixin',
    'ViewTab',
    'get_viewname',
    'register_model_view',
@ -39,6 +42,21 @@ class ConditionalLoginRequiredMixin(AccessMixin):
        return super().dispatch(request, *args, **kwargs)


+class TokenConditionalLoginRequiredMixin(ConditionalLoginRequiredMixin):
+    def dispatch(self, request, *args, **kwargs):
+        # Attempt to authenticate the user using a DRF token, if provided
+        if settings.LOGIN_REQUIRED and not request.user.is_authenticated:
+            authenticator = TokenAuthentication()
+            try:
+                auth_info = authenticator.authenticate(request)
+                if auth_info is not None:
+                    request.user = auth_info[0]  # User object
+            except AuthenticationFailed:
+                pass
+
+        return super().dispatch(request, *args, **kwargs)
+
+
 class ContentTypePermissionRequiredMixin(ConditionalLoginRequiredMixin):
    """
    Similar to Django's built-in PermissionRequiredMixin, but extended to check model-level permission assignments.