Merge release v2.4.6

2025-12-20 12:22:23 -06:00 · 2018-10-10 09:36:51 -04:00
parent 364bbdeab8 7d1f6b7049
commit 22ed4f1b53
23 changed files with 508 additions and 21 deletions
--- a/netbox/users/migrations/0003_token_permissions.py
+++ b/netbox/users/migrations/0003_token_permissions.py
@@ -0,0 +1,17 @@
+# Generated by Django 2.0.8 on 2018-10-05 14:32
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0001_api_tokens_squashed_0002_unicode_literals'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='token',
+            options={},
+        ),
+    ]
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@@ -39,7 +39,7 @@ class Token(models.Model):
    )

    class Meta:
-        default_permissions = []
+        pass

    def __str__(self):
        # Only display the last 24 bits of the token to avoid accidental exposure.
--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@@ -1,8 +1,8 @@
 from django.contrib import messages
 from django.contrib.auth import login as auth_login, logout as auth_logout, update_session_auth_hash
 from django.contrib.auth.decorators import login_required
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import HttpResponseRedirect
+from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.http import HttpResponseForbidden, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
@@ -217,8 +217,12 @@ class TokenEditView(LoginRequiredMixin, View):
    def get(self, request, pk=None):

        if pk is not None:
+            if not request.user.has_perm('users.change_token'):
+                return HttpResponseForbidden()
            token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
        else:
+            if not request.user.has_perm('users.add_token'):
+                return HttpResponseForbidden()
            token = Token(user=request.user)

        form = TokenForm(instance=token)
@@ -260,7 +264,8 @@ class TokenEditView(LoginRequiredMixin, View):
        })


-class TokenDeleteView(LoginRequiredMixin, View):
+class TokenDeleteView(PermissionRequiredMixin, View):
+    permission_required = 'users.delete_token'

    def get(self, request, pk):