Enforce view permissions for API views

2025-07-15 19:52:52 -06:00 · 2019-04-11 17:40:46 -04:00 · 2019-04-11 17:40:46 -04:00 · 43a569d18a
commit 43a569d18a
parent e710ccb0e6
1 changed files with 15 additions and 0 deletions
--- a/netbox/netbox/api.py
+++ b/netbox/netbox/api.py
@ -55,16 +55,31 @@ class TokenPermissions(DjangoModelPermissions):
    Custom permissions handler which extends the built-in DjangoModelPermissions to validate a Token's write ability
    for unsafe requests (POST/PUT/PATCH/DELETE).
    """
+    # Override the stock perm_map to enforce view permissions
+    perms_map = {
+        'GET': ['%(app_label)s.view_%(model_name)s'],
+        'OPTIONS': [],
+        'HEAD': ['%(app_label)s.view_%(model_name)s'],
+        'POST': ['%(app_label)s.add_%(model_name)s'],
+        'PUT': ['%(app_label)s.change_%(model_name)s'],
+        'PATCH': ['%(app_label)s.change_%(model_name)s'],
+        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
+    }
+
    def __init__(self):
+
        # LOGIN_REQUIRED determines whether read-only access is provided to anonymous users.
        self.authenticated_users_only = settings.LOGIN_REQUIRED
+
        super().__init__()

    def has_permission(self, request, view):
+
        # If token authentication is in use, verify that the token allows write operations (for unsafe methods).
        if request.method not in SAFE_METHODS and isinstance(request.auth, Token):
            if not request.auth.write_enabled:
                return False
+
        return super().has_permission(request, view)