NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-07-25 18:08:38 -06:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Move EXEMPT_EXCLUDE_MODELS to settings; add Group and User models

Browse Source
This commit is contained in:
Jeremy Stretch 2020-07-22 12:13:07 -04:00
parent b4cf85149b
commit 64a3bd37e7
4 changed files with 25 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
netbox/netbox/settings.py
View File

@ -382,6 +382,14 @@ LOGIN_URL = '/{}login/'.format(BASE_PATH)
CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
# Exclude potentially sensitive models from wildcard view exemption. These may still be exempted
# by specifying the model individually in the EXEMPT_VIEW_PERMISSIONS configuration parameter.
EXEMPT_EXCLUDE_MODELS = (
('auth', 'group'),
('auth', 'user'),
('users', 'objectpermission'),
)
# #
# Caching # Caching
# #

14
netbox/users/tests/test_api.py
View File

@ -128,17 +128,3 @@ class ObjectPermissionTest(APIViewTestCases.APIViewTestCase):
'constraints': {'name': 'TEST6'}, 'constraints': {'name': 'TEST6'},
}, },
] ]
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_list_objects_anonymous(self):
# Endpoint should never be exposed via EXEMPT_VIEW_PERMISSIONS
url = self._get_list_url()
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_get_object_anonymous(self):
# Endpoint should never be exposed via EXEMPT_VIEW_PERMISSIONS
url = self._get_detail_url(self._get_queryset().first())
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)

8
netbox/utilities/permissions.py
View File

@ -1,12 +1,6 @@
from django.conf import settings from django.conf import settings
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
# Exclude potentially sensitive models from wild view exemption. These may still be exempted
# by specifying the model individually in the EXEMPT_VIEW_PERMISSIONS configuration parameter.
EXEMPT_EXCLUDE_MODELS = (
('users', 'objectpermission'),
)
def get_permission_for_model(model, action): def get_permission_for_model(model, action):
""" """
@ -70,7 +64,7 @@ def permission_is_exempt(name):
if action == 'view': if action == 'view':
if ( if (
# All models (excluding those in EXEMPT_EXCLUDE_MODELS) are exempt from view permission enforcement # All models (excluding those in EXEMPT_EXCLUDE_MODELS) are exempt from view permission enforcement
'*' in settings.EXEMPT_VIEW_PERMISSIONS and (app_label, model_name) not in EXEMPT_EXCLUDE_MODELS '*' in settings.EXEMPT_VIEW_PERMISSIONS and (app_label, model_name) not in settings.EXEMPT_EXCLUDE_MODELS
) or ( ) or (
# This specific model is exempt from view permission enforcement # This specific model is exempt from view permission enforcement
f'{app_label}.{model_name}' in settings.EXEMPT_VIEW_PERMISSIONS f'{app_label}.{model_name}' in settings.EXEMPT_VIEW_PERMISSIONS

12
netbox/utilities/testing/api.py
View File

@ -1,3 +1,4 @@
from django.conf import settings
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
from django.urls import reverse from django.urls import reverse
@ -62,6 +63,11 @@ class APIViewTestCases:
GET a single object as an unauthenticated user. GET a single object as an unauthenticated user.
""" """
url = self._get_detail_url(self._get_queryset().first()) url = self._get_detail_url(self._get_queryset().first())
if (self.model._meta.app_label, self.model._meta.model_name) in settings.EXEMPT_EXCLUDE_MODELS:
# Models listed in EXEMPT_EXCLUDE_MODELS should not be accessible to anonymous users
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
else:
response = self.client.get(url, **self.header) response = self.client.get(url, **self.header)
self.assertHttpStatus(response, status.HTTP_200_OK) self.assertHttpStatus(response, status.HTTP_200_OK)
@ -111,8 +117,12 @@ class APIViewTestCases:
GET a list of objects as an unauthenticated user. GET a list of objects as an unauthenticated user.
""" """
url = self._get_list_url() url = self._get_list_url()
if (self.model._meta.app_label, self.model._meta.model_name) in settings.EXEMPT_EXCLUDE_MODELS:
# Models listed in EXEMPT_EXCLUDE_MODELS should not be accessible to anonymous users
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
else:
response = self.client.get(url, **self.header) response = self.client.get(url, **self.header)
self.assertHttpStatus(response, status.HTTP_200_OK) self.assertHttpStatus(response, status.HTTP_200_OK)
self.assertEqual(len(response.data['results']), self._get_queryset().count()) self.assertEqual(len(response.data['results']), self._get_queryset().count())