Fixes #6073: Permit users to manage their own REST API tokens without needing explicit permission

Jeremy Stretch 2021-03-31 13:25:06 -04:00
parent c8eae3a5c3
commit 6ec8ac7597
3 changed files with 19 additions and 25 deletions


@ -1,5 +1,13 @@
# NetBox v2.10 # NetBox v2.10
## v2.10.9 (FUTURE)
### Bug Fixes
* [#6073](https://github.com/netbox-community/netbox/issues/6073) - Permit users to manage their own REST API tokens without needing explicit permission
---
## v2.10.8 (2021-03-26) ## v2.10.8 (2021-03-26)
### Bug Fixes ### Bug Fixes


@ -11,12 +11,8 @@
<div class="panel-heading"> <div class="panel-heading">
<div class="pull-right noprint"> <div class="pull-right noprint">
<a class="btn btn-xs btn-success copy-token" data-clipboard-target="#token_{{ token.pk }}">Copy</a> <a class="btn btn-xs btn-success copy-token" data-clipboard-target="#token_{{ token.pk }}">Copy</a>
{% if perms.users.change_token %} <a href="{% url 'user:token_edit' pk=token.pk %}" class="btn btn-xs btn-warning">Edit</a>
<a href="{% url 'user:token_edit' pk=token.pk %}" class="btn btn-xs btn-warning">Edit</a> <a href="{% url 'user:token_delete' pk=token.pk %}" class="btn btn-xs btn-danger">Delete</a>
{% endif %}
{% if perms.users.delete_token %}
<a href="{% url 'user:token_delete' pk=token.pk %}" class="btn btn-xs btn-danger">Delete</a>
{% endif %}
</div> </div>
<i class="mdi mdi-key"></i> <i class="mdi mdi-key"></i>
<samp><span id="token_{{ token.pk }}">{{ token.key }}</span></samp> <samp><span id="token_{{ token.pk }}">{{ token.key }}</span></samp>
@ -55,16 +51,10 @@
{% empty %} {% empty %}
<p>You do not have any API tokens.</p> <p>You do not have any API tokens.</p>
{% endfor %} {% endfor %}
{% if perms.users.add_token %} <a href="{% url 'user:token_add' %}" class="btn btn-primary">
<a href="{% url 'user:token_add' %}" class="btn btn-primary"> <span class="mdi mdi-plus-thick" aria-hidden="true"></span>
<span class="mdi mdi-plus-thick" aria-hidden="true"></span> Add a token
Add a token </a>
</a>
{% else %}
<div class="alert alert-info text-center" role="alert">
You do not have permission to create new API tokens. If needed, ask an administrator to enable token creation for your account or an assigned group.
</div>
{% endif %}
</div> </div>
</div> </div>
{% endblock %} {% endblock %}
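Review bot: The Edit and Delete links in the first hunk are now rendered for every token the loop yields with no permission test, so the template depends entirely on the view handing it only the requesting user's tokens, which cannot be confirmed from this section; a template comment above the buttons, `{# Actions are authorized by token ownership in the view, not by users.*_token permissions #}`, would record that assumption for the next editor. The removed `{% else %}` alert in the second hunk is unreachable once token creation needs no permission, so dropping it is consistent with the change.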


@ -6,7 +6,7 @@ from django.contrib.auth import login as auth_login, logout as auth_logout, upda
from django.contrib.auth.mixins import LoginRequiredMixin from django.contrib.auth.mixins import LoginRequiredMixin
from django.contrib.auth.models import update_last_login from django.contrib.auth.models import update_last_login
from django.contrib.auth.signals import user_logged_in from django.contrib.auth.signals import user_logged_in
from django.http import HttpResponseForbidden, HttpResponseRedirect from django.http import HttpResponseRedirect
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse from django.urls import reverse
from django.utils.decorators import method_decorator from django.utils.decorators import method_decorator
@ -282,13 +282,9 @@ class TokenEditView(LoginRequiredMixin, View):
def get(self, request, pk=None): def get(self, request, pk=None):
if pk is not None: if pk:
if not request.user.has_perm('users.change_token'):
return HttpResponseForbidden()
token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk) token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
else: else:
if not request.user.has_perm('users.add_token'):
return HttpResponseForbidden()
token = Token(user=request.user) token = Token(user=request.user)
form = TokenForm(instance=token) form = TokenForm(instance=token)
@ -302,11 +298,11 @@ class TokenEditView(LoginRequiredMixin, View):
def post(self, request, pk=None): def post(self, request, pk=None):
if pk is not None: if pk:
token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk) token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
form = TokenForm(request.POST, instance=token) form = TokenForm(request.POST, instance=token)
else: else:
token = Token() token = Token(user=request.user)
form = TokenForm(request.POST) form = TokenForm(request.POST)
if form.is_valid(): if form.is_valid():
@ -314,7 +310,7 @@ class TokenEditView(LoginRequiredMixin, View):
token.user = request.user token.user = request.user
token.save() token.save()
msg = "Modified token {}".format(token) if pk else "Created token {}".format(token) msg = f"Modified token {token}" if pk else f"Created token {token}"
messages.success(request, msg) messages.success(request, msg)
if '_addanother' in request.POST: if '_addanother' in request.POST:
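Review bot: With the `has_perm` checks removed from get() and post(), the `Token.objects.filter(user=request.user)` lookups on the pk branches and the `token.user = request.user` assignment before save() become the only authorization boundary for these views, and nothing in the hunks says so; a comment at the first filter, `# Ownership is the sole access check: users may only load their own tokens`, would keep a later refactor from relaxing it. The accompanying switch from `if pk is not None:` to `if pk:` in both methods is unrelated to the fix and silently routes a pk of 0 to the create branch; `if pk is not None:` remains the precise test even though Django auto-increment keys start at 1. The import hunk drops `HttpResponseForbidden`; if it is still referenced elsewhere in this file outside the visible hunks, that import would need to stay. Both get() and post() continue past the end of their hunks.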