From 72622a672d0795394ac222135f5c52bfee4080ac Mon Sep 17 00:00:00 2001
From: Arthur
Date: Thu, 6 Apr 2023 11:12:10 -0700
Subject: [PATCH] 11091 add permission to allow user to create api tokens for other users
---
 netbox/users/api/serializers.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/netbox/users/api/serializers.py b/netbox/users/api/serializers.py
index f1f1fc975..8103ef7ce 100644
--- a/netbox/users/api/serializers.py
+++ b/netbox/users/api/serializers.py
@@ -2,6 +2,7 @@ from django.conf import settings
 from django.contrib.auth.models import Group, User
 from django.contrib.contenttypes.models import ContentType
 from rest_framework import serializers
+from rest_framework.exceptions import PermissionDenied
 from netbox.api.fields import ContentTypeField, IPNetworkSerializer, SerializedPKRelatedField
 from netbox.api.serializers import ValidatedModelSerializer
@@ -91,6 +92,23 @@ class TokenSerializer(ValidatedModelSerializer):
 data['key'] = Token.generate_key()
 return super().to_internal_value(data)
+ def validate(self, data):
+ """
+ Check that the user has permissions to grant other users a token.
+ """
+ request = self.context.get("request")
+ if request and hasattr(request, "user"):
+ user = request.user
+ else:
+ raise PermissionDenied("Unauthorized user.")
+
+ grant_user = data['user']
+ if user != grant_user:
+ if not request.user.has_perm('users.grant_token'):
+ raise PermissionDenied("This user does not have permission to create tokens for other users.")
+
+ return data
+
 class TokenProvisionSerializer(serializers.Serializer):
 username = serializers.CharField()
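Review bot: `grant_user = data['user']` in the new `validate()` raises KeyError whenever `user` is absent from the validated data, for example on a partial update (PATCH), where DRF passes only the submitted fields, so the request ends in a 500 instead of a clean permission decision. Read it with `grant_user = data.get('user')` and apply the check only when it is set, e.g. `if grant_user is not None and user != grant_user and not user.has_perm('users.grant_token'):`. The method also ends with `return data`, so any validation the parent ValidatedModelSerializer performs in its own `validate()` (not visible in this patch) would be skipped for tokens; `return super().validate(data)` keeps it, the same way `to_internal_value` just above defers to `super()`. Tests for create-for-self, create-for-another-user without `users.grant_token`, and a PATCH that omits `user` would pin the authorization behaviour. TokenSerializer's class body starts outside the hunk.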