Closes #16681: Introduce render_config permission for configuration rendering

Add a new custom permission action `render_config` for rendering device and virtual machine configurations via the REST API. This allows users to render configurations without requiring the `add` permission. Changes: - Add permission check to RenderConfigMixin.render_config() for devices and VMs - Update API tests to use render_config permission instead of add - Add tests verifying permission enforcement (403 without render_config) - Document new permission requirement in configuration-rendering.md Note: Currently requires both render_config AND add permissions due to the automatic POST='add' filter in BaseViewSet.initial(). Removing the add requirement will be addressed in a follow-up commit.
2026-01-23 12:08:43 -06:00 · 2025-10-12 20:26:34 -05:00
parent a91af996d5
commit 7de62418c5
4 changed files with 45 additions and 0 deletions
--- a/docs/features/configuration-rendering.md
+++ b/docs/features/configuration-rendering.md
@@ -90,3 +90,6 @@ http://netbox:8000/api/extras/config-templates/123/render/ \
  "bar": 123
 }'
 ```
+
+!!! note "Permissions"
+    Rendering device or virtual machine configurations via the REST API requires the `render_config` permission for the relevant object type. For example, to render a device's configuration via `/api/dcim/devices/{id}/render-config/`, a user must be assigned a permission for the "DCIM > Device" object type with the `render_config` action.
--- a/netbox/dcim/tests/test_api.py
+++ b/netbox/dcim/tests/test_api.py
@@ -1486,12 +1486,29 @@ class DeviceTest(APIViewTestCases.APIViewTestCase):
        device.config_template = configtemplate
        device.save()

+        self.add_permissions('dcim.render_config_device')
        self.add_permissions('dcim.add_device')
        url = reverse('dcim-api:device-detail', kwargs={'pk': device.pk}) + 'render-config/'
        response = self.client.post(url, {}, format='json', **self.header)
        self.assertHttpStatus(response, status.HTTP_200_OK)
        self.assertEqual(response.data['content'], f'Config for device {device.name}')

+    def test_render_config_without_permission(self):
+        configtemplate = ConfigTemplate.objects.create(
+            name='Config Template 1',
+            template_code='Config for device {{ device.name }}'
+        )
+
+        device = Device.objects.first()
+        device.config_template = configtemplate
+        device.save()
+
+        # No permissions added - user has no render_config permission
+        self.add_permissions('dcim.add_device')
+        url = reverse('dcim-api:device-detail', kwargs={'pk': device.pk}) + 'render-config/'
+        response = self.client.post(url, {}, format='json', **self.header)
+        self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN)
+

 class ModuleTest(APIViewTestCases.APIViewTestCase):
    model = Module
--- a/netbox/extras/api/mixins.py
+++ b/netbox/extras/api/mixins.py
@@ -1,10 +1,12 @@
 from jinja2.exceptions import TemplateError
 from rest_framework.decorators import action
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
 from rest_framework.status import HTTP_400_BAD_REQUEST

 from netbox.api.renderers import TextRenderer
+from utilities.permissions import get_permission_for_model
 from .serializers import ConfigTemplateSerializer

 __all__ = (
@@ -70,6 +72,12 @@ class RenderConfigMixin(ConfigTemplateRenderMixin):
        Resolve and render the preferred ConfigTemplate for this Device.
        """
        instance = self.get_object()
+
+        # Check render_config permission
+        perm = get_permission_for_model(instance, 'render_config')
+        if not request.user.has_perm(perm, obj=instance):
+            raise PermissionDenied("This user does not have permission to render device configurations.")
+
        object_type = instance._meta.model_name
        configtemplate = instance.get_config_template()
        if not configtemplate:
--- a/netbox/virtualization/tests/test_api.py
+++ b/netbox/virtualization/tests/test_api.py
@@ -281,12 +281,29 @@ class VirtualMachineTest(APIViewTestCases.APIViewTestCase):
        vm.config_template = configtemplate
        vm.save()

+        self.add_permissions('virtualization.render_config_virtualmachine')
        self.add_permissions('virtualization.add_virtualmachine')
        url = reverse('virtualization-api:virtualmachine-detail', kwargs={'pk': vm.pk}) + 'render-config/'
        response = self.client.post(url, {}, format='json', **self.header)
        self.assertHttpStatus(response, status.HTTP_200_OK)
        self.assertEqual(response.data['content'], f'Config for virtual machine {vm.name}')

+    def test_render_config_without_permission(self):
+        configtemplate = ConfigTemplate.objects.create(
+            name='Config Template 1',
+            template_code='Config for virtual machine {{ virtualmachine.name }}'
+        )
+
+        vm = VirtualMachine.objects.first()
+        vm.config_template = configtemplate
+        vm.save()
+
+        # No permissions added - user has no render_config permission
+        self.add_permissions('virtualization.add_virtualmachine')
+        url = reverse('virtualization-api:virtualmachine-detail', kwargs={'pk': vm.pk}) + 'render-config/'
+        response = self.client.post(url, {}, format='json', **self.header)
+        self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN)
+

 class VMInterfaceTest(APIViewTestCases.APIViewTestCase):
    model = VMInterface