From 7de62418c59b0ae691bca98cb354519878031aaa Mon Sep 17 00:00:00 2001 From: Jason Novinger Date: Sun, 12 Oct 2025 20:26:34 -0500 Subject: [PATCH] Closes #16681: Introduce render_config permission for configuration rendering Add a new custom permission action `render_config` for rendering device and virtual machine configurations via the REST API. This allows users to render configurations without requiring the `add` permission. Changes: - Add permission check to RenderConfigMixin.render_config() for devices and VMs - Update API tests to use render_config permission instead of add - Add tests verifying permission enforcement (403 without render_config) - Document new permission requirement in configuration-rendering.md Note: Currently requires both render_config AND add permissions due to the automatic POST='add' filter in BaseViewSet.initial(). Removing the add requirement will be addressed in a follow-up commit. --- docs/features/configuration-rendering.md | 3 +++ netbox/dcim/tests/test_api.py | 17 +++++++++++++++++ netbox/extras/api/mixins.py | 8 ++++++++ netbox/virtualization/tests/test_api.py | 17 +++++++++++++++++ 4 files changed, 45 insertions(+) diff --git a/docs/features/configuration-rendering.md b/docs/features/configuration-rendering.md index 44cacc684..03e88395f 100644 --- a/docs/features/configuration-rendering.md +++ b/docs/features/configuration-rendering.md @@ -90,3 +90,6 @@ http://netbox:8000/api/extras/config-templates/123/render/ \ "bar": 123 }' ``` + +!!! note "Permissions" + Rendering device or virtual machine configurations via the REST API requires the `render_config` permission for the relevant object type. For example, to render a device's configuration via `/api/dcim/devices/{id}/render-config/`, a user must be assigned a permission for the "DCIM > Device" object type with the `render_config` action. diff --git a/netbox/dcim/tests/test_api.py b/netbox/dcim/tests/test_api.py index d0a385887..e06ea0dbf 100644 --- a/netbox/dcim/tests/test_api.py +++ b/netbox/dcim/tests/test_api.py @@ -1486,12 +1486,29 @@ class DeviceTest(APIViewTestCases.APIViewTestCase): device.config_template = configtemplate device.save() + self.add_permissions('dcim.render_config_device') self.add_permissions('dcim.add_device') url = reverse('dcim-api:device-detail', kwargs={'pk': device.pk}) + 'render-config/' response = self.client.post(url, {}, format='json', **self.header) self.assertHttpStatus(response, status.HTTP_200_OK) self.assertEqual(response.data['content'], f'Config for device {device.name}') + def test_render_config_without_permission(self): + configtemplate = ConfigTemplate.objects.create( + name='Config Template 1', + template_code='Config for device {{ device.name }}' + ) + + device = Device.objects.first() + device.config_template = configtemplate + device.save() + + # No permissions added - user has no render_config permission + self.add_permissions('dcim.add_device') + url = reverse('dcim-api:device-detail', kwargs={'pk': device.pk}) + 'render-config/' + response = self.client.post(url, {}, format='json', **self.header) + self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN) + class ModuleTest(APIViewTestCases.APIViewTestCase): model = Module diff --git a/netbox/extras/api/mixins.py b/netbox/extras/api/mixins.py index aafdf32d4..f28af06ba 100644 --- a/netbox/extras/api/mixins.py +++ b/netbox/extras/api/mixins.py @@ -1,10 +1,12 @@ from jinja2.exceptions import TemplateError from rest_framework.decorators import action +from rest_framework.exceptions import PermissionDenied from rest_framework.renderers import JSONRenderer from rest_framework.response import Response from rest_framework.status import HTTP_400_BAD_REQUEST from netbox.api.renderers import TextRenderer +from utilities.permissions import get_permission_for_model from .serializers import ConfigTemplateSerializer __all__ = ( @@ -70,6 +72,12 @@ class RenderConfigMixin(ConfigTemplateRenderMixin): Resolve and render the preferred ConfigTemplate for this Device. """ instance = self.get_object() + + # Check render_config permission + perm = get_permission_for_model(instance, 'render_config') + if not request.user.has_perm(perm, obj=instance): + raise PermissionDenied("This user does not have permission to render device configurations.") + object_type = instance._meta.model_name configtemplate = instance.get_config_template() if not configtemplate: diff --git a/netbox/virtualization/tests/test_api.py b/netbox/virtualization/tests/test_api.py index e07f4dc06..6d763e714 100644 --- a/netbox/virtualization/tests/test_api.py +++ b/netbox/virtualization/tests/test_api.py @@ -281,12 +281,29 @@ class VirtualMachineTest(APIViewTestCases.APIViewTestCase): vm.config_template = configtemplate vm.save() + self.add_permissions('virtualization.render_config_virtualmachine') self.add_permissions('virtualization.add_virtualmachine') url = reverse('virtualization-api:virtualmachine-detail', kwargs={'pk': vm.pk}) + 'render-config/' response = self.client.post(url, {}, format='json', **self.header) self.assertHttpStatus(response, status.HTTP_200_OK) self.assertEqual(response.data['content'], f'Config for virtual machine {vm.name}') + def test_render_config_without_permission(self): + configtemplate = ConfigTemplate.objects.create( + name='Config Template 1', + template_code='Config for virtual machine {{ virtualmachine.name }}' + ) + + vm = VirtualMachine.objects.first() + vm.config_template = configtemplate + vm.save() + + # No permissions added - user has no render_config permission + self.add_permissions('virtualization.add_virtualmachine') + url = reverse('virtualization-api:virtualmachine-detail', kwargs={'pk': vm.pk}) + 'render-config/' + response = self.client.post(url, {}, format='json', **self.header) + self.assertHttpStatus(response, status.HTTP_403_FORBIDDEN) + class VMInterfaceTest(APIViewTestCases.APIViewTestCase): model = VMInterface