Fix permissions evaluation for available IPs endpoint

2025-07-22 20:12:00 -06:00 · 2020-07-08 09:31:10 -04:00 · 2020-07-08 09:31:10 -04:00 · 85b284be54
commit 85b284be54
parent 02a6e2190f
2 changed files with 4 additions and 9 deletions
--- a/netbox/ipam/api/views.py
+++ b/netbox/ipam/api/views.py
@ -163,7 +163,7 @@ class PrefixViewSet(CustomFieldModelViewSet):
        The advisory lock decorator uses a PostgreSQL advisory lock to prevent this API from being
        invoked in parallel, which results in a race condition where multiple insertions can occur.
        """
-        prefix = get_object_or_404(Prefix, pk=pk)
+        prefix = get_object_or_404(Prefix.objects.restrict(request.user), pk=pk)

        # Create the next available IP within the prefix
        if request.method == 'POST':
--- a/netbox/ipam/tests/test_api.py
+++ b/netbox/ipam/tests/test_api.py
@ -276,7 +276,7 @@ class PrefixTest(APIViewTestCases.APIViewTestCase):
        vrf = VRF.objects.create(name='Test VRF 1', rd='1234')
        prefix = Prefix.objects.create(prefix=IPNetwork('192.0.2.0/30'), vrf=vrf, is_pool=True)
        url = reverse('ipam-api:prefix-available-ips', kwargs={'pk': prefix.pk})
-        self.add_permissions('ipam.add_ipaddress')
+        self.add_permissions('ipam.view_prefix', 'ipam.add_ipaddress')

        # Create all four available IPs with individual requests
        for i in range(1, 5):
@ -299,19 +299,14 @@ class PrefixTest(APIViewTestCases.APIViewTestCase):
        """
        prefix = Prefix.objects.create(prefix=IPNetwork('192.0.2.0/29'), is_pool=True)
        url = reverse('ipam-api:prefix-available-ips', kwargs={'pk': prefix.pk})
-        self.add_permissions('ipam.view_ipaddress', 'ipam.add_ipaddress')
+        self.add_permissions('ipam.view_prefix', 'ipam.add_ipaddress')

        # Try to create nine IPs (only eight are available)
-        data = [{'description': 'Test IP {}'.format(i)} for i in range(1, 10)]  # 9 IPs
+        data = [{'description': f'Test IP {i}'} for i in range(1, 10)]  # 9 IPs
        response = self.client.post(url, data, format='json', **self.header)
        self.assertHttpStatus(response, status.HTTP_204_NO_CONTENT)
        self.assertIn('detail', response.data)

-        # Verify that no IPs were created (eight are still available)
-        response = self.client.get(url, **self.header)
-        self.assertHttpStatus(response, status.HTTP_200_OK)
-        self.assertEqual(len(response.data), 8)
-
        # Create all eight available IPs in a single request
        data = [{'description': 'Test IP {}'.format(i)} for i in range(1, 9)]  # 8 IPs
        response = self.client.post(url, data, format='json', **self.header)