Fixes #5841: Disallow the creation of available prefixes/IP addresses in violation of assigned permission constraints

2025-07-22 12:06:53 -06:00 · 2021-02-24 14:21:42 -05:00 · 2021-02-24 14:21:42 -05:00 · b392502b9b
commit b392502b9b
parent a301c974e4
2 changed files with 15 additions and 2 deletions
--- a/docs/release-notes/version-2.10.md
+++ b/docs/release-notes/version-2.10.md
@ -10,6 +10,7 @@
 * [#5718](https://github.com/netbox-community/netbox/issues/5718) - Fix bulk editing of services when no port(s) are defined
 * [#5735](https://github.com/netbox-community/netbox/issues/5735) - Ensure consistent treatment of duplicate IP addresses
 * [#5738](https://github.com/netbox-community/netbox/issues/5738) - Fix redirect to device components view after disconnecting a cable
+* [#5841](https://github.com/netbox-community/netbox/issues/5841) - Disallow the creation of available prefixes/IP addresses in violation of assigned permission constraints

 ---

--- a/netbox/ipam/api/views.py
+++ b/netbox/ipam/api/views.py
@ -1,4 +1,6 @@
 from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
+from django.db import transaction
 from django.shortcuts import get_object_or_404
 from django_pglocks import advisory_lock
 from drf_yasg.utils import swagger_auto_schema
@ -162,7 +164,12 @@ class PrefixViewSet(CustomFieldModelViewSet):

            # Create the new Prefix(es)
            if serializer.is_valid():
-                serializer.save()
+                try:
+                    with transaction.atomic():
+                        created = serializer.save()
+                        self._validate_objects(created)
+                except ObjectDoesNotExist:
+                    raise PermissionDenied()
                return Response(serializer.data, status=status.HTTP_201_CREATED)

            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@ -225,7 +232,12 @@ class PrefixViewSet(CustomFieldModelViewSet):

            # Create the new IP address(es)
            if serializer.is_valid():
-                serializer.save()
+                try:
+                    with transaction.atomic():
+                        created = serializer.save()
+                        self._validate_objects(created)
+                except ObjectDoesNotExist:
+                    raise PermissionDenied()
                return Response(serializer.data, status=status.HTTP_201_CREATED)

            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)