From d6f6d0acf5acdbeee1e4740e8c9ec27d90c2cde9 Mon Sep 17 00:00:00 2001
From: Pavel Raur
Date: Mon, 4 Oct 2021 11:36:29 +0200
Subject: [PATCH] Added permission check /api/dcim/connected-devices

Api now checks dcim.view_device and dcim.view_interface permissions when login is required
---
 netbox/dcim/api/views.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/netbox/dcim/api/views.py b/netbox/dcim/api/views.py
index 3d23cde5c..5d7a43582 100644
--- a/netbox/dcim/api/views.py
+++ b/netbox/dcim/api/views.py
@@ -8,6 +8,7 @@ from drf_yasg import openapi
 from drf_yasg.openapi import Parameter
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework.decorators import action
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
 from rest_framework.routers import APIRootView
 from rest_framework.viewsets import ViewSet
@@ -672,6 +673,12 @@ class ConnectedDeviceViewSet(ViewSet):
 peer_device_name = request.query_params.get(self._device_param.name)
 peer_interface_name = request.query_params.get(self._interface_param.name)
+ # check permissions of user, if login is required
+ if settings.LOGIN_REQUIRED:
+ if not request.user.has_perm('dcim.view_device') or not request.user.has_perm('dcim.view_interface'):
+ raise PermissionDenied('You do not have permission to perform this action.')
+
+ # check query parameters
 if not peer_device_name or not peer_interface_name:
 raise MissingFilterException(detail='Request must include "peer_device" and "peer_interface" filters.')
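Review bot: The added `has_perm('dcim.view_device')` / `has_perm('dcim.view_interface')` test in `ConnectedDeviceViewSet` is a model-level check, so under NetBox's object-based permissions a user whose view permission is constrained to a subset of devices would still pass it for any `peer_device`. The device and interface lookups sit further down in the method, outside this hunk; if they are not filtered per user, the endpoint can still return connection data for objects the caller cannot otherwise view. Restricting those querysets to the requesting user, e.g. `Device.objects.restrict(request.user, 'view')` and the same for `Interface`, would enforce the constraints and make the explicit check unnecessary. The check is also skipped whenever `settings.LOGIN_REQUIRED` is false, which leaves anonymous callers unchecked here even for models that are not exempted from view permissions, so confirm that is intended. The patch adds no import for `settings`, so verify `from django.conf import settings` already exists above the lines shown in the first hunk.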