Closes #2479: Add user permissions for creating/modifying API tokens

2025-12-26 07:07:46 -06:00 · 2018-10-05 11:06:59 -04:00
parent f46595f9c5
commit e70840a88d
6 changed files with 46 additions and 10 deletions
--- a/netbox/users/migrations/0003_token_permissions.py
+++ b/netbox/users/migrations/0003_token_permissions.py
@@ -0,0 +1,17 @@
+# Generated by Django 2.0.8 on 2018-10-05 14:32
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0001_api_tokens_squashed_0002_unicode_literals'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='token',
+            options={},
+        ),
+    ]
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@@ -43,7 +43,7 @@ class Token(models.Model):
    )

    class Meta:
-        default_permissions = []
+        pass

    def __str__(self):
        # Only display the last 24 bits of the token to avoid accidental exposure.
--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@@ -3,8 +3,8 @@ from __future__ import unicode_literals
 from django.contrib import messages
 from django.contrib.auth import login as auth_login, logout as auth_logout, update_session_auth_hash
 from django.contrib.auth.decorators import login_required
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import HttpResponseRedirect
+from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.http import HttpResponseForbidden, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
@@ -231,8 +231,12 @@ class TokenEditView(LoginRequiredMixin, View):
    def get(self, request, pk=None):

        if pk is not None:
+            if not request.user.has_perm('users.change_token'):
+                return HttpResponseForbidden()
            token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
        else:
+            if not request.user.has_perm('users.add_token'):
+                return HttpResponseForbidden()
            token = Token(user=request.user)

        form = TokenForm(instance=token)
@@ -274,7 +278,8 @@ class TokenEditView(LoginRequiredMixin, View):
        })


-class TokenDeleteView(LoginRequiredMixin, View):
+class TokenDeleteView(PermissionRequiredMixin, View):
+    permission_required = 'users.delete_token'

    def get(self, request, pk):