Enforce view permissions for UI views

2026-01-13 23:32:17 -06:00 · 2019-04-11 17:27:38 -04:00
parent ea6815b9bb
commit e710ccb0e6
16 changed files with 257 additions and 168 deletions
--- a/netbox/secrets/tests/test_views.py
+++ b/netbox/secrets/tests/test_views.py
@@ -1,25 +1,19 @@
 import urllib.parse

-from django.contrib.auth import get_user_model
 from django.test import Client, TestCase
 from django.urls import reverse

 from dcim.models import Device, DeviceRole, DeviceType, Manufacturer, Site
 from secrets.models import Secret, SecretRole
+from utilities.testing import create_test_user


 class SecretRoleTestCase(TestCase):

    def setUp(self):
-
-        TEST_USERNAME = 'testuser'
-        TEST_PASSWORD = 'testpassword'
-
-        User = get_user_model()
-        User.objects.create(username=TEST_USERNAME, email='testuser@example.com', password=TEST_PASSWORD)
-
+        user = create_test_user(permissions=['secrets.view_secretrole'])
        self.client = Client()
-        self.client.login(username=TEST_USERNAME, password=TEST_PASSWORD)
+        self.client.force_login(user)

        SecretRole.objects.bulk_create([
            SecretRole(name='Secret Role 1', slug='secret-role-1'),
@@ -29,7 +23,7 @@ class SecretRoleTestCase(TestCase):

    def test_secretrole_list(self):

-        url = reverse('secrets:secret_list')
+        url = reverse('secrets:secretrole_list')

        response = self.client.get(url, follow=True)
        self.assertEqual(response.status_code, 200)
@@ -38,8 +32,9 @@ class SecretRoleTestCase(TestCase):
 class SecretTestCase(TestCase):

    def setUp(self):
-
+        user = create_test_user(permissions=['secrets.view_secret'])
        self.client = Client()
+        self.client.force_login(user)

        site = Site(name='Site 1', slug='site-1')
        site.save()
@@ -75,7 +70,7 @@ class SecretTestCase(TestCase):
        response = self.client.get('{}?{}'.format(url, urllib.parse.urlencode(params)), follow=True)
        self.assertEqual(response.status_code, 200)

-    def test_configcontext(self):
+    def test_secret(self):

        secret = Secret.objects.first()
        response = self.client.get(secret.get_absolute_url(), follow=True)
--- a/netbox/secrets/views.py
+++ b/netbox/secrets/views.py
@@ -32,7 +32,8 @@ def get_session_key(request):
 # Secret roles
 #

-class SecretRoleListView(ObjectListView):
+class SecretRoleListView(PermissionRequiredMixin, ObjectListView):
+    permission_required = 'secrets.view_secretrole'
    queryset = SecretRole.objects.annotate(secret_count=Count('secrets'))
    table = tables.SecretRoleTable
    template_name = 'secrets/secretrole_list.html'
@@ -67,8 +68,8 @@ class SecretRoleBulkDeleteView(PermissionRequiredMixin, BulkDeleteView):
 # Secrets
 #

-@method_decorator(login_required, name='dispatch')
-class SecretListView(ObjectListView):
+class SecretListView(PermissionRequiredMixin, ObjectListView):
+    permission_required = 'secrets.view_secret'
    queryset = Secret.objects.select_related('role', 'device')
    filter = filters.SecretFilter
    filter_form = forms.SecretFilterForm
@@ -76,8 +77,8 @@ class SecretListView(ObjectListView):
    template_name = 'secrets/secret_list.html'


-@method_decorator(login_required, name='dispatch')
-class SecretView(View):
+class SecretView(PermissionRequiredMixin, View):
+    permission_required = 'secrets.view_secret'

    def get(self, request, pk):

@@ -198,7 +199,7 @@ class SecretDeleteView(PermissionRequiredMixin, ObjectDeleteView):


 class SecretBulkImportView(BulkImportView):
-    permission_required = 'ipam.add_vlan'
+    permission_required = 'secrets.add_secret'
    model_form = forms.SecretCSVForm
    table = tables.SecretTable
    template_name = 'secrets/secret_import.html'