mirror of
https://github.com/netbox-community/netbox.git
synced 2025-07-23 04:22:01 -06:00
Add object-level support to TokenPermissions
This commit is contained in:
parent
be5962fb3a
commit
f54fb67efc
@ -2,7 +2,7 @@ from django.conf import settings
|
|||||||
from django.db.models import QuerySet
|
from django.db.models import QuerySet
|
||||||
from rest_framework import authentication, exceptions
|
from rest_framework import authentication, exceptions
|
||||||
from rest_framework.pagination import LimitOffsetPagination
|
from rest_framework.pagination import LimitOffsetPagination
|
||||||
from rest_framework.permissions import DjangoModelPermissions, SAFE_METHODS
|
from rest_framework.permissions import DjangoObjectPermissions, SAFE_METHODS
|
||||||
from rest_framework.renderers import BrowsableAPIRenderer
|
from rest_framework.renderers import BrowsableAPIRenderer
|
||||||
from rest_framework.utils import formatting
|
from rest_framework.utils import formatting
|
||||||
|
|
||||||
@ -51,7 +51,7 @@ class TokenAuthentication(authentication.TokenAuthentication):
|
|||||||
return token.user, token
|
return token.user, token
|
||||||
|
|
||||||
|
|
||||||
class TokenPermissions(DjangoModelPermissions):
|
class TokenPermissions(DjangoObjectPermissions):
|
||||||
"""
|
"""
|
||||||
Custom permissions handler which extends the built-in DjangoModelPermissions to validate a Token's write ability
|
Custom permissions handler which extends the built-in DjangoModelPermissions to validate a Token's write ability
|
||||||
for unsafe requests (POST/PUT/PATCH/DELETE).
|
for unsafe requests (POST/PUT/PATCH/DELETE).
|
||||||
@ -74,15 +74,29 @@ class TokenPermissions(DjangoModelPermissions):
|
|||||||
|
|
||||||
super().__init__()
|
super().__init__()
|
||||||
|
|
||||||
|
def _verify_write_permission(self, request):
|
||||||
|
# If token authentication is in use, verify that the token allows write operations (for unsafe methods).
|
||||||
|
if request.method in SAFE_METHODS:
|
||||||
|
return True
|
||||||
|
if isinstance(request.auth, Token) and request.auth.write_enabled:
|
||||||
|
return True
|
||||||
|
|
||||||
def has_permission(self, request, view):
|
def has_permission(self, request, view):
|
||||||
|
|
||||||
# If token authentication is in use, verify that the token allows write operations (for unsafe methods).
|
# Enforce Token write ability
|
||||||
if request.method not in SAFE_METHODS and isinstance(request.auth, Token):
|
if not self._verify_write_permission(request):
|
||||||
if not request.auth.write_enabled:
|
return False
|
||||||
return False
|
|
||||||
|
|
||||||
return super().has_permission(request, view)
|
return super().has_permission(request, view)
|
||||||
|
|
||||||
|
def has_object_permission(self, request, view, obj):
|
||||||
|
|
||||||
|
# Enforce Token write ability
|
||||||
|
if not self._verify_write_permission(request):
|
||||||
|
return False
|
||||||
|
|
||||||
|
return super().has_object_permission(request, view, obj)
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Pagination
|
# Pagination
|
||||||
|
Loading…
Reference in New Issue
Block a user