fix(core): Use gettext_lazy in data.py

Replace `gettext()` with `gettext_lazy()` to avoid locale-dependent model serialization (and false-positive pending migration warnings). Also make a missing `ValidationError` message translatable and format-safe. Fixes #21175
Update source translation strings
2026-01-15 08:12:18 -06:00 · 2026-01-15 13:43:13 +01:00 · 2026-01-15 05:05:36 +00:00 · 2026-01-14 12:50:35 -08:00
7 changed files with 61 additions and 105 deletions
--- a/netbox/core/api/serializers_/data.py
+++ b/netbox/core/api/serializers_/data.py
@@ -44,4 +44,3 @@ class DataFileSerializer(NetBoxModelSerializer):
            'id', 'url', 'display_url', 'display', 'source', 'path', 'last_updated', 'size', 'hash',
        ]
        brief_fields = ('id', 'url', 'display', 'path')
-        read_only_fields = ['path', 'last_updated', 'size', 'hash']
--- a/netbox/core/models/data.py
+++ b/netbox/core/models/data.py
@@ -12,7 +12,7 @@ from django.core.validators import RegexValidator
 from django.db import models
 from django.urls import reverse
 from django.utils import timezone
-from django.utils.translation import gettext as _
+from django.utils.translation import gettext_lazy as _

 from netbox.constants import CENSOR_TOKEN, CENSOR_TOKEN_CHANGED
 from netbox.models import PrimaryModel
@@ -128,7 +128,9 @@ class DataSource(JobsMixin, PrimaryModel):
        # Ensure URL scheme matches selected type
        if self.backend_class.is_local and self.url_scheme not in ('file', ''):
            raise ValidationError({
-                'source_url': "URLs for local sources must start with file:// (or specify no scheme)"
+                'source_url': _("URLs for local sources must start with {scheme} (or specify no scheme)").format(
+                    scheme='file://'
+                )
            })

    def save(self, *args, **kwargs):
--- a/netbox/extras/api/serializers_/configcontexts.py
+++ b/netbox/extras/api/serializers_/configcontexts.py
@@ -28,7 +28,7 @@ class ConfigContextProfileSerializer(PrimaryModelSerializer):
    )
    data_file = DataFileSerializer(
        nested=True,
-        required=False
+        read_only=True
    )

    class Meta:
@@ -143,7 +143,7 @@ class ConfigContextSerializer(OwnerMixin, ChangeLogMessageSerializer, ValidatedM
    )
    data_file = DataFileSerializer(
        nested=True,
-        required=False
+        read_only=True
    )

    class Meta:
--- a/netbox/extras/tests/test_api.py
+++ b/netbox/extras/tests/test_api.py
@@ -1,5 +1,4 @@
 import datetime
-import hashlib

 from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse
@@ -8,7 +7,7 @@ from rest_framework import status

 from core.choices import ManagedFileRootPathChoices
 from core.events import *
-from core.models import DataFile, DataSource, ObjectType
+from core.models import ObjectType
 from dcim.models import Device, DeviceRole, DeviceType, Manufacturer, Rack, Location, RackRole, Site
 from extras.choices import *
 from extras.models import *
@@ -732,51 +731,6 @@ class ConfigContextProfileTest(APIViewTestCases.APIViewTestCase):
        )
        ConfigContextProfile.objects.bulk_create(profiles)

-    def test_update_data_source_and_data_file(self):
-        """
-        Regression test: Ensure data_source and data_file can be assigned via the API.
-
-        This specifically covers PATCHing a ConfigContext with integer IDs for both fields.
-        """
-        self.add_permissions(
-            'core.view_datafile',
-            'core.view_datasource',
-            'extras.view_configcontextprofile',
-            'extras.change_configcontextprofile',
-        )
-        config_context_profile = ConfigContextProfile.objects.first()
-
-        # Create a data source and file
-        datasource = DataSource.objects.create(
-            name='Data Source 1',
-            type='local',
-            source_url='file:///tmp/netbox-datasource/',
-        )
-        # Generate a valid dummy YAML file
-        file_data = b'profile: configcontext\n'
-        datafile = DataFile.objects.create(
-            source=datasource,
-            path='dir1/file1.yml',
-            last_updated=now(),
-            size=len(file_data),
-            hash=hashlib.sha256(file_data).hexdigest(),
-            data=file_data,
-        )
-
-        url = self._get_detail_url(config_context_profile)
-        payload = {
-            'data_source': datasource.pk,
-            'data_file': datafile.pk,
-        }
-        response = self.client.patch(url, payload, format='json', **self.header)
-        self.assertHttpStatus(response, status.HTTP_200_OK)
-
-        config_context_profile.refresh_from_db()
-        self.assertEqual(config_context_profile.data_source_id, datasource.pk)
-        self.assertEqual(config_context_profile.data_file_id, datafile.pk)
-        self.assertEqual(response.data['data_source']['id'], datasource.pk)
-        self.assertEqual(response.data['data_file']['id'], datafile.pk)
-

 class ConfigContextTest(APIViewTestCases.APIViewTestCase):
    model = ConfigContext
@@ -858,51 +812,6 @@ class ConfigContextTest(APIViewTestCases.APIViewTestCase):
        rendered_context = device.get_config_context()
        self.assertEqual(rendered_context['bar'], 456)

-    def test_update_data_source_and_data_file(self):
-        """
-        Regression test: Ensure data_source and data_file can be assigned via the API.
-
-        This specifically covers PATCHing a ConfigContext with integer IDs for both fields.
-        """
-        self.add_permissions(
-            'core.view_datafile',
-            'core.view_datasource',
-            'extras.view_configcontext',
-            'extras.change_configcontext',
-        )
-        config_context = ConfigContext.objects.first()
-
-        # Create a data source and file
-        datasource = DataSource.objects.create(
-            name='Data Source 1',
-            type='local',
-            source_url='file:///tmp/netbox-datasource/',
-        )
-        # Generate a valid dummy YAML file
-        file_data = b'context: config\n'
-        datafile = DataFile.objects.create(
-            source=datasource,
-            path='dir1/file1.yml',
-            last_updated=now(),
-            size=len(file_data),
-            hash=hashlib.sha256(file_data).hexdigest(),
-            data=file_data,
-        )
-
-        url = self._get_detail_url(config_context)
-        payload = {
-            'data_source': datasource.pk,
-            'data_file': datafile.pk,
-        }
-        response = self.client.patch(url, payload, format='json', **self.header)
-        self.assertHttpStatus(response, status.HTTP_200_OK)
-
-        config_context.refresh_from_db()
-        self.assertEqual(config_context.data_source_id, datasource.pk)
-        self.assertEqual(config_context.data_file_id, datafile.pk)
-        self.assertEqual(response.data['data_source']['id'], datasource.pk)
-        self.assertEqual(response.data['data_file']['id'], datafile.pk)
-

 class ConfigTemplateTest(APIViewTestCases.APIViewTestCase):
    model = ConfigTemplate
--- a/netbox/netbox/plugins/navigation.py
+++ b/netbox/netbox/plugins/navigation.py
@@ -37,8 +37,6 @@ class PluginMenuItem:
    Alternatively, a pre-generated url can be set on the object which will be rendered literally.
    Buttons are each specified as a list of PluginMenuButton instances.
    """
-    permissions = []
-    buttons = []
    _url = None

    def __init__(
@@ -54,10 +52,14 @@ class PluginMenuItem:
            if type(permissions) not in (list, tuple):
                raise TypeError(_("Permissions must be passed as a tuple or list."))
            self.permissions = permissions
+        else:
+            self.permissions = []
        if buttons is not None:
            if type(buttons) not in (list, tuple):
                raise TypeError(_("Buttons must be passed as a tuple or list."))
            self.buttons = buttons
+        else:
+            self.buttons = []

    @property
    def url(self):
@@ -74,7 +76,6 @@ class PluginMenuButton:
    ButtonColorChoices.
    """
    color = ButtonColorChoices.DEFAULT
-    permissions = []
    _url = None

    def __init__(self, link, title, icon_class, color=None, permissions=None):
@@ -87,6 +88,8 @@ class PluginMenuButton:
            if type(permissions) not in (list, tuple):
                raise TypeError(_("Permissions must be passed as a tuple or list."))
            self.permissions = permissions
+        else:
+            self.permissions = []
        if color is not None:
            if color not in ButtonColorChoices.values():
                raise ValueError(_("Button color must be a choice within ButtonColorChoices."))
--- a/netbox/netbox/tests/test_plugins.py
+++ b/netbox/netbox/tests/test_plugins.py
@@ -11,7 +11,7 @@ from netbox.tests.dummy_plugin import config as dummy_config
 from netbox.tests.dummy_plugin.data_backends import DummyBackend
 from netbox.tests.dummy_plugin.jobs import DummySystemJob
 from netbox.tests.dummy_plugin.webhook_callbacks import set_context
-from netbox.plugins.navigation import PluginMenu
+from netbox.plugins.navigation import PluginMenu, PluginMenuItem, PluginMenuButton
 from netbox.plugins.utils import get_plugin_config
 from netbox.graphql.schema import Query
 from netbox.registry import registry
@@ -227,3 +227,46 @@ class PluginTest(TestCase):
        Test the registration of webhook callbacks.
        """
        self.assertIn(set_context, registry['webhook_callbacks'])
+
+
+class PluginNavigationTest(TestCase):
+
+    def test_plugin_menu_item_independent_permissions(self):
+        item1 = PluginMenuItem(link='test1', link_text='Test 1')
+        item1.permissions.append('leaked_permission')
+
+        item2 = PluginMenuItem(link='test2', link_text='Test 2')
+
+        self.assertIsNot(item1.permissions, item2.permissions)
+        self.assertEqual(item1.permissions, ['leaked_permission'])
+        self.assertEqual(item2.permissions, [])
+
+    def test_plugin_menu_item_independent_buttons(self):
+        item1 = PluginMenuItem(link='test1', link_text='Test 1')
+        button = PluginMenuButton(link='button1', title='Button 1', icon_class='mdi-test')
+        item1.buttons.append(button)
+
+        item2 = PluginMenuItem(link='test2', link_text='Test 2')
+
+        self.assertIsNot(item1.buttons, item2.buttons)
+        self.assertEqual(len(item1.buttons), 1)
+        self.assertEqual(item1.buttons[0], button)
+        self.assertEqual(item2.buttons, [])
+
+    def test_plugin_menu_button_independent_permissions(self):
+        button1 = PluginMenuButton(link='button1', title='Button 1', icon_class='mdi-test')
+        button1.permissions.append('leaked_permission')
+
+        button2 = PluginMenuButton(link='button2', title='Button 2', icon_class='mdi-test')
+
+        self.assertIsNot(button1.permissions, button2.permissions)
+        self.assertEqual(button1.permissions, ['leaked_permission'])
+        self.assertEqual(button2.permissions, [])
+
+    def test_explicit_permissions_remain_independent(self):
+        item1 = PluginMenuItem(link='test1', link_text='Test 1', permissions=['explicit_permission'])
+        item2 = PluginMenuItem(link='test2', link_text='Test 2', permissions=['different_permission'])
+
+        self.assertIsNot(item1.permissions, item2.permissions)
+        self.assertEqual(item1.permissions, ['explicit_permission'])
+        self.assertEqual(item2.permissions, ['different_permission'])
--- a/netbox/translations/en/LC_MESSAGES/django.po
+++ b/netbox/translations/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-13 05:05+0000\n"
+"POT-Creation-Date: 2026-01-15 05:05+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -12489,8 +12489,8 @@ msgstr ""
 msgid "Delete Selected"
 msgstr ""

-#: netbox/netbox/plugins/navigation.py:55
-#: netbox/netbox/plugins/navigation.py:88
+#: netbox/netbox/plugins/navigation.py:53
+#: netbox/netbox/plugins/navigation.py:89
 msgid "Permissions must be passed as a tuple or list."
 msgstr ""

@@ -12498,7 +12498,7 @@ msgstr ""
 msgid "Buttons must be passed as a tuple or list."
 msgstr ""

-#: netbox/netbox/plugins/navigation.py:92
+#: netbox/netbox/plugins/navigation.py:95
 msgid "Button color must be a choice within ButtonColorChoices."
 msgstr ""
Author	SHA1	Message	Date
Martin Hauser	a2a0097996	fix(core): Use gettext_lazy in data.py Replace `gettext()` with `gettext_lazy()` to avoid locale-dependent model serialization (and false-positive pending migration warnings). Also make a missing `ValidationError` message translatable and format-safe. Fixes #21175	2026-01-15 13:43:13 +01:00
github-actions	c1bbc026e2	Update source translation strings Some checks are pending CodeQL / Analyze (actions) (push) Waiting to run Details CodeQL / Analyze (javascript-typescript) (push) Waiting to run Details CodeQL / Analyze (python) (push) Waiting to run Details	2026-01-15 05:05:36 +00:00
Jason Novinger	434334d927	Fixes #20239 : Prevent shared mutable state in PluginMenuItem and PluginMenuButton (#21099 ) Some checks failed CI / build (20.x, 3.12) (push) Waiting to run Details CI / build (20.x, 3.13) (push) Waiting to run Details CI / build (20.x, 3.14) (push) Waiting to run Details CodeQL / Analyze (actions) (push) Has been cancelled Details CodeQL / Analyze (javascript-typescript) (push) Has been cancelled Details CodeQL / Analyze (python) (push) Has been cancelled Details PluginMenuItem and PluginMenuButton classes used mutable class-level defaults for `permissions` and `buttons` attributes, causing permission leakage between instances when these attributes were modified without explicit parameters. Changed to initialize these attributes as fresh lists per instance in __init__ when not explicitly provided, following standard Python pattern for avoiding mutable default arguments.	2026-01-14 12:50:35 -08:00