Merge release v2.4.6

2024-05-10 07:54:54 +00:00 · 2018-10-10 09:36:51 -04:00
parent 364bbdeab8 7d1f6b7049
commit 22ed4f1b53
23 changed files with 508 additions and 21 deletions
--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@@ -1,8 +1,8 @@
 from django.contrib import messages
 from django.contrib.auth import login as auth_login, logout as auth_logout, update_session_auth_hash
 from django.contrib.auth.decorators import login_required
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import HttpResponseRedirect
+from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.http import HttpResponseForbidden, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
@@ -217,8 +217,12 @@ class TokenEditView(LoginRequiredMixin, View):
    def get(self, request, pk=None):

        if pk is not None:
+            if not request.user.has_perm('users.change_token'):
+                return HttpResponseForbidden()
            token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
        else:
+            if not request.user.has_perm('users.add_token'):
+                return HttpResponseForbidden()
            token = Token(user=request.user)

        form = TokenForm(instance=token)
@@ -260,7 +264,8 @@ class TokenEditView(LoginRequiredMixin, View):
        })


-class TokenDeleteView(LoginRequiredMixin, View):
+class TokenDeleteView(PermissionRequiredMixin, View):
+    permission_required = 'users.delete_token'

    def get(self, request, pk):