mirror of https://github.com/netbox-community/netbox.git synced 2024-05-10 07:54:54 +00:00

Exclude ObjectPermissions API endpoint from EXEMPT_VIEW_PERMISSIONS

Jeremy Stretch
2020-07-21 17:39:56 -04:00
parent a3d1ee474c
commit 3e6b257fa0
4 changed files with 33 additions and 7 deletions


@ -1,9 +1,11 @@
from django.contrib.auth.models import Group, User
from django.contrib.contenttypes.models import ContentType
from django.test import override_settings
from django.urls import reverse
from rest_framework import status
from users.models import ObjectPermission
from utilities.testing import APIViewTestCases, APITestCase
from utilities.testing import APIViewTestCases, APITestCase, disable_warnings
class AppTest(APITestCase):
@ -72,3 +74,17 @@ class ObjectPermissionTest(APIViewTestCases.APIViewTestCase):
'constraints': {'name': 'TEST6'},
},
]
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_list_objects_anonymous(self):
# Endpoint should never be exposed via EXEMPT_VIEW_PERMISSIONS
url = self._get_list_url()
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
@override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
def test_get_object_anonymous(self):
# Endpoint should never be exposed via EXEMPT_VIEW_PERMISSIONS
url = self._get_detail_url(self._get_queryset().first())
with disable_warnings('django.request'):
self.assertHttpStatus(self.client.get(url, **self.header), status.HTTP_403_FORBIDDEN)
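Review bot: Both new tests are named `*_anonymous` but pass `**self.header` to `self.client.get`, so if that header carries the test user's API token (it is set up outside this hunk), they exercise an authenticated user without permissions rather than an unauthenticated client. Since the guarantee under test is that ObjectPermission data is never exposed through `EXEMPT_VIEW_PERMISSIONS`, each test should also issue `self.client.get(url)` with no credentials and assert that the request is refused. Only the wildcard `['*']` is covered; a second `@override_settings` case that lists this model explicitly by its `app_label.model_name` would confirm the exclusion holds for a targeted entry too. In `test_get_object_anonymous`, `self._get_queryset().first()` returns `None` when no fixtures exist, so an `assertIsNotNone` on the instance before building the URL would make a fixture failure distinguishable from a permissions failure.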