Merge branch 'develop' into feature

2024-05-10 07:54:54 +00:00 · 2023-04-12 17:38:16 -04:00
parent 15a615d3a3 c1c98f9883
commit 59a6b3e71b
25 changed files with 215 additions and 55 deletions
--- a/netbox/users/api/serializers.py
+++ b/netbox/users/api/serializers.py
@@ -4,6 +4,7 @@ from django.contrib.contenttypes.models import ContentType
 from drf_spectacular.utils import extend_schema_field
 from drf_spectacular.types import OpenApiTypes
 from rest_framework import serializers
+from rest_framework.exceptions import PermissionDenied

 from netbox.api.fields import ContentTypeField, IPNetworkSerializer, SerializedPKRelatedField
 from netbox.api.serializers import ValidatedModelSerializer
@@ -94,6 +95,16 @@ class TokenSerializer(ValidatedModelSerializer):
            data['key'] = Token.generate_key()
        return super().to_internal_value(data)

+    def validate(self, data):
+
+        # If the Token is being created on behalf of another user, enforce the grant_token permission.
+        request = self.context.get('request')
+        token_user = data.get('user')
+        if token_user and token_user != request.user and not request.user.has_perm('users.grant_token'):
+            raise PermissionDenied("This user does not have permission to create tokens for other users.")
+
+        return super().validate(data)
+

 class TokenProvisionSerializer(serializers.Serializer):
    username = serializers.CharField()
--- a/netbox/users/tests/test_api.py
+++ b/netbox/users/tests/test_api.py
@@ -153,6 +153,26 @@ class TokenTest(
        response = self.client.post(url, data, format='json', **self.header)
        self.assertEqual(response.status_code, 403)

+    def test_provision_token_other_user(self):
+        """
+        Test provisioning a Token for a different User with & without the grant_token permission.
+        """
+        self.add_permissions('users.add_token')
+        user2 = User.objects.create_user(username='testuser2')
+        data = {
+            'user': user2.id,
+        }
+        url = reverse('users-api:token-list')
+
+        # Attempt to create a new Token for User2 *without* the grant_token permission
+        response = self.client.post(url, data, format='json', **self.header)
+        self.assertEqual(response.status_code, 403)
+
+        # Assign grant_token permission and successfully create a new Token for User2
+        self.add_permissions('users.grant_token')
+        response = self.client.post(url, data, format='json', **self.header)
+        self.assertEqual(response.status_code, 201)
+

 class ObjectPermissionTest(
    # No GraphQL support for ObjectPermission