Fixes #4146: Fix SecretRole permissions enforcement

2024-05-10 07:54:54 +00:00 · 2020-02-12 11:13:32 -05:00
parent e4b910fe87
commit 5bf85597ed
5 changed files with 49 additions and 18 deletions
--- a/netbox/secrets/api/views.py
+++ b/netbox/secrets/api/views.py
@ -93,8 +93,8 @@ class SecretViewSet(ModelViewSet):

        secret = self.get_object()

-        # Attempt to decrypt the secret if the master key is known
-        if self.master_key is not None:
+        # Attempt to decrypt the secret if the user is permitted and the master key is known
+        if secret.decryptable_by(request.user) and self.master_key is not None:
            secret.decrypt(self.master_key)

        serializer = self.get_serializer(secret)
@ -111,7 +111,9 @@ class SecretViewSet(ModelViewSet):
            if self.master_key is not None:
                secrets = []
                for secret in page:
-                    secret.decrypt(self.master_key)
+                    # Enforce role permissions
+                    if secret.decryptable_by(request.user):
+                        secret.decrypt(self.master_key)
                    secrets.append(secret)
                serializer = self.get_serializer(secrets, many=True)
            else: