
Support permission attribute assignment via REMOTE_AUTH_DEFAULT_PERMISSIONS

Jeremy Stretch %!s(int64=5) %!d(string=hai) anos
pai
achega
76f74f479b

+ 2 - 2
docs/configuration/optional-settings.md

@@ -416,9 +416,9 @@ The list of groups to assign a new user account when created using remote authen
 
 ## REMOTE_AUTH_DEFAULT_PERMISSIONS
 
-Default: `[]` (Empty list)
+Default: `{}` (Empty dictionary)
 
-The list of permissions to assign a new user account when created using remote authentication. (Requires `REMOTE_AUTH_ENABLED`.)
+A mapping of permissions to assign a new user account when created using remote authentication. Each key in the dictionary should be set to a dictionary of the attributes to be applied to the permission, or `None` to allow all objects. (Requires `REMOTE_AUTH_ENABLED`.)
 
 ---
 

+ 3 - 3
netbox/netbox/authentication.py

@@ -112,18 +112,18 @@ class RemoteUserBackend(_RemoteUserBackend):
 
         # Assign default object permissions to the user
         permissions_list = []
-        for permission_name in settings.REMOTE_AUTH_DEFAULT_PERMISSIONS:
+        for permission_name, attrs in settings.REMOTE_AUTH_DEFAULT_PERMISSIONS.items():
             try:
                 content_type, action = resolve_permission(permission_name)
                 # TODO: Merge multiple actions into a single ObjectPermission per content type
-                obj_perm = ObjectPermission(actions=[action])
+                obj_perm = ObjectPermission(actions=[action], attrs=attrs)
                 obj_perm.save()
                 obj_perm.users.add(user)
                 obj_perm.content_types.add(content_type)
                 permissions_list.append(permission_name)
             except ValueError:
                 logging.error(
-                    "Invalid permission name: '{permission_name}'. Permissions must be in the form "
+                    f"Invalid permission name: '{permission_name}'. Permissions must be in the form "
                     "<app>.<action>_<model>. (Example: dcim.add_site)"
                 )
         if permissions_list:
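Review bot: `attrs` on the new `ObjectPermission(actions=[action], attrs=attrs)` line comes straight from the settings dictionary and is saved without any check, while the surrounding `try` only handles the `ValueError` raised for a bad permission name. A value that is neither a dictionary nor `None` would therefore either be stored as a constraint or raise an unhandled exception while a new remote user is being provisioned; which of the two depends on model validation that is not visible in this hunk. Since this value decides which objects every auto-created account can reach, I would reject it before the object is built, e.g. `if attrs is not None and not isinstance(attrs, dict):` followed by a `logging.error(...)` and `continue`. It is also worth confirming how an empty `{}` is evaluated, because the documentation only names `None` as the allow-all value. The enclosing method starts before and continues after this hunk.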

+ 1 - 1
netbox/netbox/configuration.example.py

@@ -209,7 +209,7 @@ REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
 REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
 REMOTE_AUTH_AUTO_CREATE_USER = True
 REMOTE_AUTH_DEFAULT_GROUPS = []
-REMOTE_AUTH_DEFAULT_PERMISSIONS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
 
 # This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
 RELEASE_CHECK_TIMEOUT = 24 * 3600

+ 12 - 1
netbox/netbox/settings.py

@@ -99,7 +99,7 @@ PREFER_IPV4 = getattr(configuration, 'PREFER_IPV4', False)
 REMOTE_AUTH_AUTO_CREATE_USER = getattr(configuration, 'REMOTE_AUTH_AUTO_CREATE_USER', False)
 REMOTE_AUTH_BACKEND = getattr(configuration, 'REMOTE_AUTH_BACKEND', 'netbox.authentication.RemoteUserBackend')
 REMOTE_AUTH_DEFAULT_GROUPS = getattr(configuration, 'REMOTE_AUTH_DEFAULT_GROUPS', [])
-REMOTE_AUTH_DEFAULT_PERMISSIONS = getattr(configuration, 'REMOTE_AUTH_DEFAULT_PERMISSIONS', [])
+REMOTE_AUTH_DEFAULT_PERMISSIONS = getattr(configuration, 'REMOTE_AUTH_DEFAULT_PERMISSIONS', {})
 REMOTE_AUTH_ENABLED = getattr(configuration, 'REMOTE_AUTH_ENABLED', False)
 REMOTE_AUTH_HEADER = getattr(configuration, 'REMOTE_AUTH_HEADER', 'HTTP_REMOTE_USER')
 RELEASE_CHECK_URL = getattr(configuration, 'RELEASE_CHECK_URL', None)
@@ -127,6 +127,17 @@ if RELEASE_CHECK_URL:
 if RELEASE_CHECK_TIMEOUT < 3600:
     raise ImproperlyConfigured("RELEASE_CHECK_TIMEOUT has to be at least 3600 seconds (1 hour)")
 
+# TODO: Remove in v2.10
+# Backward compatibility for REMOTE_AUTH_DEFAULT_PERMISSIONS
+if type(REMOTE_AUTH_DEFAULT_PERMISSIONS) is not dict:
+    try:
+        REMOTE_AUTH_DEFAULT_PERMISSIONS = {perm: None for perm in REMOTE_AUTH_DEFAULT_PERMISSIONS}
+        warnings.warn(
+            "REMOTE_AUTH_DEFAULT_PERMISSIONS should be a dictionary. Backward compatibility will be removed in v2.10."
+        )
+    except TypeError:
+        raise ImproperlyConfigured("REMOTE_AUTH_DEFAULT_PERMISSIONS must be a dictionary.")
+
 
 #
 # Database
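Review bot: The fallback under `if type(REMOTE_AUTH_DEFAULT_PERMISSIONS) is not dict:` relies on `TypeError` to reject bad values, but a plain string is iterable, so a setting such as `'dcim.add_site'` would be turned into one key per character and pass start-up with only the deprecation warning instead of raising `ImproperlyConfigured`. Those keys would then fail one by one in the authentication backend for each new user, where the error is only logged. The exact-type test has a second effect: a dict subclass (for example an `OrderedDict`) carrying constraints would be rebuilt with every value set to `None`, which the documentation describes as allowing all objects. I would use `isinstance(REMOTE_AUTH_DEFAULT_PERMISSIONS, dict)` for the outer test and accept only the legacy shapes explicitly, `if not isinstance(REMOTE_AUTH_DEFAULT_PERMISSIONS, (list, tuple)): raise ImproperlyConfigured("REMOTE_AUTH_DEFAULT_PERMISSIONS must be a dictionary.")`. The hunk also calls `warnings.warn`, so `warnings` has to be imported at the top of settings.py, which is not visible here.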