mirror of https://github.com/netbox-community/netbox.git synced 2024-05-10 07:54:54 +00:00

8853 Prevent the retrieval of API tokens after creation (#10645)

* 8853 hide api token

* 8853 hide key on edit

* 8853 add key display

* 8853 cleanup html

* 8853 make token view accessible only once on POST

* Clean up display of tokens in views

* Honor ALLOW_TOKEN_RETRIEVAL in API serializer

* Add docs & tweak default setting

* Include token key when provisioning with user credentials

Co-authored-by: jeremystretch <jstretch@ns1.com>
Arthur Hanson
2022-11-02 09:45:00 -07:00
committed by GitHub
parent 484efdaf75
commit 816fedb78d
12 changed files with 116 additions and 12 deletions


@ -273,6 +273,7 @@ class TokenEditView(LoginRequiredMixin, View):
form = TokenForm(request.POST)
if form.is_valid():
token = form.save(commit=False)
token.user = request.user
token.save()
@ -280,7 +281,13 @@ class TokenEditView(LoginRequiredMixin, View):
msg = f"Modified token {token}" if pk else f"Created token {token}"
messages.success(request, msg)
if '_addanother' in request.POST:
if not pk and not settings.ALLOW_TOKEN_RETRIEVAL:
return render(request, 'users/api_token.html', {
'object': token,
'key': token.key,
'return_url': reverse('users:token_list'),
})
elif '_addanother' in request.POST:
return redirect(request.path)
else:
return redirect('users:token_list')
@ -289,6 +296,7 @@ class TokenEditView(LoginRequiredMixin, View):
'object': token,
'form': form,
'return_url': reverse('users:token_list'),
'disable_addanother': not settings.ALLOW_TOKEN_RETRIEVAL
})
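Review bot: The new `return render(request, 'users/api_token.html', {...})` branch in the second hunk sends the plaintext `token.key` in an ordinary response, and nothing visible here marks that response as non-cacheable. With `ALLOW_TOKEN_RETRIEVAL` off this page is the only place the secret is ever shown, so a copy kept in a browser or intermediary cache would defeat the setting; unless middleware elsewhere already handles it, bind the result (`response = render(...)`), call `add_never_cache_headers(response)` from `django.utils.cache`, then `return response`. The page is also rendered directly from the POST rather than after a redirect, so a reload would resubmit the form and presumably create another token; a one-line comment such as `# Rendered directly on POST so the key is shown exactly once; no redirect by design` would record that trade-off. The `post` method begins outside the hunks shown.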