From 007fe6a030a3d78cb57cd1419a2f8f85a687ad55 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Wed, 22 Mar 2017 10:49:20 -0400
Subject: [PATCH 1/2] Markdown fixes
---
 docs/api/authentication.md | 2 +-
 docs/api/overview.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/api/authentication.md b/docs/api/authentication.md
index a2a8648a3..cb6da3bd1 100644
--- a/docs/api/authentication.md
+++ b/docs/api/authentication.md
@@ -24,7 +24,7 @@ $ curl -H "Accept: application/json; indent=4" http://localhost/api/dcim/sites/
 }
 ```
-However, if the `[LOGIN_REQUIRED](../configuration/optional-settings/#login_required)` configuration setting has been set to `True`, all requests must be authenticated.
+However, if the [`LOGIN_REQUIRED`](../configuration/optional-settings/#login_required) configuration setting has been set to `True`, all requests must be authenticated.
 ```
 $ curl -H "Accept: application/json; indent=4" http://localhost/api/dcim/sites/
diff --git a/docs/api/overview.md b/docs/api/overview.md
index 4086d9fad..5f8e43973 100644
--- a/docs/api/overview.md
+++ b/docs/api/overview.md
@@ -120,7 +120,7 @@ Vary: Accept
 }
 ```
-The default page size derives from the `[PAGINATE_COUNT](../configuration/optional-settings/#paginate_count)` configuration setting, which defaults to 50. However, this can be overridden per request by specifying the desired `offset` and `limit` query parameters. For example, if you wish to retrieve a hundred devices at a time, you would make a request for:
+The default page size derives from the [`PAGINATE_COUNT`](../configuration/optional-settings/#paginate_count) configuration setting, which defaults to 50. However, this can be overridden per request by specifying the desired `offset` and `limit` query parameters. For example, if you wish to retrieve a hundred devices at a time, you would make a request for:
 ```
 http://localhost:8000/api/dcim/devices/?limit=100
From 0899a1052ead0aa0359d6d173259ff52fab55e8f Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Wed, 22 Mar 2017 17:43:29 -0400
Subject: [PATCH 2/2] Only attempt to process session key if user is authenticated
---
 netbox/secrets/api/views.py | 39 +++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/netbox/secrets/api/views.py b/netbox/secrets/api/views.py
index 63476b126..4a44776c3 100644
--- a/netbox/secrets/api/views.py
+++ b/netbox/secrets/api/views.py
@@ -64,27 +64,28 @@ class SecretViewSet(WritableSerializerMixin, ModelViewSet):
 super(SecretViewSet, self).initial(request, *args, **kwargs)
- # Read session key from HTTP cookie or header if it has been provided. The session key must be provided in order
- # to encrypt/decrypt secrets.
- if 'session_key' in request.COOKIES:
- session_key = base64.b64decode(request.COOKIES['session_key'])
- elif 'HTTP_X_SESSION_KEY' in request.META:
- session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
- else:
- session_key = None
+ if request.user.is_authenticated():
- # We can't encrypt secret plaintext without a session key.
- # assert False, self.action
- if self.action in ['create', 'update'] and session_key is None:
- raise ValidationError("A session key must be provided when creating or updating secrets.")
+ # Read session key from HTTP cookie or header if it has been provided. The session key must be provided in
+ # order to encrypt/decrypt secrets.
+ if 'session_key' in request.COOKIES:
+ session_key = base64.b64decode(request.COOKIES['session_key'])
+ elif 'HTTP_X_SESSION_KEY' in request.META:
+ session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
+ else:
+ session_key = None
- # Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
- if session_key is not None:
- try:
- sk = SessionKey.objects.get(userkey__user=request.user)
- self.master_key = sk.get_master_key(session_key)
- except (SessionKey.DoesNotExist, InvalidSessionKey):
- raise ValidationError("Invalid session key.")
+ # We can't encrypt secret plaintext without a session key.
+ if self.action in ['create', 'update'] and session_key is None:
+ raise ValidationError("A session key must be provided when creating or updating secrets.")
+
+ # Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
+ if session_key is not None:
+ try:
+ sk = SessionKey.objects.get(userkey__user=request.user)
+ self.master_key = sk.get_master_key(session_key)
+ except (SessionKey.DoesNotExist, InvalidSessionKey):
+ raise ValidationError("Invalid session key.")
 def retrieve(self, request, *args, **kwargs):
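Review bot: The two `base64.b64decode()` calls on the `session_key` cookie and the `HTTP_X_SESSION_KEY` header, now nested under the `is_authenticated()` guard, still decode client-supplied input with no error handling, so a value with bad padding raises `binascii.Error` (a `ValueError` subclass on Python 3; `TypeError` on Python 2) out of `initial()` as an unhandled exception instead of the 400 that the existing `"Invalid session key."` branch returns for a well-formed but wrong key. Wrapping the decode in a try/except that raises the same `ValidationError` keeps the failure mode for a malformed key consistent with the one for an invalid key; a sketch is below. Separately, the `self.action in ['create', 'update']` check does not include `partial_update`, so a PATCH could reach the serializer without a session key if it carries plaintext — worth confirming against how the serializer treats that field before widening the list. The enclosing `initial()` method begins above this hunk.
```python
            # Read session key from HTTP cookie or header if it has been provided. The session key must be provided in
            # order to encrypt/decrypt secrets.
            try:
                if 'session_key' in request.COOKIES:
                    session_key = base64.b64decode(request.COOKIES['session_key'])
                elif 'HTTP_X_SESSION_KEY' in request.META:
                    session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
                else:
                    session_key = None
            except (TypeError, ValueError):
                # Malformed base64 is a client error, not a server fault.
                raise ValidationError("Invalid session key.")
            # … unchanged: create/update guard and master key lookup …
```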