From 966ea450504a7f8cdcb7390978df33d4639dea4e Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Wed, 6 Jul 2016 17:22:10 -0400
Subject: [PATCH] #68: Improved permissions-related error handling

---
 netbox/secrets/api/views.py | 18 ++++----
 netbox/secrets/templatetags/__init__.py | 0
 netbox/secrets/templatetags/secret_helpers.py | 12 +++++
 netbox/templates/secrets/inc/secret_tr.html | 19 +++++---
 netbox/templates/secrets/secret.html | 46 +++++++++++--------
 5 files changed, 62 insertions(+), 33 deletions(-)
 create mode 100644 netbox/secrets/templatetags/__init__.py
 create mode 100644 netbox/secrets/templatetags/secret_helpers.py

diff --git a/netbox/secrets/api/views.py b/netbox/secrets/api/views.py
index 08d1be8f4..869739e32 100644
--- a/netbox/secrets/api/views.py
+++ b/netbox/secrets/api/views.py
@@ -4,6 +4,7 @@ from django.shortcuts import get_object_or_404
 from rest_framework import generics
 from rest_framework import status
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
@@ -108,14 +109,15 @@ class SecretDetailView(generics.GenericAPIView):
                 {'error': ERR_USERKEY_INACTIVE},
                 status=status.HTTP_400_BAD_REQUEST
             )
-        if secret.decryptable_by(request.user):
-            master_key = uk.get_master_key(private_key)
-            if master_key is None:
-                return Response(
-                    {'error': ERR_PRIVKEY_INVALID},
-                    status=status.HTTP_400_BAD_REQUEST
-                )
-            secret.decrypt(master_key)
+        if not secret.decryptable_by(request.user):
+            raise PermissionDenied(detail="You do not have permission to decrypt this secret.")
+        master_key = uk.get_master_key(private_key)
+        if master_key is None:
+            return Response(
+                {'error': ERR_PRIVKEY_INVALID},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+        secret.decrypt(master_key)
         serializer = self.get_serializer(secret)
         return Response(serializer.data)
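Review bot: The new `PermissionDenied` guard is evaluated only after the user-key check whose `ERR_USERKEY_INACTIVE` response is visible in the context lines at the top of the hunk, so a caller who is not allowed to decrypt this secret still has their (apparently caller-supplied) `private_key` and user-key state examined before authorization is decided; the `decryptable_by` check should be the first thing done once the secret is fetched, ahead of any key handling. Separately, DRF renders `PermissionDenied` as `{"detail": "..."}` with a 403, while every other failure in this view returns `{'error': ERR_...}` with a 400, so clients keyed on the `error` field will not see this one; either document that the 403 uses the `detail` envelope or return it the same way, e.g. `return Response({'error': ERR_NOT_PERMITTED}, status=status.HTTP_403_FORBIDDEN)` with a matching constant defined next to the existing `ERR_` values (outside the hunk). The enclosing method starts outside the hunk, so the position of the earlier key checks is inferred from the context lines only.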
diff --git a/netbox/secrets/templatetags/__init__.py b/netbox/secrets/templatetags/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/netbox/secrets/templatetags/secret_helpers.py b/netbox/secrets/templatetags/secret_helpers.py
new file mode 100644
index 000000000..142c0d2cb
--- /dev/null
+++ b/netbox/secrets/templatetags/secret_helpers.py
@@ -0,0 +1,12 @@
+from django import template
+
+
+register = template.Library()
+
+
+@register.filter()
+def decryptable_by(secret, user):
+    """
+    Determine whether a given User is permitted to decrypt a Secret.
+    """
+    return secret.decryptable_by(user)
diff --git a/netbox/templates/secrets/inc/secret_tr.html b/netbox/templates/secrets/inc/secret_tr.html
index cc97a6eb0..b64b334e8 100644
--- a/netbox/templates/secrets/inc/secret_tr.html
+++ b/netbox/templates/secrets/inc/secret_tr.html
@@ -1,13 +1,20 @@
+{% load secret_helpers %} {{ secret.role }} {{ secret.name }} ******** - - + {% if secret|decryptable_by:request.user %} + + {% else %} + {% endif %}
diff --git a/netbox/templates/secrets/secret.html b/netbox/templates/secrets/secret.html
index 950ce3120..e98030c9a 100644
--- a/netbox/templates/secrets/secret.html
+++ b/netbox/templates/secrets/secret.html
@@ -1,5 +1,6 @@
 {% extends '_base.html' %}
 {% load static from staticfiles %}
+{% load secret_helpers %}
 
 {% block title %}Secret: {{ secret }}{% endblock %}
 
@@ -67,28 +68,35 @@
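Review bot: The `decryptable_by` filter's docstring should say that it is a presentation-only gate (it decides whether the decrypt control is rendered) and that the authoritative check is the one the API view performs on the decrypt request, so nobody later treats hiding the button as the access control; something like `"""Template filter: True if `user` may decrypt `secret`. Presentation only; the secrets API view enforces the real check."""`. The filter also passes `user` straight through, and the templates call it with `request.user`; if `request` is ever absent from a template context Django resolves that to the empty string and the filter would call `secret.decryptable_by('')`, whose result I cannot see from here, so a short comment noting the dependency on the request context processor would help.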
-
-
- Secret Data -
-
-
- {% csrf_token %} -
-
-
Secret
-
********
-
- - + {% if secret|decryptable_by:request.user %} +
+
+ Secret Data +
+
+
+ {% csrf_token %} +
+
+
Secret
+
********
+
+ + +
-
+ {% else %} +
+ + You do not have permission to decrypt this secret. +
+ {% endif %}