#68: Improved permissions-related error handling

netbox/secrets/api/views.py

@@ -4,6 +4,7 @@ from django.shortcuts import get_object_or_404
 
 from rest_framework import generics
 from rest_framework import status
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
@@ -108,7 +109,8 @@ class SecretDetailView(generics.GenericAPIView):
                     {'error': ERR_USERKEY_INACTIVE},
                     status=status.HTTP_400_BAD_REQUEST
                 )
-            if secret.decryptable_by(request.user):
+            if not secret.decryptable_by(request.user):
+                raise PermissionDenied(detail="You do not have permission to decrypt this secret.")
             master_key = uk.get_master_key(private_key)
             if master_key is None:
                 return Response(

netbox/secrets/templatetags/secret_helpers.py

@@ -0,0 +1,12 @@
+from django import template
+
+
+register = template.Library()
+
+
+@register.filter()
+def decryptable_by(secret, user):
+    """
+    Determine whether a given User is permitted to decrypt a Secret.
+    """
+    return secret.decryptable_by(user)

netbox/templates/secrets/inc/secret_tr.html

@@ -1,13 +1,20 @@
+{% load secret_helpers %}
 <tr>
     <td><a href="{% url 'secrets:secret' pk=secret.pk %}">{{ secret.role }}</a></td>
     <td>{{ secret.name }}</td>
     <td id="secret_{{ secret.pk }}">********</td>
     <td class="text-right">
+        {% if secret|decryptable_by:request.user %}
             <button class="btn btn-xs btn-success unlock-secret" secret-id="{{ secret.pk }}">
                 <i class="fa fa-lock"></i> Unlock
             </button>
             <button class="btn btn-xs btn-danger lock-secret collapse" secret-id="{{ secret.pk }}">
                 <i class="fa fa-unlock-alt"></i> Lock
             </button>
+        {% else %}
+            <button class="btn btn-xs btn-default" disabled="disabled" title="Permission denied">
+                <i class="fa fa-lock"></i> Unlock
+            </button>
+        {% endif %}
     </td>
 </tr>

netbox/templates/secrets/secret.html

@@ -1,5 +1,6 @@
 {% extends '_base.html' %}
 {% load static from staticfiles %}
+{% load secret_helpers %}
 
 {% block title %}Secret: {{ secret }}{% endblock %}
 
@@ -67,6 +68,7 @@
         </div>
 	</div>
 	<div class="col-md-6">
+        {% if secret|decryptable_by:request.user %}
             <div class="panel panel-default">
                 <div class="panel-heading">
                     <strong>Secret Data</strong>
@@ -89,6 +91,12 @@
                     </div>
                 </div>
             </div>
+        {% else %}
+            <div class="alert alert-warning">
+                <i class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></i>
+                You do not have permission to decrypt this secret.
+            </div>
+        {% endif %}
     </div>
 </div>