#68: Improved permissions-related error handling

2024-05-10 07:54:54 +00:00 · 2016-07-06 17:22:10 -04:00
parent e7f21dea4b
commit 966ea45050
5 changed files with 62 additions and 33 deletions
--- a/netbox/secrets/api/views.py
+++ b/netbox/secrets/api/views.py
@ -4,6 +4,7 @@ from django.shortcuts import get_object_or_404

 from rest_framework import generics
 from rest_framework import status
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
@ -108,7 +109,8 @@ class SecretDetailView(generics.GenericAPIView):
                    {'error': ERR_USERKEY_INACTIVE},
                    status=status.HTTP_400_BAD_REQUEST
                )
-            if secret.decryptable_by(request.user):
+            if not secret.decryptable_by(request.user):
+                raise PermissionDenied(detail="You do not have permission to decrypt this secret.")
            master_key = uk.get_master_key(private_key)
            if master_key is None:
                return Response(
--- a/netbox/secrets/templatetags/init.py
+++ b/netbox/secrets/templatetags/init.py
--- a/netbox/secrets/templatetags/secret_helpers.py
+++ b/netbox/secrets/templatetags/secret_helpers.py
@ -0,0 +1,12 @@
+from django import template
+
+
+register = template.Library()
+
+
+@register.filter()
+def decryptable_by(secret, user):
+    """
+    Determine whether a given User is permitted to decrypt a Secret.
+    """
+    return secret.decryptable_by(user)
--- a/netbox/templates/secrets/inc/secret_tr.html
+++ b/netbox/templates/secrets/inc/secret_tr.html
@ -1,13 +1,20 @@
+{% load secret_helpers %}
 <tr>
    <td><a href="{% url 'secrets:secret' pk=secret.pk %}">{{ secret.role }}</a></td>
    <td>{{ secret.name }}</td>
    <td id="secret_{{ secret.pk }}">********</td>
    <td class="text-right">
+        {% if secret|decryptable_by:request.user %}
            <button class="btn btn-xs btn-success unlock-secret" secret-id="{{ secret.pk }}">
                <i class="fa fa-lock"></i> Unlock
            </button>
            <button class="btn btn-xs btn-danger lock-secret collapse" secret-id="{{ secret.pk }}">
                <i class="fa fa-unlock-alt"></i> Lock
            </button>
+        {% else %}
+            <button class="btn btn-xs btn-default" disabled="disabled" title="Permission denied">
+                <i class="fa fa-lock"></i> Unlock
+            </button>
+        {% endif %}
    </td>
 </tr>
--- a/netbox/templates/secrets/secret.html
+++ b/netbox/templates/secrets/secret.html
@ -1,5 +1,6 @@
 {% extends '_base.html' %}
 {% load static from staticfiles %}
+{% load secret_helpers %}

 {% block title %}Secret: {{ secret }}{% endblock %}

@ -67,6 +68,7 @@
        </div>
 	</div>
 	<div class="col-md-6">
+        {% if secret|decryptable_by:request.user %}
            <div class="panel panel-default">
                <div class="panel-heading">
                    <strong>Secret Data</strong>
@ -89,6 +91,12 @@
                    </div>
                </div>
            </div>
+        {% else %}
+            <div class="alert alert-warning">
+                <i class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></i>
+                You do not have permission to decrypt this secret.
+            </div>
+        {% endif %}
    </div>
 </div>