Closes #12207: Establish a permission for creating API tokens on behalf of other users (#12192)

* 11091 add permission to allow user to create api tokens for other users * 11091 update docs * 11091 fix for test * 11091 fix for test * 11091 test case for invalid token creation * 11091 add test for permission grant * Cleanup & fix serializer validation --------- Co-authored-by: jeremystretch <jstretch@netboxlabs.com>
2024-05-10 07:54:54 +00:00 · 2023-04-12 07:25:06 -07:00
parent 97ed6439ce
commit 9e305c6181
4 changed files with 39 additions and 3 deletions
--- a/netbox/users/api/serializers.py
+++ b/netbox/users/api/serializers.py
@@ -2,6 +2,7 @@ from django.conf import settings
 from django.contrib.auth.models import Group, User
 from django.contrib.contenttypes.models import ContentType
 from rest_framework import serializers
+from rest_framework.exceptions import PermissionDenied

 from netbox.api.fields import ContentTypeField, IPNetworkSerializer, SerializedPKRelatedField
 from netbox.api.serializers import ValidatedModelSerializer
@@ -91,6 +92,16 @@ class TokenSerializer(ValidatedModelSerializer):
            data['key'] = Token.generate_key()
        return super().to_internal_value(data)

+    def validate(self, data):
+
+        # If the Token is being created on behalf of another user, enforce the grant_token permission.
+        request = self.context.get('request')
+        token_user = data.get('user')
+        if token_user and token_user != request.user and not request.user.has_perm('users.grant_token'):
+            raise PermissionDenied("This user does not have permission to create tokens for other users.")
+
+        return super().validate(data)
+

 class TokenProvisionSerializer(serializers.Serializer):
    username = serializers.CharField()
--- a/netbox/users/tests/test_api.py
+++ b/netbox/users/tests/test_api.py
@@ -153,6 +153,26 @@ class TokenTest(
        response = self.client.post(url, data, format='json', **self.header)
        self.assertEqual(response.status_code, 403)

+    def test_provision_token_other_user(self):
+        """
+        Test provisioning a Token for a different User with & without the grant_token permission.
+        """
+        self.add_permissions('users.add_token')
+        user2 = User.objects.create_user(username='testuser2')
+        data = {
+            'user': user2.id,
+        }
+        url = reverse('users-api:token-list')
+
+        # Attempt to create a new Token for User2 *without* the grant_token permission
+        response = self.client.post(url, data, format='json', **self.header)
+        self.assertEqual(response.status_code, 403)
+
+        # Assign grant_token permission and successfully create a new Token for User2
+        self.add_permissions('users.grant_token')
+        response = self.client.post(url, data, format='json', **self.header)
+        self.assertEqual(response.status_code, 201)
+

 class ObjectPermissionTest(
    # No GraphQL support for ObjectPermission