mirror of https://github.com/netbox-community/netbox.git synced 2024-05-10 07:54:54 +00:00

Closes #12207: Establish a permission for creating API tokens on behalf of other users (#12192)

* 11091 add permission to allow user to create api tokens for other users

* 11091 update docs

* 11091 fix for test

* 11091 fix for test

* 11091 test case for invalid token creation

* 11091 add test for permission grant

* Cleanup & fix serializer validation

---------

Co-authored-by: jeremystretch <jstretch@netboxlabs.com>
Arthur Hanson
2023-04-12 07:25:06 -07:00
committed by GitHub
parent 97ed6439ce
commit 9e305c6181
4 changed files with 39 additions and 3 deletions


@@ -2,6 +2,7 @@ from django.conf import settings
from django.contrib.auth.models import Group, User
from django.contrib.contenttypes.models import ContentType
from rest_framework import serializers
from rest_framework.exceptions import PermissionDenied
from netbox.api.fields import ContentTypeField, IPNetworkSerializer, SerializedPKRelatedField
from netbox.api.serializers import ValidatedModelSerializer
@@ -91,6 +92,16 @@ class TokenSerializer(ValidatedModelSerializer):
data['key'] = Token.generate_key()
return super().to_internal_value(data)
def validate(self, data):
# If the Token is being created on behalf of another user, enforce the grant_token permission.
request = self.context.get('request')
token_user = data.get('user')
if token_user and token_user != request.user and not request.user.has_perm('users.grant_token'):
raise PermissionDenied("This user does not have permission to create tokens for other users.")
return super().validate(data)
class TokenProvisionSerializer(serializers.Serializer):
username = serializers.CharField()
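Review bot: In `TokenSerializer.validate`, `request = self.context.get('request')` yields `None` when the serializer is built without a request in its context, and the following condition then dereferences `request.user`, so the permission check ends in an AttributeError instead of an explicit decision. Because this is an authorization gate, it should fail closed deliberately, e.g. `if token_user and (request is None or (token_user != request.user and not request.user.has_perm('users.grant_token'))):`. The comment could also state that the check runs on updates as well as creates whenever `user` is present in the validated data, and that a payload omitting `user` skips it, so the code that assigns the default owner (not visible in this hunk) has to set it to the requesting user.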