Fixes #7092: Fix missing object permissions on Prefix IP Addresses view

netbox/ipam/views.py

@@ -455,8 +455,16 @@ class PrefixIPAddressesView(generic.ObjectView):
 
         bulk_querystring = 'vrf_id={}&parent={}'.format(instance.vrf.pk if instance.vrf else '0', instance.prefix)
 
+        # Compile permissions list for rendering the object table
+        permissions = {
+            'add': request.user.has_perm('ipam.add_ipaddress'),
+            'change': request.user.has_perm('ipam.change_ipaddress'),
+            'delete': request.user.has_perm('ipam.delete_ipaddress'),
+        }
+
         return {
             'table': table,
+            'permissions': permissions,
             'bulk_querystring': bulk_querystring,
             'active_tab': 'ip-addresses',
             'first_available_ip': instance.get_first_available_ip(),

netbox/templates/utilities/obj_table.html

@@ -1,40 +1,44 @@
 {% load helpers %}
+
 {% if permissions.change or permissions.delete %}
     <form method="post" class="form form-horizontal">
         {% csrf_token %}
         <input type="hidden" name="return_url" value="{% if return_url %}{{ return_url }}{% else %}{{ request.path }}{% if request.GET %}?{{ request.GET.urlencode }}{% endif %}{% endif %}" />
+
         {% if table.paginator.num_pages > 1 %}
             <div id="select-all-box" class="d-none card noprint">
-                <div class="card-body">
-                    <div class="float-end">
-                        {% if bulk_edit_url and permissions.change %}
-                            <button type="submit" name="_edit" formaction="{% url bulk_edit_url %}{% if bulk_querystring %}?{{ bulk_querystring }}{% elif request.GET %}?{{ request.GET.urlencode }}{% endif %}" class="btn btn-warning btn-sm" disabled="disabled">
-                                <span class="mdi mdi-pencil" aria-hidden="true"></span> Edit All
-                            </button>
-                        {% endif %}
-                        {% if bulk_delete_url and permissions.delete %}
-                            <button type="submit" name="_delete" formaction="{% url bulk_delete_url %}{% if bulk_querystring %}?{{ bulk_querystring }}{% elif request.GET %}?{{ request.GET.urlencode }}{% endif %}" class="btn btn-danger btn-sm" disabled="disabled">
-                                <span class="mdi mdi-trash-can-outline" aria-hidden="true"></span> Delete All
-                            </button>
-                        {% endif %}
-                    </div>
-                    <div class="form-check">
-                      <input type="checkbox" id="select-all" name="_all" class="form-check-input" />
-                      <label for="select-all" class="form-check-label">
-                        Select <strong>all {{ table.rows|length }} {{ table.data.verbose_name_plural }}</strong> matching query
-                      </label>
-                    </div>
+                <div class="float-end">
+                    {% if bulk_edit_url and permissions.change %}
+                        <button type="submit" name="_edit" formaction="{% url bulk_edit_url %}{% if bulk_querystring %}?{{ bulk_querystring }}{% elif request.GET %}?{{ request.GET.urlencode }}{% endif %}" class="btn btn-warning btn-sm" disabled="disabled">
+                            <span class="mdi mdi-pencil" aria-hidden="true"></span> Edit All
+                        </button>
+                    {% endif %}
+                    {% if bulk_delete_url and permissions.delete %}
+                        <button type="submit" name="_delete" formaction="{% url bulk_delete_url %}{% if bulk_querystring %}?{{ bulk_querystring }}{% elif request.GET %}?{{ request.GET.urlencode }}{% endif %}" class="btn btn-danger btn-sm" disabled="disabled">
+                            <span class="mdi mdi-trash-can-outline" aria-hidden="true"></span> Delete All
+                        </button>
+                    {% endif %}
+                </div>
+                <div class="form-check">
+                    <input type="checkbox" id="select-all" name="_all" class="form-check-input" />
+                    <label for="select-all" class="form-check-label">
+                    Select <strong>all {{ table.rows|length }} {{ table.data.verbose_name_plural }}</strong> matching query
+                    </label>
                 </div>
             </div>
         {% endif %}
+
         {% include table_template|default:'inc/responsive_table.html' %}
+
         <div class="float-start noprint">
             {% block extra_actions %}{% endblock %}
+
             {% if bulk_edit_url and permissions.change %}
                 <button type="submit" name="_edit" formaction="{% url bulk_edit_url %}{% if request.GET %}?{{ request.GET.urlencode }}{% endif %}" class="btn btn-warning btn-sm">
                     <i class="mdi mdi-pencil" aria-hidden="true"></i> Edit Selected
                 </button>
             {% endif %}
+
             {% if bulk_delete_url and permissions.delete %}
                 <button type="submit" name="_delete" formaction="{% url bulk_delete_url %}{% if request.GET %}?{{ request.GET.urlencode }}{% endif %}" class="btn btn-danger btn-sm">
                     <i class="mdi mdi-trash-can-outline" aria-hidden="true"></i> Delete Selected
@@ -43,7 +47,9 @@
         </div>
     </form>
 {% else %}
+
     {% include table_template|default:'inc/responsive_table.html' %}
+
 {% endif %}
-    {% include 'inc/paginator.html' with paginator=table.paginator page=table.page %}
-<div class="clearfix"></div>
+
+{% include 'inc/paginator.html' with paginator=table.paginator page=table.page %}