From cc6e74dfd53b9d8fc3c5937055c9e90fcaa05275 Mon Sep 17 00:00:00 2001 From: Jeremy Stretch Date: Thu, 21 May 2020 13:12:15 -0400 Subject: [PATCH] Move ObjectPermissionRequiredMixin to utilities.views --- netbox/dcim/views.py | 3 +- netbox/ipam/views.py | 2 +- netbox/netbox/authentication.py | 55 ----------------------------- netbox/utilities/permissions.py | 15 ++++++++ netbox/utilities/views.py | 62 ++++++++++++++++++++++++++++++++- 5 files changed, 78 insertions(+), 59 deletions(-) delete mode 100644 netbox/netbox/authentication.py create mode 100644 netbox/utilities/permissions.py diff --git a/netbox/dcim/views.py b/netbox/dcim/views.py index d6b97e128..2bcf876c6 100644 --- a/netbox/dcim/views.py +++ b/netbox/dcim/views.py @@ -21,13 +21,12 @@ from extras.models import Graph from extras.views import ObjectConfigContextView from ipam.models import Prefix, VLAN from ipam.tables import InterfaceIPAddressTable, InterfaceVLANTable -from netbox.authentication import ObjectPermissionRequiredMixin from utilities.forms import ConfirmationForm from utilities.paginator import EnhancedPaginator from utilities.utils import csv_format from utilities.views import ( BulkComponentCreateView, BulkDeleteView, BulkEditView, BulkImportView, ComponentCreateView, GetReturnURLMixin, - ObjectImportView, ObjectDeleteView, ObjectEditView, ObjectListView, + ObjectImportView, ObjectDeleteView, ObjectEditView, ObjectListView, ObjectPermissionRequiredMixin, ) from virtualization.models import VirtualMachine from . import filters, forms, tables diff --git a/netbox/ipam/views.py b/netbox/ipam/views.py index ab97afc2a..bb0844d4d 100644 --- a/netbox/ipam/views.py +++ b/netbox/ipam/views.py @@ -8,10 +8,10 @@ from django.views.generic import View from django_tables2 import RequestConfig from dcim.models import Device, Interface -from netbox.authentication import ObjectPermissionRequiredMixin from utilities.paginator import EnhancedPaginator from utilities.views import ( BulkCreateView, BulkDeleteView, BulkEditView, BulkImportView, ObjectDeleteView, ObjectEditView, ObjectListView, + ObjectPermissionRequiredMixin, ) from virtualization.models import VirtualMachine from . import filters, forms, tables diff --git a/netbox/netbox/authentication.py b/netbox/netbox/authentication.py deleted file mode 100644 index 2e68e6ef1..000000000 --- a/netbox/netbox/authentication.py +++ /dev/null @@ -1,55 +0,0 @@ -from django.contrib.auth.mixins import AccessMixin -from django.core.exceptions import ImproperlyConfigured - -from users.models import ObjectPermission - - -class ObjectPermissionRequiredMixin(AccessMixin): - """ - Similar to Django's built-in PermissionRequiredMixin, but extended to check for both model-level and object-level - permission assignments. If the user has only object-level permissions assigned, the view's queryset is filtered - to return only those objects on which the user is permitted to perform the specified action. - """ - permission_required = None - - def has_permission(self): - user = self.request.user - - # First, check that the user is granted the required permission at either the model or object level. - if not user.has_perm(self.permission_required): - return False - - # Superusers implicitly have all permissions - if user.is_superuser: - return True - - # Determine whether the permission is model-level or object-level. Model-level permissions grant the - # specified action to *all* objects, so no further action is needed. - if self.permission_required in {*user._user_perm_cache, *user._group_perm_cache}: - return True - - # If the permission is granted only at the object level, filter the view's queryset to return only objects - # on which the user is permitted to perform the specified action. - attrs = ObjectPermission.objects.get_attr_constraints(user, self.permission_required) - if attrs: - # Update the view's QuerySet to filter only the permitted objects - self.queryset = self.queryset.filter(attrs) - return True - - def dispatch(self, request, *args, **kwargs): - if self.permission_required is None: - raise ImproperlyConfigured( - '{0} is missing the permission_required attribute. Define {0}.permission_required, or override ' - '{0}.get_permission_required().'.format(self.__class__.__name__) - ) - - if not hasattr(self, 'queryset'): - raise ImproperlyConfigured( - '{} has no queryset defined. ObjectPermissionRequiredMixin may only be used on views which define ' - 'a base queryset'.format(self.__class__.__name__) - ) - - if not self.has_permission(): - return self.handle_no_permission() - - return super().dispatch(request, *args, **kwargs) diff --git a/netbox/utilities/permissions.py b/netbox/utilities/permissions.py new file mode 100644 index 000000000..516d6fe5b --- /dev/null +++ b/netbox/utilities/permissions.py @@ -0,0 +1,15 @@ +def get_permission_for_model(model, action): + """ + Resolve the named permission for a given model (or instance) and action (e.g. view or add). + + :param model: A model or instance + :param action: View, add, change, or delete (string) + """ + if action not in ('view', 'add', 'change', 'delete'): + raise ValueError(f"Unsupported action: {action}") + + return '{}.{}_{}'.format( + model._meta.app_label, + action, + model._meta.model_name + ) diff --git a/netbox/utilities/views.py b/netbox/utilities/views.py index 01eb6d2ba..6097fa5b2 100644 --- a/netbox/utilities/views.py +++ b/netbox/utilities/views.py @@ -4,7 +4,8 @@ from copy import deepcopy from django.contrib import messages from django.contrib.contenttypes.models import ContentType -from django.core.exceptions import FieldDoesNotExist, ObjectDoesNotExist, ValidationError +from django.contrib.auth.mixins import AccessMixin +from django.core.exceptions import FieldDoesNotExist, ImproperlyConfigured, ObjectDoesNotExist, ValidationError from django.db import transaction, IntegrityError from django.db.models import ManyToManyField, ProtectedError from django.forms import Form, ModelMultipleChoiceField, MultipleHiddenInput, Textarea @@ -32,6 +33,61 @@ from .forms import ConfirmationForm, ImportForm from .paginator import EnhancedPaginator, get_paginate_count +# +# Mixins +# + +class ObjectPermissionRequiredMixin(AccessMixin): + """ + Similar to Django's built-in PermissionRequiredMixin, but extended to check for both model-level and object-level + permission assignments. If the user has only object-level permissions assigned, the view's queryset is filtered + to return only those objects on which the user is permitted to perform the specified action. + """ + permission_required = None + + def has_permission(self): + user = self.request.user + + # First, check that the user is granted the required permission at either the model or object level. + if not user.has_perm(self.permission_required): + return False + + # Superusers implicitly have all permissions + if user.is_superuser: + return True + + # Determine whether the permission is model-level or object-level. Model-level permissions grant the + # specified action to *all* objects, so no further action is needed. + if self.permission_required in {*user._user_perm_cache, *user._group_perm_cache}: + return True + + # If the permission is granted only at the object level, filter the view's queryset to return only objects + # on which the user is permitted to perform the specified action. + attrs = ObjectPermission.objects.get_attr_constraints(user, self.permission_required) + if attrs: + # Update the view's QuerySet to filter only the permitted objects + self.queryset = self.queryset.filter(attrs) + return True + + def dispatch(self, request, *args, **kwargs): + if self.permission_required is None: + raise ImproperlyConfigured( + '{0} is missing the permission_required attribute. Define {0}.permission_required, or override ' + '{0}.get_permission_required().'.format(self.__class__.__name__) + ) + + if not hasattr(self, 'queryset'): + raise ImproperlyConfigured( + '{} has no queryset defined. ObjectPermissionRequiredMixin may only be used on views which define ' + 'a base queryset'.format(self.__class__.__name__) + ) + + if not self.has_permission(): + return self.handle_no_permission() + + return super().dispatch(request, *args, **kwargs) + + class GetReturnURLMixin(object): """ Provides logic for determining where a user should be redirected after processing a form. @@ -58,6 +114,10 @@ class GetReturnURLMixin(object): return reverse('home') +# +# Generic views +# + class ObjectListView(View): """ List a series of objects.