Enforce view permissions for UI views

2024-05-10 07:54:54 +00:00 · 2019-04-11 17:27:38 -04:00
parent ea6815b9bb
commit e710ccb0e6
16 changed files with 257 additions and 168 deletions
--- a/netbox/extras/tests/test_views.py
+++ b/netbox/extras/tests/test_views.py
@@ -7,6 +7,7 @@ from django.urls import reverse

 from dcim.models import Site
 from extras.models import ConfigContext, ObjectChange, Tag
+from utilities.testing import create_test_user


 class TagTestCase(TestCase):
@@ -35,8 +36,9 @@ class TagTestCase(TestCase):
 class ConfigContextTestCase(TestCase):

    def setUp(self):
-
+        user = create_test_user(permissions=['extras.view_configcontext'])
        self.client = Client()
+        self.client.force_login(user)

        site = Site(name='Site 1', slug='site-1')
        site.save()
@@ -70,11 +72,9 @@ class ConfigContextTestCase(TestCase):
 class ObjectChangeTestCase(TestCase):

    def setUp(self):
-
+        user = create_test_user(permissions=['extras.view_objectchange'])
        self.client = Client()
-
-        user = User(username='testuser', email='testuser@example.com')
-        user.save()
+        self.client.force_login(user)

        site = Site(name='Site 1', slug='site-1')
        site.save()
--- a/netbox/extras/views.py
+++ b/netbox/extras/views.py
@@ -96,7 +96,8 @@ class TagBulkDeleteView(PermissionRequiredMixin, BulkDeleteView):
 # Config contexts
 #

-class ConfigContextListView(ObjectListView):
+class ConfigContextListView(PermissionRequiredMixin, ObjectListView):
+    permission_required = 'extras.view_configcontext'
    queryset = ConfigContext.objects.all()
    filter = filters.ConfigContextFilter
    filter_form = ConfigContextFilterForm
@@ -104,7 +105,8 @@ class ConfigContextListView(ObjectListView):
    template_name = 'extras/configcontext_list.html'


-class ConfigContextView(View):
+class ConfigContextView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_configcontext'

    def get(self, request, pk):

@@ -173,7 +175,8 @@ class ObjectConfigContextView(View):
 # Change logging
 #

-class ObjectChangeListView(ObjectListView):
+class ObjectChangeListView(PermissionRequiredMixin, ObjectListView):
+    permission_required = 'extras.view_objectchange'
    queryset = ObjectChange.objects.select_related('user', 'changed_object_type')
    filter = filters.ObjectChangeFilter
    filter_form = ObjectChangeFilterForm
@@ -181,7 +184,8 @@ class ObjectChangeListView(ObjectListView):
    template_name = 'extras/objectchange_list.html'


-class ObjectChangeView(View):
+class ObjectChangeView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_objectchange'

    def get(self, request, pk):

@@ -272,10 +276,11 @@ class ImageAttachmentDeleteView(PermissionRequiredMixin, ObjectDeleteView):
 # Reports
 #

-class ReportListView(View):
+class ReportListView(PermissionRequiredMixin, View):
    """
    Retrieve all of the available reports from disk and the recorded ReportResult (if any) for each.
    """
+    permission_required = 'extras.view_reportresult'

    def get(self, request):

@@ -295,10 +300,11 @@ class ReportListView(View):
        })


-class ReportView(View):
+class ReportView(PermissionRequiredMixin, View):
    """
    Display a single Report and its associated ReportResult (if any).
    """
+    permission_required = 'extras.view_reportresult'

    def get(self, request, name):