#724: Exempt API views from LoginRequiredMiddleware to enable basic HTTP authentication when LOGIN_REQUIRED is true

2024-05-10 07:54:54 +00:00 · 2016-12-07 15:14:22 -05:00
parent 4a9b4c5387
commit fca812928e
2 changed files with 7 additions and 1 deletions
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@ -185,6 +185,8 @@ SECRETS_MIN_PUBKEY_SIZE = 2048
 REST_FRAMEWORK = {
    'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)
 }
+if LOGIN_REQUIRED:
+    REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'] = ('rest_framework.permissions.IsAuthenticated',)

 # Swagger settings (API docs)
 SWAGGER_SETTINGS = {
--- a/netbox/utilities/middleware.py
+++ b/netbox/utilities/middleware.py
@ -2,6 +2,7 @@ from django.http import HttpResponseRedirect
 from django.conf import settings


+BASE_PATH = getattr(settings, 'BASE_PATH', False)
 LOGIN_REQUIRED = getattr(settings, 'LOGIN_REQUIRED', False)


@ -11,5 +12,8 @@ class LoginRequiredMiddleware:
    """
    def process_request(self, request):
        if LOGIN_REQUIRED and not request.user.is_authenticated():
-            if request.path_info != settings.LOGIN_URL:
+            # Redirect unauthenticated requests to the login page. API requests are exempt from redirection as the API
+            # performs its own authentication.
+            api_path = '/{}api/'.format(BASE_PATH)
+            if not request.path_info.startswith(api_path) and request.path_info != settings.LOGIN_URL:
                return HttpResponseRedirect('{}?next={}'.format(settings.LOGIN_URL, request.path_info))