Fixes #1385: Connected device API endpoint no longer requires authentication if LOGIN_REQUIRED=False

2024-05-10 07:54:54 +00:00 · 2017-08-02 11:17:57 -04:00
parent 28225c7cbd
commit fd6df8e52a
2 changed files with 30 additions and 4 deletions
--- a/netbox/utilities/api.py
+++ b/netbox/utilities/api.py
@ -4,9 +4,10 @@ from django.conf import settings
 from django.contrib.contenttypes.models import ContentType

 from rest_framework import authentication, exceptions
+from rest_framework.compat import is_authenticated
 from rest_framework.exceptions import APIException
 from rest_framework.pagination import LimitOffsetPagination
-from rest_framework.permissions import DjangoModelPermissions, SAFE_METHODS
+from rest_framework.permissions import BasePermission, DjangoModelPermissions, SAFE_METHODS
 from rest_framework.serializers import Field, ValidationError

 from users.models import Token
@ -20,6 +21,10 @@ class ServiceUnavailable(APIException):
    default_detail = "Service temporarily unavailable, please try again later."


+#
+# Authentication
+#
+
 class TokenAuthentication(authentication.TokenAuthentication):
    """
    A custom authentication scheme which enforces Token expiration times.
@ -61,6 +66,20 @@ class TokenPermissions(DjangoModelPermissions):
        return super(TokenPermissions, self).has_permission(request, view)


+class IsAuthenticatedOrLoginNotRequired(BasePermission):
+    """
+    Returns True if the user is authenticated or LOGIN_REQUIRED is False.
+    """
+    def has_permission(self, request, view):
+        if not settings.LOGIN_REQUIRED:
+            return True
+        return request.user and is_authenticated(request.user)
+
+
+#
+# Serializers
+#
+
 class ChoiceFieldSerializer(Field):
    """
    Represent a ChoiceField as {'value': <DB value>, 'label': <string>}.
@ -98,6 +117,10 @@ class ContentTypeFieldSerializer(Field):
            raise ValidationError("Invalid content type")


+#
+# Mixins
+#
+
 class ModelValidationMixin(object):
    """
    Enforce a model's validation through clean() when validating serializer data. This is necessary to ensure we're
@ -119,6 +142,10 @@ class WritableSerializerMixin(object):
        return self.serializer_class


+#
+# Pagination
+#
+
 class OptionalLimitOffsetPagination(LimitOffsetPagination):
    """
    Override the stock paginator to allow setting limit=0 to disable pagination for a request. This returns all objects