Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes: #14634 - Bypass Write permissions for render endpoint #15251

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Fixes: #14634 - Bypass Write permissions for render endpoint #15251

wants to merge 3 commits into from
+29 −3

Conversation

DanSheps
Copy link
Member

Fixes: #14634 - Bypass Write permissions for render endpoint

  • Bypass permission for render endpoint by swapping the permissions map and overriding the restrict() action.

@jeremystretch
Copy link
Member

@DanSheps are you still working on this?

@DanSheps
Copy link
Member Author

Yes, sorry, I will get back on it. Trying to find an elegant way to do this.

DanSheps
DanSheps commented Mar 21, 2024
View reviewed changes
netbox/extras/api/mixins.py
Comment on lines +69 to +71
def initial(self, request, *args, **kwargs):
self.original_queryset = self.queryset
super().initial(request, *args, **kwargs)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could alternatively modify:

class BaseViewSet(GenericViewSet):
    """
    Base class for all API ViewSets. This is responsible for the enforcement of object-based permissions.
    """
    def initial(self, request, *args, **kwargs):
        super().initial(request, *args, **kwargs)

        # Restrict the view's QuerySet to allow only the permitted objects
        if request.user.is_authenticated:
            if action := HTTP_ACTIONS[request.method]:
                self.queryset = self.queryset.restrict(request.user, action)

to account for permissions using:

self.get_permissions() and using the resulting perms_map to determine what permission should be applied.

This is a down the road thing IMO though.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll definitely need to identify a more maintainable solution. This will probably entail digging into DRF permissions logic a bit.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned above, I think we can figure out something by modifying the BaseViewSet and then adjusting the queryset based on that.

I will take a second crack at this on the weekend.

@DanSheps DanSheps marked this pull request as ready for review March 21, 2024 03:41
@DanSheps DanSheps self-assigned this Mar 21, 2024
@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further action is taken.

@github-actions github-actions bot added the pending closure Requires immediate attention to avoid being closed for inactivity label May 21, 2024
@DanSheps DanSheps removed the pending closure Requires immediate attention to avoid being closed for inactivity label May 21, 2024
@DanSheps
Copy link
Member Author

Need to get back to this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeremystretch jeremystretch Awaiting requested review from jeremystretch

Assignees

@DanSheps DanSheps

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

API access to render-config needs add permissions and write enable for the api token
2 participants
@DanSheps @jeremystretch