Correct permissions for scheduled-job REST APIs #1490

glennmatthews · 2022-03-14T15:56:35Z

Fixes: #1478

Correct the permissions on our custom scheduledjob REST API endpoints:

POST /api/extras/scheduled-jobs/<pk>/approve/
- No longer requires extras.add_scheduledjob permission
- Now requires extras.change_scheduledjob permission
- Now requires extras.approve_job permission
POST /api/extras/scheduled-jobs/<pk>/deny/
- No longer requires extras.add_scheduledjob permission
- Now requires extras.delete_scheduledjob permission
- Now requires extras.approve_job permission
POST /api/extras/scheduled-jobs/<pk>/dry-run/
- No longer requires extras.add_scheduledjob permission
- Now requires extras.view_scheduledjob permission
- Now requires extras.run_job permission

There's got to be a better/cleaner way to adjust the permissions enforced for a given viewpoint that wouldn't require both overriding ModelViewSetMixin.restrict_queryset and subclassing TokenPermissions, but this is the briefest approach I've been able to identify with respect to the current implementation in Nautobot.

nautobot/extras/api/views.py

Co-authored-by: Bryan Culver <31187+bryanculver@users.noreply.github.com>

glennmatthews · 2022-03-17T21:45:44Z

TODO:

update nautobot/docs/additional-features/job-scheduling-and-approvals.md to clearly document the required permissions
clearly document this as a behavior change in the release-notes

…uest

Fix #1478 - correct permissions for scheduled-job REST APIs

d08a10e

bryanculver added this to the v1.3.0 milestone Mar 15, 2022

bryanculver approved these changes Mar 17, 2022

View reviewed changes

nautobot/extras/api/views.py Outdated Show resolved Hide resolved

nautobot/extras/api/views.py Outdated Show resolved Hide resolved

Update nautobot/extras/api/views.py

7a6107e

Co-authored-by: Bryan Culver <31187+bryanculver@users.noreply.github.com>

jathanism approved these changes Mar 18, 2022

View reviewed changes

glennmatthews added 3 commits March 18, 2022 12:10

Remove permissions exception for users denying their own approval req…

2a323d0

…uest

Docs updates

b10c140

Merge branch 'next' into gfm-scheduledjob-api

3045f33

glennmatthews merged commit b7ab9ac into next Mar 21, 2022

glennmatthews deleted the gfm-scheduledjob-api branch March 21, 2022 16:06

This was referenced Mar 21, 2022

[1.3] Scheduled-job approval/dry-run REST API doesn't enforce object-based permissions yet #1478

Closed

Explore adding a concrete Job model #1001

Closed

[1.3] Jobs documentation needs to be updated #1479

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Correct permissions for scheduled-job REST APIs #1490

Correct permissions for scheduled-job REST APIs #1490

glennmatthews commented Mar 14, 2022

glennmatthews commented Mar 17, 2022 •

edited

Loading

Correct permissions for scheduled-job REST APIs #1490

Correct permissions for scheduled-job REST APIs #1490

Conversation

glennmatthews commented Mar 14, 2022

Fixes: #1478

glennmatthews commented Mar 17, 2022 • edited Loading

glennmatthews commented Mar 17, 2022 •

edited

Loading