Closes #16681: Introduce render_config permission for configuration rendering #20555
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…endering Add a new custom permission action `render_config` for rendering device and virtual machine configurations via the REST API. This allows users to render configurations without requiring the `add` permission. Changes: - Add permission check to RenderConfigMixin.render_config() for devices and VMs - Update API tests to use render_config permission instead of add - Add tests verifying permission enforcement (403 without render_config) - Document new permission requirement in configuration-rendering.md Note: Currently requires both render_config AND add permissions due to the automatic POST='add' filter in BaseViewSet.initial(). Removing the add requirement will be addressed in a follow-up commit.
Remove the add permission requirement from the render-config API endpoint while maintaining token write_enabled enforcement as specified in #16681. Changes: - Add TokenWritePermission class to check token write ability without requiring specific model permissions - Override get_permissions() in RenderConfigMixin to use TokenWritePermission instead of TokenPermissions for render_config action - Replace queryset restriction: use render_config instead of add - Remove add permissions from tests - render_config permission now sufficient - Update tests to expect 404 when permission denied (NetBox standard pattern) Per #16681: 'requirement for write permission makes sense for API calls (because we're accepting and processing arbitrary user data), the specific permission for creating devices does not'
Extend render_config permission requirement to the ConfigTemplate render endpoint per issue comments. Changes: - Add TokenWritePermission check via get_permissions() override in ConfigTemplateViewSet - Restrict queryset to render_config permission in render() method - Add explicit render_config permission check - Add tests for ConfigTemplate.render() with and without permission - Update documentation to include ConfigTemplate endpoint
| def get_permissions(self): | ||
| # For render action, check only token write ability (not model permissions) | ||
| if self.action == 'render': | ||
| return [TokenWritePermission()] |
There was a problem hiding this comment.
I think we still need to enforce view permissions for the ConfigTemplate itself.
| def get_permissions(self): | ||
| # For render_config action, check only token write ability (not model permissions) | ||
| if self.action == 'render_config': | ||
| return [TokenWritePermission()] |
There was a problem hiding this comment.
As with ConfigTemplateViewSet, I think we still need to enforce view permission for the device/VM for which the template is being rendered.
Remove redundant permission checks, add view permission enforcement via chained restrict() calls, and rename ConfigTemplate permission action from render_config to render for consistency.
|
I may have over-corrected a little on enforcing the view permissions, enforcing them on both the object in question and for the associated config template. Also, trying to be consistent, I enforced the view permissions by chaining another If any of these aren't the best way to do this, please let me know. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #16681
Add
render_configpermission action for rendering device, virtual machine, and config template configurations via the REST API.Changes:
/api/dcim/devices/{id}/render-config/,/api/virtualization/virtual-machines/{id}/render-config/, and/api/extras/config-templates/{id}/render/TokenWritePermissionto enforce token write ability independent of model permissionsrender_configpermissionPer #16681: rendering configs requires accepting arbitrary user data (requiring write-enabled tokens), but doesn't require permission to create devices/VMs. The
render_configpermission separates these concerns.Note: Optional data migration could grant
render_configto existing users withvieworaddpermissions to ease upgrade path. Can add if desired.