Available prefixes endpoint use parent prefix permissions on POST

[Dimaqa]

Environment

• Python version: 3.6.9
• NetBox version: 2.10.3

Steps to Reproduce

1. Create permission allowing to add only reserved prefixes
2. Create reserved prefix
3. POST on /ipam/prefixes/{created_prefix_id}/available-prefixes/
4. Returned prefix will have active status

Also you can do this:

1. Create permission allowing to add only reserved prefixes
2. Create active prefix
3. POST on /ipam/prefixes/{created_prefix_id}/available-prefixes/ with body {"status" : "reserved"}
4. API will return 404 NOT FOUND error

Expected Behavior

In the first case api should return permission error.
In the second create reserved child prefix.

Observed Behavior

We can get around add permissions using parent prefixes.

[Dimaqa]

I believe this won't fix second case, when you can't create child prefix with all needed permissions

[jeremystretch]

Yes, that's expected: If you don't have permission to view a prefix, you won't be able to automatically create child prefixes within it.

[Dimaqa]

No, my point is that if you have view all permissions and create reserved permissions, you still won't be able to create prefix with 404 error. But GET works fine, so that's probably different bug

[jeremystretch]

Sorry, I'm probably just not following. Would you bind opening a separate bug for it?

[Dimaqa]

Sure