From 1449cda390f5488b51ac3699c3c6a4f2d8e9cdd0 Mon Sep 17 00:00:00 2001
From: Arthur
Date: Thu, 11 Apr 2024 10:51:04 -0700
Subject: [PATCH 1/3] 15582 check permissions on specific object when sync request
---
 netbox/core/api/views.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/netbox/core/api/views.py b/netbox/core/api/views.py
index 7bf2f87a666..35951f5bd87 100644
--- a/netbox/core/api/views.py
+++ b/netbox/core/api/views.py
@@ -37,6 +37,11 @@ def sync(self, request, pk):
 raise PermissionDenied("Syncing data sources requires the core.sync_datasource permission.")
 datasource = get_object_or_404(DataSource, pk=pk)
+
+ # have to check perms again against this specific object as there could be constraints
+ if not request.user.has_perm('core.sync_datasource', datasource):
+ raise PermissionDenied("User does not have the core.sync_datasource permission for this object.")
+
 datasource.enqueue_sync_job(request)
 serializer = serializers.DataSourceSerializer(datasource, context={'request': request})
From 3f19be86078e6c6ffcfa552792263bbc362e39ac Mon Sep 17 00:00:00 2001
From: Arthur
Date: Mon, 15 Apr 2024 08:23:45 -0700
Subject: [PATCH 2/3] 15582 move permission check
---
 netbox/core/api/views.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/netbox/core/api/views.py b/netbox/core/api/views.py
index 35951f5bd87..c95bfb22c93 100644
--- a/netbox/core/api/views.py
+++ b/netbox/core/api/views.py
@@ -33,9 +33,6 @@ def sync(self, request, pk):
 """
 Enqueue a job to synchronize the DataSource.
 """
- if not request.user.has_perm('core.sync_datasource'):
- raise PermissionDenied("Syncing data sources requires the core.sync_datasource permission.")
-
 datasource = get_object_or_404(DataSource, pk=pk)
 # have to check perms again against this specific object as there could be constraints
From 7fcb28b60b3fefacd539f422f014e323dfc04e03 Mon Sep 17 00:00:00 2001
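Review bot: Nothing in this series exercises the new object-level check in `sync`: the diffstat of each of the three patches lists only `netbox/core/api/views.py`, so the authorization fix ships without a regression test. A test worth adding grants a user `core.sync_datasource` constrained to one data source, posts to the sync endpoint of a different data source, and asserts both a 403 response and that no sync job was enqueued. The body of `sync` starts and ends outside this hunk, so how the response is built after `serializer = ...` is not visible here.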
From: Jeremy Stretch
Date: Wed, 17 Apr 2024 09:58:33 -0400
Subject: [PATCH 3/3] Enable translation of error message
---
 netbox/core/api/views.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/netbox/core/api/views.py b/netbox/core/api/views.py
index c95bfb22c93..39c922eb641 100644
--- a/netbox/core/api/views.py
+++ b/netbox/core/api/views.py
@@ -1,5 +1,5 @@
 from django.shortcuts import get_object_or_404
-
+from django.utils.translation import gettext_lazy as _
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
@@ -35,9 +35,8 @@ def sync(self, request, pk):
 """
 datasource = get_object_or_404(DataSource, pk=pk)
- # have to check perms again against this specific object as there could be constraints
- if not request.user.has_perm('core.sync_datasource', datasource):
- raise PermissionDenied("User does not have the core.sync_datasource permission for this object.")
+ if not request.user.has_perm('core.sync_datasource', obj=datasource):
+ raise PermissionDenied(_("This user does not have permission to synchronize this data source."))
 datasource.enqueue_sync_job(request)
 serializer = serializers.DataSourceSerializer(datasource, context={'request': request})
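Review bot: `get_object_or_404(DataSource, pk=pk)` still runs before the permission check in `sync`, so any caller who reaches this action without sync permission on the object gets 404 for an unknown pk and 403 for an existing one, which reveals which data source IDs exist. If `DataSource.objects` is a restricted queryset (not visible in this hunk), resolving the object through it, e.g. `get_object_or_404(DataSource.objects.restrict(request.user, 'sync'), pk=pk)`, would return 404 in both cases; otherwise the two outcomes should be made indistinguishable some other way. This hunk also drops the comment that explained why the check is made against the object; a replacement such as `# Evaluate the permission against this object so that any constraints apply.` would keep that reasoning next to the code. The body of `sync` starts and ends outside the hunk.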