
Commit 6ec8ac7

committed
Fixes #6073: Permit users to manage their own REST API tokens without needing explicit permission
1 parent c8eae3a commit 6ec8ac7


3 files changed

+19
-25
lines changed

3 files changed

+19
-25
lines changed

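--- a/docs/release-notes/version-2.10.md
+++ b/docs/release-notes/version-2.10.md
@@ -1,5 +1,13 @@
 # NetBox v2.10
 
+## v2.10.9 (FUTURE)
+
+### Bug Fixes
+
+* [#6073](https://github.com/netbox-community/netbox/issues/6073) - Permit users to manage their own REST API tokens without needing explicit permission
+
+---
+
 ## v2.10.8 (2021-03-26)
 
 ### Bug Fixes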

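--- a/netbox/templates/users/api_tokens.html
+++ b/netbox/templates/users/api_tokens.html
@@ -11,12 +11,8 @@
 <div class="panel-heading">
 <div class="pull-right noprint">
 <a class="btn btn-xs btn-success copy-token" data-clipboard-target="#token_{{ token.pk }}">Copy</a>
-{% if perms.users.change_token %}
-<a href="{% url 'user:token_edit' pk=token.pk %}" class="btn btn-xs btn-warning">Edit</a>
-{% endif %}
-{% if perms.users.delete_token %}
-<a href="{% url 'user:token_delete' pk=token.pk %}" class="btn btn-xs btn-danger">Delete</a>
-{% endif %}
+<a href="{% url 'user:token_edit' pk=token.pk %}" class="btn btn-xs btn-warning">Edit</a>
+<a href="{% url 'user:token_delete' pk=token.pk %}" class="btn btn-xs btn-danger">Delete</a>
 </div>
 <i class="mdi mdi-key"></i>
 <samp><span id="token_{{ token.pk }}">{{ token.key }}</span></samp>
@@ -55,16 +51,10 @@
 {% empty %}
 <p>You do not have any API tokens.</p>
 {% endfor %}
-{% if perms.users.add_token %}
-<a href="{% url 'user:token_add' %}" class="btn btn-primary">
-<span class="mdi mdi-plus-thick" aria-hidden="true"></span>
-Add a token
-</a>
-{% else %}
-<div class="alert alert-info text-center" role="alert">
-You do not have permission to create new API tokens. If needed, ask an administrator to enable token creation for your account or an assigned group.
-</div>
-{% endif %}
+<a href="{% url 'user:token_add' %}" class="btn btn-primary">
+<span class="mdi mdi-plus-thick" aria-hidden="true"></span>
+Add a token
+</a>
 </div>
 </div>
 {% endblock %}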
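Review bot: The Delete button in the first hunk is now rendered for every token owner, but this commit's views.py changes are confined to TokenEditView's get/post (5 additions, 9 deletions), so TokenDeleteView is presumably untouched; if it still gates on `users.delete_token`, users without that permission will see a Delete button that leads to a 403. The Edit and Add buttons are consistent with the view changes, which drop the `change_token`/`add_token` checks, so only the delete path looks at risk of this mismatch. Confirm that TokenDeleteView, like TokenEditView, relies only on the `user=request.user` ownership filter, or keep the `{% if perms.users.delete_token %}` guard around the Delete link until it does.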

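--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@@ -6,7 +6,7 @@
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.models import update_last_login
 from django.contrib.auth.signals import user_logged_in
-from django.http import HttpResponseForbidden, HttpResponseRedirect
+from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
@@ -282,13 +282,9 @@ class TokenEditView(LoginRequiredMixin, View):
 
 def get(self, request, pk=None):
 
-if pk is not None:
-if not request.user.has_perm('users.change_token'):
-return HttpResponseForbidden()
+if pk:
 token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
 else:
-if not request.user.has_perm('users.add_token'):
-return HttpResponseForbidden()
 token = Token(user=request.user)
 
 form = TokenForm(instance=token)
@@ -302,19 +298,19 @@ def get(self, request, pk=None):
 
 def post(self, request, pk=None):
 
-if pk is not None:
+if pk:
 token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
 form = TokenForm(request.POST, instance=token)
 else:
-token = Token()
+token = Token(user=request.user)
 form = TokenForm(request.POST)
 
 if form.is_valid():
 token = form.save(commit=False)
 token.user = request.user
 token.save()
 
-msg = "Modified token {}".format(token) if pk else "Created token {}".format(token)
+msg = f"Modified token {token}" if pk else f"Created token {token}"
 messages.success(request, msg)
 
 if '_addanother' in request.POST: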
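Review bot: With the `has_perm` checks removed from get and post, the only thing preventing one user from editing another user's token is the `Token.objects.filter(user=request.user)` queryset handed to `get_object_or_404`, plus the `token.user = request.user` re-binding before save; that invariant deserves a comment so a later refactor to a bare `Token.objects` lookup does not silently reopen it, e.g. `# Ownership check: restrict the lookup to the requesting user's own tokens.` above each get_object_or_404 call. The switch from `if pk is not None:` to `if pk:` also changes behaviour for a falsy pk — a request with pk=0 now falls through to the create branch instead of returning 404; harmless for auto-increment ids, but `is not None` was the more precise test. Dropping HttpResponseForbidden from the import line assumes no other view in this file still uses it, which cannot be confirmed from the hunk; the rest of post continues outside it.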
