Closes #16107: Set LOGIN_REQUIRED to True by default (#16122)

jeremystretch · web-flow · commit b8a8db09edc2 · 2024-05-14T07:53:19.000-04:00
* Closes #16107: Set LOGIN_REQUIRED to True by default * Update tests
diff --git a/docs/configuration/security.md b/docs/configuration/security.md
@@ -159,9 +159,12 @@ Note that enabling this setting causes NetBox to update a user's session in the
 
 ## LOGIN_REQUIRED
 
-Default: False
+Default: True
+
+When enabled, only authenticated users are permitted to access any part of NetBox. Disabling this will allow unauthenticated users to access most areas of NetBox (but not make any changes).
 
-Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox but not make any changes.
+!!! info "Changed in NetBox v4.0.2"
+    Prior to NetBox v4.0.2, this setting was disabled by default.
 
 ---
 
diff --git a/netbox/netbox/configuration_example.py b/netbox/netbox/configuration_example.py
@@ -157,9 +157,8 @@
 # authenticated to NetBox indefinitely.
 LOGIN_PERSISTENCE = False
 
-# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
-# are permitted to access most data in NetBox but not make any changes.
-LOGIN_REQUIRED = False
+# Setting this to False will permit unauthenticated users to access most areas of NetBox (but not make any changes).
+LOGIN_REQUIRED = True
 
 # The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
 # re-authenticate. (Default: 1209600 [14 days])
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
@@ -105,7 +105,7 @@
 LANGUAGE_COOKIE_PATH = CSRF_COOKIE_PATH
 LOGGING = getattr(configuration, 'LOGGING', {})
 LOGIN_PERSISTENCE = getattr(configuration, 'LOGIN_PERSISTENCE', False)
-LOGIN_REQUIRED = getattr(configuration, 'LOGIN_REQUIRED', False)
+LOGIN_REQUIRED = getattr(configuration, 'LOGIN_REQUIRED', True)
 LOGIN_TIMEOUT = getattr(configuration, 'LOGIN_TIMEOUT', None)
 LOGOUT_REDIRECT_URL = getattr(configuration, 'LOGOUT_REDIRECT_URL', 'home')
 MEDIA_ROOT = getattr(configuration, 'MEDIA_ROOT', os.path.join(BASE_DIR, 'media')).rstrip('/')
diff --git a/netbox/netbox/tests/test_plugins.py b/netbox/netbox/tests/test_plugins.py
@@ -42,6 +42,7 @@ def test_admin(self):
         url = reverse('admin:dummy_plugin_dummymodel_add')
         self.assertEqual(url, '/admin/dummy_plugin/dummymodel/add/')
 
+    @override_settings(LOGIN_REQUIRED=False)
     def test_views(self):
 
         # Test URL resolution
@@ -53,7 +54,7 @@ def test_views(self):
         response = client.get(url)
         self.assertEqual(response.status_code, 200)
 
-    @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+    @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
     def test_api_views(self):
 
         # Test URL resolution
@@ -65,6 +66,7 @@ def test_api_views(self):
         response = client.get(url)
         self.assertEqual(response.status_code, 200)
 
+    @override_settings(LOGIN_REQUIRED=False)
     def test_registered_views(self):
 
         # Test URL resolution
diff --git a/netbox/utilities/testing/api.py b/netbox/utilities/testing/api.py
@@ -73,7 +73,7 @@ class APIViewTestCases:
 
     class GetObjectViewTestCase(APITestCase):
 
-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
         def test_get_object_anonymous(self):
             """
             GET a single object as an unauthenticated user.
@@ -135,7 +135,7 @@ def test_options_object(self):
     class ListObjectsViewTestCase(APITestCase):
         brief_fields = []
 
-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
         def test_list_objects_anonymous(self):
             """
             GET a list of objects as an unauthenticated user.
diff --git a/netbox/utilities/testing/views.py b/netbox/utilities/testing/views.py
@@ -62,7 +62,7 @@ class GetObjectViewTestCase(ModelViewTestCase):
         """
         Retrieve a single instance.
         """
-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
         def test_get_object_anonymous(self):
             # Make the request as an unauthenticated user
             self.client.logout()
@@ -421,7 +421,7 @@ class ListObjectsViewTestCase(ModelViewTestCase):
         """
         Retrieve multiple instances.
         """
-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
         def test_list_objects_anonymous(self):
             # Make the request as an unauthenticated user
             self.client.logout()
