Skip to content

Fixes: #14634 - Bypass Write permissions for render endpoint #15251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 10 commits into from
Closed

Fixes: #14634 - Bypass Write permissions for render endpoint #15251

wants to merge 10 commits into from

Conversation

DanSheps
Copy link
Member

Fixes: #14634 - Bypass Write permissions for render endpoint

  • Bypass permission for render endpoint by swapping the permissions map and overriding the restrict() action.

@jeremystretch
Copy link
Member

@DanSheps are you still working on this?

@DanSheps
Copy link
Member Author

Yes, sorry, I will get back on it. Trying to find an elegant way to do this.

DanSheps
DanSheps commented Mar 21, 2024
View reviewed changes
netbox/extras/api/mixins.py Outdated
Comment on lines 69 to 71
def initial(self, request, *args, **kwargs):
self.original_queryset = self.queryset
super().initial(request, *args, **kwargs)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could alternatively modify:

class BaseViewSet(GenericViewSet):
    """
    Base class for all API ViewSets. This is responsible for the enforcement of object-based permissions.
    """
    def initial(self, request, *args, **kwargs):
        super().initial(request, *args, **kwargs)

        # Restrict the view's QuerySet to allow only the permitted objects
        if request.user.is_authenticated:
            if action := HTTP_ACTIONS[request.method]:
                self.queryset = self.queryset.restrict(request.user, action)

to account for permissions using:

self.get_permissions() and using the resulting perms_map to determine what permission should be applied.

This is a down the road thing IMO though.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll definitely need to identify a more maintainable solution. This will probably entail digging into DRF permissions logic a bit.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned above, I think we can figure out something by modifying the BaseViewSet and then adjusting the queryset based on that.

I will take a second crack at this on the weekend.

@DanSheps DanSheps requested a review from jeremystretch March 21, 2024 03:40
@DanSheps DanSheps marked this pull request as ready for review March 21, 2024 03:41
@DanSheps DanSheps self-assigned this Mar 21, 2024
@github-actions GitHub Actions
Copy link
Contributor

This PR has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further action is taken.

@github-actions github-actions bot added the pending closure Requires immediate attention to avoid being closed for inactivity label May 21, 2024
@DanSheps DanSheps removed the pending closure Requires immediate attention to avoid being closed for inactivity label May 21, 2024
@DanSheps
Copy link
Member Author

Need to get back to this.

@jeremystretch jeremystretch removed their request for review May 29, 2024 14:28
@DanSheps DanSheps requested a review from jeremystretch June 5, 2024 15:05
jeremystretch
jeremystretch requested changes Jun 10, 2024
View reviewed changes
Copy link
Member

@jeremystretch jeremystretch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @DanSheps!

@DanSheps DanSheps requested a review from jeremystretch June 13, 2024 03:08
jeremystretch
jeremystretch reviewed Jun 17, 2024
View reviewed changes
Copy link
Member

@jeremystretch jeremystretch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DanSheps can you address the CI failures please?

@DanSheps
Copy link
Member Author

@DanSheps can you address the CI failures please?

I had to make some changes, mainly going back to overriding the permissions map as I couldn't cleanly reslolve certain issues without overriding a number of methods to return view-only permissions.

Reason being is DJango checks to make sure the method has permissions before proceeding to check the more specific permissions and before hitting inital() within the ViewSet.

I found myself overriding get_required_permissions as well as a few others just to get where I needed to be and it wouldn't be what I would deem "clean". (FWIW, I tried to alter the perms_map in __init__(), but it looks like unless it is a local variable to that specific class any changes to it within __init__() trickles down to the parent class as well)

@DanSheps DanSheps requested a review from jeremystretch June 17, 2024 16:01
jeremystretch
jeremystretch reviewed Jun 18, 2024
View reviewed changes
netbox/netbox/api/authentication.py
Overrides permission map to return only view permissions as required
"""
# Override the stock perm_map to enforce view permissions
perms_map = {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This approach isn't sufficient as it doesn't permit the use of a write-disabled API token. We need to override has_permission() and has_object_permission() on the permission class.

@jeremystretch
Copy link
Member

Thanks for all your work on this @DanSheps; sorry it turned out to be more trouble than it's worth. I'm going to close this PR as #14634 has been superseded by #16681 per our discussion yesterday. Thanks again!

@DanSheps
Copy link
Member Author

Thanks for all your work on this @DanSheps; sorry it turned out to be more trouble than it's worth. I'm going to close this PR as #14634 has been superseded by #16681 per our discussion yesterday. Thanks again!

It was a fun learning exercise with the Django permissions framework so it isn't all bad.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 22, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jeremystretch jeremystretch jeremystretch requested changes

Assignees

@DanSheps DanSheps

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

API access to render-config needs add permissions and write enable for the api token
2 participants
@DanSheps @jeremystretch