
Fixes #10719: Prevent user without sufficient permission from creating an IP address via FHRP group creation

jeremystretch 3 years ago
parent
commit
7b3ef2ade5
3 changed files with 9 additions and 1 deletion
  1. +1 -0 docs/release-notes/version-3.3.md
  2. +2 -1 netbox/ipam/forms/models.py
  3. +6 -0 netbox/ipam/views.py

+ 1 - 0
docs/release-notes/version-3.3.md

@@ -21,6 +21,7 @@
 * [#10655](https://github.com/netbox-community/netbox/issues/10655) - Correct display of assigned contacts in object tables
 * [#10712](https://github.com/netbox-community/netbox/issues/10712) - Fix ModuleNotFoundError exception when generating API schema under Python 3.9+
 * [#10716](https://github.com/netbox-community/netbox/issues/10716) - Add left/right page plugin content embeds for tag view
+* [#10719](https://github.com/netbox-community/netbox/issues/10719) - Prevent user without sufficient permission from creating an IP address via FHRP group creation
 * [#10723](https://github.com/netbox-community/netbox/issues/10723) - Distinguish between inside/outside NAT assignments for device/VM primary IPs
 * [#10745](https://github.com/netbox-community/netbox/issues/10745) - Correct display of status field in clusters list
 * [#10746](https://github.com/netbox-community/netbox/issues/10746) - Add missing status attribute to cluster view

+ 2 - 1
netbox/ipam/forms/models.py

@@ -552,6 +552,7 @@ class FHRPGroupForm(NetBoxModelForm):
 
     def save(self, *args, **kwargs):
         instance = super().save(*args, **kwargs)
+        user = getattr(instance, '_user', None)  # Set under FHRPGroupEditView.alter_object()
 
         # Check if we need to create a new IPAddress for the group
         if self.cleaned_data.get('ip_address'):
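Review bot: the `getattr(instance, '_user', None)` fallback silently turns a missing `_user` into `None`, which is then handed straight to `IPAddress.objects.restrict(user, 'add')` further down in `save()`. The only place that sets the attribute is `FHRPGroupEditView.alter_object()`, so any other code path that saves this form (a different view, a script, a test) runs the permission check with no user at all. Consider failing closed before the IPAddress is created, e.g. `if user is None: raise PermissionsViolation()`, or passing the user to the form explicitly instead of relying on a private attribute on the instance.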
@@ -565,7 +566,7 @@ class FHRPGroupForm(NetBoxModelForm):
             ipaddress.save()
 
             # Check that the new IPAddress conforms with any assigned object-level permissions
-            if not IPAddress.objects.filter(pk=ipaddress.pk).first():
+            if not IPAddress.objects.restrict(user, 'add').filter(pk=ipaddress.pk).first():
                 raise PermissionsViolation()
 
         return instance
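Review bot: the restriction check still runs after `ipaddress.save()`, so by the time `PermissionsViolation()` is raised the new IPAddress row has already been written; this is only safe if the caller wraps the form save in a transaction and rolls it back on the exception, and nothing in this hunk records that requirement. A one-line comment above `ipaddress.save()` stating that the surrounding view must run this inside an atomic block would make the assumption explicit. It is also worth confirming what `restrict(user, 'add')` returns when `user` is `None` (the `getattr` default set at the top of `save()`), so that an unset user cannot satisfy the filter.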

+ 6 - 0
netbox/ipam/views.py

@@ -930,6 +930,12 @@ class FHRPGroupEditView(generic.ObjectEditView):
 
         return return_url
 
+    def alter_object(self, obj, request, url_args, url_kwargs):
+        # Workaround to solve #10719. Capture the current user on the FHRPGroup instance so that
+        # we can evaluate permissions during the creation of a new IPAddress within the form.
+        obj._user = request.user
+        return obj
+
 
 class FHRPGroupDeleteView(generic.ObjectDeleteView):
     queryset = FHRPGroup.objects.all()
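Review bot: `alter_object()` stashes the request user on the model instance as `obj._user`, and the comment itself calls this a workaround; the coupling is invisible to anyone reading `FHRPGroupForm` or to any other caller that instantiates the form. A short docstring naming the consumer (`FHRPGroupForm.save()`) and the reason (object-level permission evaluation for the IPAddress created there) would help, and a follow-up that passes the user into the form explicitly (for example as a constructor keyword argument) would remove the need for the private attribute altogether.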