Fixes #20929: Require render_config permission for UI config rendering #20975
+70
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Modified `ObjectRenderConfigView.has_permission()` to require both view and render_config permissions - Added `remove_permissions()` test helper to remove permissions from existing ObjectPermission objects - Added regression tests for Device and VirtualMachine render-config permission enforcement The `render_config` permission action was introduced in #16681 for API endpoints. This extends PR_7604_description to the UI render-config tabs, preventing users from viewing rendered configurations without explicit permission.
jnovinger
requested review from
a team and
jeremystretch
and removed request for
a team
jeremystretch
requested changes
Dec 15, 2025
Comment on lines
+2343
to
+2344
| @tag('regression') # #20929 | ||
| def test_device_renderconfig_permission(self): |
Member
There was a problem hiding this comment.
Could we make this a standard view test?
Suggested change
| @tag('regression') # #20929 | |
| def test_device_renderconfig_permission(self): | |
| def test_device_renderconfig(self): |
Comment on lines
+330
to
+331
| @tag('regression') # #20929 | ||
| def test_virtualmachine_renderconfig_permission(self): |
| actions__contains=[action], object_types=object_type, users=self.user | ||
| ) | ||
| for obj_perm in obj_perms: | ||
| obj_perm.users.remove(self.user) |
Member
There was a problem hiding this comment.
add_permissions() creates a new ObjectPermission instance for each permission passed, so it might be prudent to simply delete the instance here instead of removing the assigned user. (This approach could also create a name conflict if calling add_permissions() after remove_permissions() for the same model & action.)
| if super().has_permission(): # enforce base required permission | ||
| perm = get_permission_for_model(self.queryset.model, 'render_config') | ||
| if self.request.user.has_perm(perm): | ||
| self.queryset = self.queryset.restrict(self.request.user, 'render_config') |
Member
There was a problem hiding this comment.
I'd prefer to avoid altering the queryset directly here if we can. Instead, how about just adding the necessary permission by name to additional_permissions under each view?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #20929
ObjectRenderConfigView.has_permission()to require both view and render_config permissionsremove_permissions()test helper to remove permissions from existing ObjectPermission objectsThe
render_configpermission action was introduced in #16681 for API endpoints. This extends PR_7604_description to the UI render-config tabs, preventing users from viewing rendered configurations without explicit permission.