
Commit a9ada44

authored
Fixes: #19669 & #18396 - Allow Token Authentication against Media view (#20046)
1 parent 9f605a2 commit a9ada44

2 files changed

+17
-2
lines changed


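--- a/netbox/netbox/views/misc.py
+++ b/netbox/netbox/views/misc.py
@@ -20,7 +20,7 @@
 from netbox.tables import SearchTable
 from utilities.htmx import htmx_partial
 from utilities.paginator import EnhancedPaginator, get_paginate_count
-from utilities.views import ConditionalLoginRequiredMixin
+from utilities.views import ConditionalLoginRequiredMixin, TokenConditionalLoginRequiredMixin
 
 __all__ = (
 'HomeView',
@@ -119,7 +119,7 @@ def get(self, request):
 })
 
 
-class MediaView(ConditionalLoginRequiredMixin, View):
+class MediaView(TokenConditionalLoginRequiredMixin, View):
 """
 Wrap Django's serve() view to enforce LOGIN_REQUIRED for static media.
 """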
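Review bot: The `MediaView` docstring still describes only `LOGIN_REQUIRED` enforcement, although with `TokenConditionalLoginRequiredMixin` as its base the view now also accepts API token credentials on a non-API route. I would update it to something like `Wrap Django's serve() view to enforce LOGIN_REQUIRED for static media, accepting either a session or an API token.` so the wider authentication surface is visible to the next reader. The class body continues outside the hunk.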

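--- a/netbox/utilities/views.py
+++ b/netbox/utilities/views.py
@@ -7,6 +7,7 @@
 from django.urls.exceptions import NoReverseMatch
 from django.utils.translation import gettext_lazy as _
 
+from netbox.api.authentication import TokenAuthentication
 from netbox.plugins import PluginConfig
 from netbox.registry import registry
 from utilities.relations import get_related_models
@@ -19,6 +20,7 @@
 'GetRelatedModelsMixin',
 'GetReturnURLMixin',
 'ObjectPermissionRequiredMixin',
+'TokenConditionalLoginRequiredMixin',
 'ViewTab',
 'get_viewname',
 'register_model_view',
@@ -39,6 +41,19 @@ def dispatch(self, request, *args, **kwargs):
 return super().dispatch(request, *args, **kwargs)
 
 
+class TokenConditionalLoginRequiredMixin(ConditionalLoginRequiredMixin):
+def dispatch(self, request, *args, **kwargs):
+# Attempt to authenticate the user using a DRF token, if provided
+if settings.LOGIN_REQUIRED and not request.user.is_authenticated:
+authenticator = TokenAuthentication()
+auth_info = authenticator.authenticate(request)
+if auth_info is not None:
+request.user = auth_info[0] # User object
+request.auth = auth_info[1]
++
+return super().dispatch(request, *args, **kwargs)
++
++
 class ContentTypePermissionRequiredMixin(ConditionalLoginRequiredMixin):
 """
 Similar to Django's built-in PermissionRequiredMixin, but extended to check model-level permission assignments.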
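Review bot: The call `authenticator.authenticate(request)` in the new `dispatch` is unguarded, and DRF-style token authenticators report a malformed, unknown or expired token by raising `rest_framework.exceptions.AuthenticationFailed` rather than returning `None`. Inside a plain Django view nothing translates that exception, so a bad `Authorization` header on the media route would likely surface as a 500 instead of a clean denial; NetBox's `TokenAuthentication` subclass is not visible here, so confirm it keeps that contract. Consider wrapping the call as `try: auth_info = authenticator.authenticate(request)` followed by `except AuthenticationFailed: return HttpResponseForbidden()`. The new mixin also has no docstring; one sentence stating that token authentication is attempted only when `LOGIN_REQUIRED` is set and the session user is anonymous would help. The commit touches no test file, so a test covering valid, invalid and absent tokens appears to be missing.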
