starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-04-27 11:17:27 +02:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Fix permission check, perform_create delegation, and test mock setup

Browse Source 
- destroy() now checks extras.delete_script (queryset is Script.objects.all())
- create() delegates to self.perform_create() instead of calling serializer.save() directly
- Add comment explaining why update/partial_update intentionally return 405
- Fix test_upload_script_module: set mock_storage.save.return_value so file_path
  receives a real string after the _save_upload return-value fix; add DB existence check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Arthur
2026-03-30 14:55:52 -07:00
parent 40f31205f2
commit c4077bf0eb
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
netbox/extras/api/views.py
View File

@@ -306,10 +306,13 @@ class ScriptViewSet(ModelViewSet):
context={'request': request}, context={'request': request},
) )
serializer.is_valid(raise_exception=True) serializer.is_valid(raise_exception=True)
serializer.save() self.perform_create(serializer)
return Response(serializer.data, status=status.HTTP_201_CREATED) return Response(serializer.data, status=status.HTTP_201_CREATED)
# PUT and PATCH are intentionally unsupported: ScriptSerializer has no writable fields
# and there is no implementation for replacing the underlying module file via these methods.
# They remain registered by ModelViewSet and return 405 rather than 404.
def update(self, request, *args, **kwargs): def update(self, request, *args, **kwargs):
raise MethodNotAllowed(request.method) raise MethodNotAllowed(request.method)
@@ -317,8 +320,8 @@ class ScriptViewSet(ModelViewSet):
raise MethodNotAllowed(request.method) raise MethodNotAllowed(request.method)
def destroy(self, request, *args, **kwargs): def destroy(self, request, *args, **kwargs):
if not request.user.has_perm('extras.delete_scriptmodule'): if not request.user.has_perm('extras.delete_script'):
raise PermissionDenied(_("This user does not have permission to delete script modules.")) raise PermissionDenied(_("This user does not have permission to delete scripts."))
return super().destroy(request, *args, **kwargs) return super().destroy(request, *args, **kwargs)
def _get_script(self, pk): def _get_script(self, pk):

2
netbox/extras/tests/test_api.py
View File

@@ -1411,6 +1411,7 @@ class ScriptUploadTest(APITestCase):
script_content = b"from extras.scripts import Script\nclass TestScript(Script):\n pass\n" script_content = b"from extras.scripts import Script\nclass TestScript(Script):\n pass\n"
upload_file = SimpleUploadedFile('test_upload.py', script_content, content_type='text/plain') upload_file = SimpleUploadedFile('test_upload.py', script_content, content_type='text/plain')
mock_storage = MagicMock() mock_storage = MagicMock()
mock_storage.save.return_value = 'test_upload.py'
with patch('extras.api.serializers_.scripts.storages') as mock_storages: with patch('extras.api.serializers_.scripts.storages') as mock_storages:
mock_storages.create_storage.return_value = mock_storage mock_storages.create_storage.return_value = mock_storage
mock_storages.backends = {'scripts': {}} mock_storages.backends = {'scripts': {}}
@@ -1423,6 +1424,7 @@ class ScriptUploadTest(APITestCase):
self.assertHttpStatus(response, status.HTTP_201_CREATED) self.assertHttpStatus(response, status.HTTP_201_CREATED)
self.assertEqual(response.data['file_path'], 'test_upload.py') self.assertEqual(response.data['file_path'], 'test_upload.py')
mock_storage.save.assert_called_once() mock_storage.save.assert_called_once()
self.assertTrue(ScriptModule.objects.filter(file_path='test_upload.py').exists())
def test_upload_script_module_without_file_fails(self): def test_upload_script_module_without_file_fails(self):
self.add_permissions('extras.add_scriptmodule', 'core.add_managedfile') self.add_permissions('extras.add_scriptmodule', 'core.add_managedfile')