Standard Create, Update, and Delete permissions for the Token model #2479
Labels: status: accepted (This issue has been accepted for implementation); type: feature (Introduction of new functionality to the application)
Environment
Proposed Functionality
Currently, there are no Django permission controls on the user Token model. The Token model represents the API tokens users present when interacting with the API. This means users are free to create their own tokens at any time.
The proposal is to add the standard Django create, update, and delete permissions to this model.
It should be made clear that this has nothing to do with API access. If a user has a valid token assigned to them (whether created by themselves in the past or by an administrator at any point), they may still access the API with that token. This feature is strictly about token CRUD permissions.
Use Case
In certain deployments, administrators may wish to prevent users who should only be using the web UI from creating API tokens. Although the API enforces the same permissions as the web UI, an administrator may still have reason to limit API token creation for some users.
It is important to note that this does not preclude any user from having a valid token assigned to them, even if they cannot create one themselves. Administrators will still be able to create and assign user tokens in the admin portal, the same as they can today.
Database Changes
Remove this from the Token model:
This will trigger a DB migration that adds the standard Django create, update, and delete permissions for the model.
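As an added illustration (not code from this issue or from NetBox), the following constructed Python mirrors how Django derives a model's builtin permission codenames from `Meta.default_permissions`, and shows that the resulting `users.add_token` check is independent of authenticating an API request with a token an administrator already assigned. The app label `users`, the usernames and the token key are assumptions.

```python
"""Constructed model of the proposal's effect (added example, not NetBox code).

Django builds a model's builtin permission codenames as "<action>_<model_name>"
from Meta.default_permissions and checks them as "<app_label>.<codename>".
With default_permissions = [] no codenames exist, so token creation cannot be
gated; with the standard set, "users.add_token" can be required.
"""
from dataclasses import dataclass, field

APP_LABEL = "users"      # assumed app label of the Token model
MODEL_NAME = "token"
STANDARD_DEFAULTS = ("add", "change", "delete")  # the classic Django default set


def builtin_perms(default_permissions, app_label=APP_LABEL, model_name=MODEL_NAME):
    """Permission strings a migration would create for the given Meta.default_permissions."""
    return {f"{app_label}.{action}_{model_name}" for action in default_permissions}


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)
    is_superuser: bool = False

    def has_perm(self, perm):
        # Mirrors Django: superusers implicitly hold every permission.
        return self.is_superuser or perm in self.perms


@dataclass
class Token:
    key: str
    user: User


def authenticate_api_request(auth_header, tokens):
    """API access depends only on presenting a valid token, not on any CRUD permission."""
    if not auth_header.startswith("Token "):
        return None
    token = tokens.get(auth_header[len("Token "):])
    return token.user if token else None


def may_create_token(user):
    """The new gate the proposal introduces for self-service token creation."""
    return user.has_perm(f"{APP_LABEL}.add_{MODEL_NAME}")


# Constructed data: a web-UI-only user holding a token an administrator assigned.
alice = User("alice")
admin = User("admin", is_superuser=True)
TOKENS = {"c0ffee" + "0" * 34: Token("c0ffee" + "0" * 34, alice)}
```

Run against the constructed data, `alice` authenticates to the API with her existing token but `may_create_token(alice)` is false, while `admin` passes both checks.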
External Dependencies
None