## What's Changed

### Security

- #5450 - Updated `django` to `~3.2.25` due to `CVE-2024-27351`.
- #5465 - Added requirement for user authentication to access the endpoint `/extras/job-results/<uuid:pk>/log-table/`; furthermore, it will not allow an authenticated user to view log entries for a JobResult they don't otherwise have permission to view. (GHSA-m732-wvh2-7cq4)
- #5465 - Added narrower permissions enforcement on the endpoints `/extras/git-repositories/<str:slug>/sync/` and `/extras/git-repositories/<str:slug>/dry-run/`; a user who has `change` permissions for a subset of Git repositories is no longer permitted to sync or dry-run other repositories for which they lack the appropriate permissions. (GHSA-m732-wvh2-7cq4)
- #5465 - Added narrower permissions enforcement on the `/api/dcim/connected-device/?peer_device=...&peer_interface=...` REST API endpoint; a user who has `view` permissions for a subset of interfaces is no longer permitted to query other interfaces for which they lack permissions. (GHSA-m732-wvh2-7cq4)
- #5465 - Added narrower permissions enforcement on all `<app>/<model>/<lookup>/notes/` UI endpoints; a user must now have the appropriate `extras.view_note` permissions to view existing notes. (GHSA-m732-wvh2-7cq4)
- #5465 - Added requirement for user authentication to access the REST API endpoints `/api/redoc/`, `/api/swagger/`, `/api/swagger.json`, and `/api/swagger.yaml`. (GHSA-m732-wvh2-7cq4)
- #5465 - Added requirement for user authentication to access the `/api/graphql` REST API endpoint, even when `EXEMPT_VIEW_PERMISSIONS` is configured. (GHSA-m732-wvh2-7cq4)
- #5465 - Added requirement for user authentication to access the endpoints `/dcim/racks/<uuid>/dynamic-groups/`, `/dcim/devices/<uuid>/dynamic-groups/`, `/ipam/prefixes/<uuid>/dynamic-groups/`, `/ipam/ip-addresses/<uuid>/dynamic-groups/`, `/virtualization/clusters/<uuid>/dynamic-groups/`, and `/virtualization/virtual-machines/<uuid>/dynamic-groups/`, even when `EXEMPT_VIEW_PERMISSIONS` is configured. (GHSA-m732-wvh2-7cq4)
- #5465 - Added requirement for user authentication to access the endpoint `/extras/secrets/provider/<str:provider_slug>/form/`. (GHSA-m732-wvh2-7cq4)
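The Git-repository sync item above (and the App-documentation item later in these notes recommending `ObjectPermissionRequiredMixin`) comes down to one pattern: a model-level permission check alone is not enough when permissions carry object constraints. The following is an added, self-contained Python illustration of that pattern and is not Nautobot's code; it models constrained object permissions in plain dataclasses (the `owner_team` field, the sample repositories and users are all constructed for the example) and shows the "before" view, which fetches any repository once the user holds a `change` permission, beside the "after" view, which fetches only from the queryset restricted to the user's constraints.

```python
"""Model-level vs object-level permission enforcement (illustrative, not Nautobot's code)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stands in for an HTTP 403 response."""


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


@dataclass(frozen=True)
class GitRepository:
    slug: str
    owner_team: str  # hypothetical field used as a permission constraint key


@dataclass
class ObjectPermission:
    actions: frozenset  # e.g. {"view", "change"}
    constraint: dict = field(default_factory=dict)  # {} grants every object


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    permissions: tuple = ()


def _matches(obj, constraint):
    return all(getattr(obj, attr) == value for attr, value in constraint.items())


def has_model_perm(user, action):
    """Model-level check: any permission granting the action, constraints ignored."""
    return user.is_authenticated and any(action in p.actions for p in user.permissions)


def restrict(objects, user, action):
    """Object-level check, modelled on a restricted queryset: keep only the
    objects matched by at least one permission that grants the action."""
    if not user.is_authenticated:
        return []
    return [
        obj
        for obj in objects
        if any(action in p.actions and _matches(obj, p.constraint) for p in user.permissions)
    ]


def sync_view_before(user, repos, slug):
    """Vulnerable shape: model-level check, then an unrestricted lookup by slug."""
    if not has_model_perm(user, "change"):
        raise PermissionDenied(slug)
    repo = next((r for r in repos if r.slug == slug), None)
    if repo is None:
        raise NotFound(slug)
    return f"synced {repo.slug}"


def sync_view_after(user, repos, slug):
    """Hardened shape: login required, model-level check, then a lookup that only
    sees objects the user's constraints permit; out-of-scope slugs look like 404s."""
    if not user.is_authenticated:
        raise PermissionDenied("login required")
    if not has_model_perm(user, "change"):
        raise PermissionDenied(slug)
    repo = next((r for r in restrict(repos, user, "change") if r.slug == slug), None)
    if repo is None:
        raise NotFound(slug)
    return f"synced {repo.slug}"


# Constructed sample data: two repositories owned by different teams.
REPOS = (
    GitRepository(slug="netops-configs", owner_team="netops"),
    GitRepository(slug="secops-jobs", owner_team="secops"),
)
# alice holds change permission constrained to her own team's repositories.
ALICE = User(
    "alice",
    permissions=(ObjectPermission(frozenset({"view", "change"}), {"owner_team": "netops"}),),
)
ANON = User("anon", is_authenticated=False)


def demo():
    """Run alice against both view shapes; returns {(view, slug): outcome}."""
    results = {}
    for name, view in (("before", sync_view_before), ("after", sync_view_after)):
        for slug in ("netops-configs", "secops-jobs"):
            try:
                results[(name, slug)] = view(ALICE, REPOS, slug)
            except (PermissionDenied, NotFound) as exc:
                results[(name, slug)] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Running it shows the "before" view happily syncing `secops-jobs` for alice because she holds *a* `change` permission, while the "after" view answers `NotFound` for the same request; only `netops-configs` succeeds in both. Returning 404 rather than 403 for out-of-scope objects is deliberate: it avoids confirming that a repository with that slug exists.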
### Added

- #5465 - Added `nautobot.apps.utils.get_url_for_url_pattern` and `nautobot.apps.utils.get_url_patterns` lookup functions.
- #5465 - Added `nautobot.apps.views.GenericView` base class.

### Changed

- #5465 - Added support for `view_name` and `view_description` optional parameters when instantiating a `nautobot.apps.api.OrderedDefaultRouter`. Specifying these parameters is to be preferred over defining a custom `APIRootView` subclass when defining App API URLs.
- #5465 - Added requirement for user authentication by default on the `nautobot.core.api.AuthenticatedAPIRootView` class. As a consequence, viewing the browsable REST API root endpoints (e.g. `/api/`, `/api/circuits/`, `/api/dcim/`, etc.) now requires user authentication.
- #5465 - Added requirement for user authentication to access `/api/docs/` and `/graphql/` even when `HIDE_RESTRICTED_UI` is False.

### Fixed

- #5465 - Fixed a 500 error when accessing any of the `/dcim/<port-type>/<uuid>/connect/<termination_b_type>/` view endpoints with an invalid/nonexistent `termination_b_type` string.

### Documentation

- #5465 - Updated example views in the App developer documentation to include `ObjectPermissionRequiredMixin` or `LoginRequiredMixin` as appropriate best practices.

### Housekeeping

- #5465 - Updated custom views in the `example_plugin` to use the new `GenericView` base class as a best practice.

**Full Changelog**: v1.6.15...v1.6.16