Would it be better if I create a feature request issue for this or should I also add a pull request with proposed code?
-
I discovered this issue recently too and would like to encourage some method of making the render endpoint available to read-only tokens. I had a look and couldn't see any Feature Request that appeared to match this. Is there anything I can do to assist? I imagine the only reason it is a POST request is because of the "General Purpose Use" information here, which allows submitting variables for use in the template: I apologise that I'm not familiar with the available functionality, and acknowledge that this may be a silly suggestion, but is it possible to have the endpoint respond to GET and POST requests, with the GET request obviously not accepting additional variables but is accessible with a read-only token?
-
Hello everyone,
while testing stuff for our network automation suite I discovered that the API-endpoint "/api/dcim/device//render-config/" is only working with a write-enabled API-token. Due to the nature of our automation I'd like the token to be read-only. I dug into the code and found that NetBox considers POST an unsafe method and therefore it cannot be used with an API-token that is read-only. By looking at the code that is specific to the "render-config" endpoint I saw that nothing is actually written anywhere, so a read-only token should have the permission to access this endpoint.
I want to extend the token permission system in a way that even endpoints that require POST methods can be accessed by read-only tokens if the endpoint is not actually writing stuff. This decision should be done while implementing the endpoint, it should be hard coded and shouldn't be editable by the user.
I thought about extending the `has_permission()` function of the `TokenPermissions` class in `netbox/netbox/api/authentication.py`. You could check for the action attribute in the view object, that is passed to this function, but there would need to be a callback somewhere else or an additional attribute in the view object, as the actual permission needed should be set with the actual view and not in the `authentication.py`.
I haven't made any larger plans on this, as we encountered this just today. I'd like to hear some opinions on this before opening a feature request and a PR.
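A sketch of the check proposed in the post above, added here as an example; it is not NetBox code and not the poster's. The classes are stand-ins so the block runs without Django, and the `read_only_safe_actions` attribute name is hypothetical. It assumes this gate only replaces the token write-flag test and that object-level view permissions are still enforced separately.

```python
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # methods treated as non-writing


@dataclass
class Token:  # stand-in for an API token with a write flag
    write_enabled: bool


@dataclass
class Request:  # stand-in for the framework request object
    method: str
    auth: Token


class DeviceView:  # stand-in view; the attribute name is hypothetical
    # Declared in code by the endpoint author, never read from user-editable config.
    read_only_safe_actions = frozenset({"render_config"})

    def __init__(self, action):
        self.action = action


class PlainView:  # a view that declares nothing keeps the default behaviour
    def __init__(self, action):
        self.action = action


def token_allows(request, view):
    """Return True if the token's write flag permits this request."""
    if request.method in SAFE_METHODS or request.auth.write_enabled:
        return True
    # Unsafe method with a read-only token: fail closed unless the view class
    # itself declares the current action as non-writing. The lookup goes through
    # type(view) so a value set on one instance cannot widen the allowlist.
    declared = getattr(type(view), "read_only_safe_actions", frozenset())
    return getattr(view, "action", None) in declared


def decisions():
    """Constructed sample requests and the decision for each."""
    ro, rw = Token(write_enabled=False), Token(write_enabled=True)
    return {
        "ro POST render_config": token_allows(Request("POST", ro), DeviceView("render_config")),
        "ro POST create": token_allows(Request("POST", ro), DeviceView("create")),
        "ro POST undeclared view": token_allows(Request("POST", ro), PlainView("render_config")),
        "rw POST create": token_allows(Request("POST", rw), DeviceView("create")),
        "ro GET list": token_allows(Request("GET", ro), PlainView("list")),
    }
```

Any action added to such an allowlist needs a review that it really performs no writes, since the list bypasses the token's read-only flag for that action.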