v2.1.9 - 2024-03-25 #5478
gsnider2195 started this conversation in General
What's Changed
Security
django to ~3.2.25 due to CVE-2024-27351.
/extras/job-results/<uuid:pk>/log-table/; furthermore it will not allow an authenticated user to view log entries for a JobResult they don't otherwise have permission to view. (GHSA-m732-wvh2-7cq4)
/extras/git-repositories/<uuid:pk>/sync/ and /extras/git-repositories/<uuid:pk>/dry-run/; a user who has change permissions for a subset of Git repositories is no longer permitted to sync or dry-run other repositories for which they lack the appropriate permissions. (GHSA-m732-wvh2-7cq4)
/api/dcim/connected-device/?peer_device=...&?peer_interface=... REST API endpoint; a user who has view permissions for a subset of interfaces is no longer permitted to query other interfaces for which they lack permissions. (GHSA-m732-wvh2-7cq4)
<app>/<model>/<uuid>/notes/ UI endpoints; a user must now have the appropriate extras.view_note permissions to view existing notes. (GHSA-m732-wvh2-7cq4)
/api/redoc/, /api/swagger/, /api/swagger.json, and /api/swagger.yaml. (GHSA-m732-wvh2-7cq4)
/api/graphql REST API endpoint, even when EXEMPT_VIEW_PERMISSIONS is configured. (GHSA-m732-wvh2-7cq4)
/dcim/racks/<uuid>/dynamic-groups/, /dcim/devices/<uuid>/dynamic-groups/, /ipam/prefixes/<uuid>/dynamic-groups/, /ipam/ip-addresses/<uuid>/dynamic-groups/, /virtualization/clusters/<uuid>/dynamic-groups/, and /virtualization/virtual-machines/<uuid>/dynamic-groups/, even when EXEMPT_VIEW_PERMISSIONS is configured. (GHSA-m732-wvh2-7cq4)
/extras/secrets/provider/<str:provider_slug>/form/. (GHSA-m732-wvh2-7cq4)
Added
nautobot.apps.utils.get_url_for_url_pattern and nautobot.apps.utils.get_url_patterns lookup functions.
nautobot.apps.views.GenericView base class.
Changed
view_name and view_description optional parameters when instantiating a nautobot.apps.api.OrderedDefaultRouter. Specifying these parameters is to be preferred over defining a custom APIRootView subclass when defining App API URLs.
nautobot.apps.api.APIRootView class. As a consequence, viewing the browsable REST API root endpoints (e.g. /api/, /api/circuits/, /api/dcim/, etc.) now requires user authentication.
Removed
/api/users/users/my-profile/, /api/users/users/session/, /api/users/tokens/authenticate/, and /api/users/tokens/logout/ as they are unused at this time.
Fixed
/graphql.
/admin.
/api/.
/dcim/<port-type>/<uuid>/connect/<termination_b_type>/ view endpoints with an invalid/nonexistent termination_b_type string.
Dependencies
coverage as a nautobot dependency instead of a development dependency.
Documentation
ObjectPermissionRequiredMixin or LoginRequiredMixin as appropriate best practices.
Housekeeping
OrderedDict instance in nautobot/core/api/routers.py#21 with a plain dict instance.
OrderedDict instance in nautobot/dcim/models/racks.py#275 with a plain dict instance.
--pattern argument to invoke unittest.
--parallel-workers argument to invoke unittest.
example_plugin to use the new GenericView base class as a best practice.
Full Changelog: v2.1.8...v2.1.9
This discussion was created from the release v2.1.9 - 2024-03-25.