v1.6.16 - 2024-03-25 #5482
gsnider2195 started this conversation in General
What's Changed

Security
django to ~3.2.25 due to CVE-2024-27351.
/extras/job-results/<uuid:pk>/log-table/; furthermore it will not allow an authenticated user to view log entries for a JobResult they don't otherwise have permission to view. (GHSA-m732-wvh2-7cq4)
/extras/git-repositories/<str:slug>/sync/ and /extras/git-repositories/<str:slug>/dry-run/; a user who has change permissions for a subset of Git repositories is no longer permitted to sync or dry-run other repositories for which they lack the appropriate permissions. (GHSA-m732-wvh2-7cq4)
/api/dcim/connected-device/?peer_device=...&?peer_interface=... REST API endpoint; a user who has view permissions for a subset of interfaces is no longer permitted to query other interfaces for which they lack permissions. (GHSA-m732-wvh2-7cq4)
<app>/<model>/<lookup>/notes/ UI endpoints; a user must now have the appropriate extras.view_note permissions to view existing notes. (GHSA-m732-wvh2-7cq4)
/api/redoc/, /api/swagger/, /api/swagger.json, and /api/swagger.yaml. (GHSA-m732-wvh2-7cq4)
/api/graphql REST API endpoint, even when EXEMPT_VIEW_PERMISSIONS is configured. (GHSA-m732-wvh2-7cq4)
/dcim/racks/<uuid>/dynamic-groups/, /dcim/devices/<uuid>/dynamic-groups/, /ipam/prefixes/<uuid>/dynamic-groups/, /ipam/ip-addresses/<uuid>/dynamic-groups/, /virtualization/clusters/<uuid>/dynamic-groups/, and /virtualization/virtual-machines/<uuid>/dynamic-groups/, even when EXEMPT_VIEW_PERMISSIONS is configured. (GHSA-m732-wvh2-7cq4)
/extras/secrets/provider/<str:provider_slug>/form/. (GHSA-m732-wvh2-7cq4)

Added
nautobot.apps.utils.get_url_for_url_pattern and nautobot.apps.utils.get_url_patterns lookup functions.
nautobot.apps.views.GenericView base class.

Changed
view_name and view_description optional parameters when instantiating a nautobot.apps.api.OrderedDefaultRouter. Specifying these parameters is to be preferred over defining a custom APIRootView subclass when defining App API URLs.
nautobot.core.api.AuthenticatedAPIRootView class. As a consequence, viewing the browsable REST API root endpoints (e.g. /api/, /api/circuits/, /api/dcim/, etc.) now requires user authentication.
/api/docs/ and /graphql/ even when HIDE_RESTRICTED_UI is False.

Fixed
/dcim/<port-type>/<uuid>/connect/<termination_b_type>/ view endpoints with an invalid/nonexistent termination_b_type string.

Documentation
ObjectPermissionRequiredMixin or LoginRequiredMixin as appropriate best practices.

Housekeeping
example_plugin to use the new GenericView base class as a best practice.

Full Changelog: v1.6.15...v1.6.16
This discussion was created from the release v1.6.16 - 2024-03-25.
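
The Changed section above states that the browsable REST API root endpoints (/api/, /api/circuits/, /api/dcim/) now require user authentication. The following post-upgrade check is an added example, not part of the release notes or of Nautobot's code: it sends anonymous requests to those roots on your own instance and reports any that still answer. The base URL argument and the status codes treated as "auth-required" are assumptions.

```python
import urllib.error
import urllib.request

# Root endpoints named in the release note above.
API_ROOTS = ["/api/", "/api/circuits/", "/api/dcim/"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location=""):
    """Map the response to an anonymous request onto a verdict.

    Assumption: API views answer anonymous requests with 401/403 and UI
    views redirect to a URL containing "login".
    """
    if status in (401, 403):
        return "auth-required"
    if status in (301, 302, 303, 307, 308) and "login" in (location or "").lower():
        return "auth-required"
    if 200 <= status < 300:
        return "EXPOSED"
    return "inconclusive"


def probe(base_url, path, timeout=5):
    """Send one GET with no credentials and return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location", "")


def audit(base_url, paths=API_ROOTS, fetch=probe):
    """Return {path: verdict}; `fetch` is injectable so the check runs offline."""
    return {p: classify(*fetch(base_url, p)) for p in paths}


if __name__ == "__main__":
    import sys
    for path, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:14} {path}")
```

Run it with the base URL of your instance as the only argument; any line marked EXPOSED means that root still answers without credentials.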