Closes #16107: Set `LOGIN_REQUIRED` to True by default (#16122)

* Closes #16107: Set LOGIN_REQUIRED to True by default * Update tests
2024-05-14 07:53:19 -04:00 · 2024-05-14 07:53:19 -04:00 · b8a8db09ed
parent b67eda403a
commit b8a8db09ed
6 changed files with 15 additions and 11 deletions
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
@ -159,9 +159,12 @@ Note that enabling this setting causes NetBox to update a user's session in the

 ## LOGIN_REQUIRED

-Default: False
+Default: True

-Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox but not make any changes.
+When enabled, only authenticated users are permitted to access any part of NetBox. Disabling this will allow unauthenticated users to access most areas of NetBox (but not make any changes).
+
+!!! info "Changed in NetBox v4.0.2"
+    Prior to NetBox v4.0.2, this setting was disabled by default.

 ---

--- a/netbox/netbox/configuration_example.py
+++ b/netbox/netbox/configuration_example.py
@ -157,9 +157,8 @@ LOGGING = {}
 # authenticated to NetBox indefinitely.
 LOGIN_PERSISTENCE = False

-# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
-# are permitted to access most data in NetBox but not make any changes.
-LOGIN_REQUIRED = False
+# Setting this to False will permit unauthenticated users to access most areas of NetBox (but not make any changes).
+LOGIN_REQUIRED = True

 # The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
 # re-authenticate. (Default: 1209600 [14 days])
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@ -105,7 +105,7 @@ LANGUAGE_CODE = getattr(configuration, 'DEFAULT_LANGUAGE', 'en-us')
 LANGUAGE_COOKIE_PATH = CSRF_COOKIE_PATH
 LOGGING = getattr(configuration, 'LOGGING', {})
 LOGIN_PERSISTENCE = getattr(configuration, 'LOGIN_PERSISTENCE', False)
-LOGIN_REQUIRED = getattr(configuration, 'LOGIN_REQUIRED', False)
+LOGIN_REQUIRED = getattr(configuration, 'LOGIN_REQUIRED', True)
 LOGIN_TIMEOUT = getattr(configuration, 'LOGIN_TIMEOUT', None)
 LOGOUT_REDIRECT_URL = getattr(configuration, 'LOGOUT_REDIRECT_URL', 'home')
 MEDIA_ROOT = getattr(configuration, 'MEDIA_ROOT', os.path.join(BASE_DIR, 'media')).rstrip('/')
--- a/netbox/netbox/tests/test_plugins.py
+++ b/netbox/netbox/tests/test_plugins.py
@ -42,6 +42,7 @@ class PluginTest(TestCase):
        url = reverse('admin:dummy_plugin_dummymodel_add')
        self.assertEqual(url, '/admin/dummy_plugin/dummymodel/add/')

+    @override_settings(LOGIN_REQUIRED=False)
    def test_views(self):

        # Test URL resolution
@ -53,7 +54,7 @@ class PluginTest(TestCase):
        response = client.get(url)
        self.assertEqual(response.status_code, 200)

-    @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+    @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
    def test_api_views(self):

        # Test URL resolution
@ -65,6 +66,7 @@ class PluginTest(TestCase):
        response = client.get(url)
        self.assertEqual(response.status_code, 200)

+    @override_settings(LOGIN_REQUIRED=False)
    def test_registered_views(self):

        # Test URL resolution
--- a/netbox/utilities/testing/api.py
+++ b/netbox/utilities/testing/api.py
@ -73,7 +73,7 @@ class APIViewTestCases:

    class GetObjectViewTestCase(APITestCase):

-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
        def test_get_object_anonymous(self):
            """
            GET a single object as an unauthenticated user.
@ -135,7 +135,7 @@ class APIViewTestCases:
    class ListObjectsViewTestCase(APITestCase):
        brief_fields = []

-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
        def test_list_objects_anonymous(self):
            """
            GET a list of objects as an unauthenticated user.
--- a/netbox/utilities/testing/views.py
+++ b/netbox/utilities/testing/views.py
@ -62,7 +62,7 @@ class ViewTestCases:
        """
        Retrieve a single instance.
        """
-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
        def test_get_object_anonymous(self):
            # Make the request as an unauthenticated user
            self.client.logout()
@ -421,7 +421,7 @@ class ViewTestCases:
        """
        Retrieve multiple instances.
        """
-        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'])
+        @override_settings(EXEMPT_VIEW_PERMISSIONS=['*'], LOGIN_REQUIRED=False)
        def test_list_objects_anonymous(self):
            # Make the request as an unauthenticated user
            self.client.logout()