mirror of https://github.com/inventree/InvenTree.git synced 2026-07-05 06:32:55 +00:00

[API] Adjust permissions for machine restart (#12197)

* [API] Adjust permissions for machine restart

Can only be actioned by a staff user

* Fix import

* Wrong class

* Extend unit test

* Bump API version

* Update CHANGELOG
Oliver
2026-06-18 22:18:14 +10:00
committed by GitHub
parent 5b97acb79f
commit 29b8ed91d2
4 changed files with 22 additions and 5 deletions
@@ -1,11 +1,14 @@
"""InvenTree API version information."""
# InvenTree API version
INVENTREE_API_VERSION = 509
INVENTREE_API_VERSION = 510
"""Increment this API version number whenever there is a significant change to the API that any clients need to know about."""
INVENTREE_API_TEXT = """
v510 -> 2026-06-18 : https://github.com/inventree/InvenTree/pull/12197
- Require "staff" access permissions for the machine restart API endpoint
v509 -> 2026-06-17 : https://github.com/inventree/InvenTree/pull/12184
- Adds "completed_row_count_history" and "row_count_history" fields to the DataImportSession model, which store the historic count of completed rows and total rows for a data import session.
+5 -1
@@ -3,6 +3,7 @@
from django.urls import include, path, re_path
from drf_spectacular.utils import extend_schema
from rest_framework import permissions
from rest_framework.exceptions import NotFound
from rest_framework.response import Response
from rest_framework.views import APIView
@@ -142,7 +143,10 @@ class MachineRestart(APIView):
- POST: restart machine by pk
"""
permission_classes = [InvenTree.permissions.IsAuthenticatedOrReadScope]
permission_classes = [
permissions.IsAuthenticated,
InvenTree.permissions.IsStaffOrReadOnlyScope,
]
@extend_schema(
request=None, responses={200: MachineSerializers.MachineRestartSerializer()}
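Review bot: The new two-entry `permission_classes` list on `MachineRestart` has no comment explaining why both classes are needed, and the visible docstring still only says `- POST: restart machine by pk` without the staff requirement. DRF grants access only when every listed class passes, so the pair means authenticated and staff. Judging by its name alone, `IsStaffOrReadOnlyScope` presumably lets safe methods through for non-staff callers, so it is worth confirming that this view exposes no GET handler. I would add `# All classes must pass: authenticated AND staff` above the list and append `Restricted to staff users.` to the docstring. The class starts before this hunk and its handler continues past it, so this is based on the visible lines only.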
+12 -3
@@ -287,14 +287,23 @@ class MachineAPITest(TestMachineRegistryMixin, InvenTreeAPITestCase):
active=True,
)
restart_url = reverse('api-machine-restart', kwargs={'pk': machine.pk})
# Non-staff users must not be able to restart a machine
self.user.is_staff = False
self.user.save()
self.post(restart_url, expected_code=403)
# Restore staff access
self.user.is_staff = True
self.user.save()
# verify machine status before restart
response = self.get(reverse('api-machine-detail', kwargs={'pk': machine.pk}))
self.assertEqual(response.data['status_text'], '')
# restart the machine
response = self.post(
reverse('api-machine-restart', kwargs={'pk': machine.pk}), expected_code=200
)
self.post(restart_url, expected_code=200)
# verify machine status after restart
response = self.get(reverse('api-machine-detail', kwargs={'pk': machine.pk}))
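Review bot: The added negative check covers only a logged-in non-staff user, so the `permissions.IsAuthenticated` half of the new permission list is never exercised against `restart_url`. A request with no credentials should be covered too, ideally in its own test so the login state of this one is untouched: `self.client.logout()` followed by `self.post(restart_url, expected_code=401)`, where the status may need to be 403 depending on the configured authenticators. The existing `status_text == ''` assertion now runs after the denied POST and so also shows the rejected request did not restart the machine; a comment such as `# still unchanged after the rejected restart attempt` would protect that ordering. The inline restore to `is_staff = True` assumes the test user was staff beforehand, which the hunk does not show. The test method begins before this hunk and continues after it.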