fix: use reverse() for YAML export URL, add permission check, fix unauthenticated test

marcinpsk · marcinpsk · commit d8185040c42d · 2026-03-31T00:36:02.000+02:00
- Replace hardcoded YAML_URL with reverse() in setUpTestData
- Add view_interfacenamerule permission check to get() and post()
- Add self.client.logout() to test_yaml_export_unauthenticated_responds
  so it actually exercises unauthenticated access
diff --git a/netbox_interface_name_rules/tests/test_views.py b/netbox_interface_name_rules/tests/test_views.py
@@ -723,15 +723,20 @@ def test_csv_round_trip_creates_rule(self):
 class YAMLExportViewTest(ViewTestBase):
     """Tests for the YAML export view at GET/POST /rules/export/yaml/."""
 
-    YAML_URL = "/plugins/interface-name-rules/rules/export/yaml/"
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+        cls.YAML_URL = reverse("plugins:netbox_interface_name_rules:interfacenamerule_export_yaml")
 
     def test_yaml_export_unauthenticated_responds(self):
-        """Unauthenticated GET must not return a server error (4xx or 2xx is acceptable).
+        """Unauthenticated GET must not return a server error.
 
-        ViewTestBase does not log in by default — this exercises anonymous access.
-        ConditionalLoginRequiredMixin enforces auth only when LOGIN_REQUIRED=True;
-        in the test environment that setting may be False, so 200 is also valid.
+        setUp() logs in the superuser, so we explicitly logout first to exercise
+        anonymous access. ConditionalLoginRequiredMixin only enforces auth when
+        LOGIN_REQUIRED=True; in the test environment that setting may be False,
+        so 200 is also valid alongside a redirect.
         """
+        self.client.logout()
         response = self.client.get(self.YAML_URL)
         self.assertIn(response.status_code, [200, 301, 302])
 
diff --git a/netbox_interface_name_rules/views.py b/netbox_interface_name_rules/views.py
@@ -138,6 +138,8 @@ def _build_response(self, queryset):
 
     def get(self, request):
         """Export all rules as YAML."""
+        if not request.user.has_perm("netbox_interface_name_rules.view_interfacenamerule"):
+            raise PermissionDenied
         return self._build_response(InterfaceNameRule.objects.all())
 
     def post(self, request):
@@ -147,6 +149,8 @@ def post(self, request):
         post their PKs as repeated ``pk`` inputs.  Falls back to all rules when
         nothing is selected.
         """
+        if not request.user.has_perm("netbox_interface_name_rules.view_interfacenamerule"):
+            raise PermissionDenied
         pk_list = [int(v) for v in request.POST.getlist("pk") if v.isdigit()]
         if pk_list:
             queryset = InterfaceNameRule.objects.filter(pk__in=pk_list)
