Enforcing permissions with constraints in NetBox plugins #19518
Unanswered
markkuleinio asked this question in Help Wanted!
Replies: 0 comments
I have a plugin that gets a device ID as a view parameter. I have been using `PermissionRequiredMixin` and `permission_required = "dcim.view_device"` to ensure that the user has permission to view devices before running the view methods.

Now, I have also implemented constraints for the permissions so that the users can only access objects of their own tenants. It works great, NetBox GUI returns "does not exist" results when the user is trying to directly access devices that are not permitted, within the normal NetBox features.

My plugin view uses `device = Device.objects.get(id=device_id)` to get the device object based on the device ID submitted with the GET request, when preparing to do the plugin things with the device.

The problem now is that the permission constraints are not checked this way, so the user can access any device object by just changing the device ID in the plugin view URL.

What would be the correct way to enforce the permission constraints within the plugin code?

I understand that `PermissionRequiredMixin` is a Django feature, not from the NetBox codebase. Is there a similar class or something else that could be used to dynamically evaluate the user's permission to the retrieved object, taking the constraints into account?
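The gap described in the question, as an added example that is not part of the original post and not NetBox code: a model-level permission check followed by an unscoped lookup, next to a lookup made through a constraint-filtered set. `Device`, `User`, `restrict()` and the sample data are constructed stand-ins in plain Python; in NetBox itself, model querysets provide `restrict(user, action)` (for example `Device.objects.restrict(request.user, "view")`), which applies the user's permission constraints to the queryset.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:                      # stand-in for a device record
    id: int
    name: str
    tenant: str

@dataclass
class User:                        # stand-in for a user with object permissions
    name: str
    # permission -> list of constraint dicts (attribute -> required value).
    # Dicts are OR-ed, keys inside one dict are AND-ed; [] means unconstrained.
    permissions: dict = field(default_factory=dict)

class DoesNotExist(Exception):
    pass

# Constructed sample data: two tenants, one user limited to tenant-a.
DEVICES = [Device(1, "sw-a1", "tenant-a"), Device(2, "sw-b1", "tenant-b")]
ALICE = User("alice", {"dcim.view_device": [{"tenant": "tenant-a"}]})

def restrict(devices, user, perm):
    """Return only the objects the user's constraints for `perm` allow."""
    constraints = user.permissions.get(perm)
    if constraints is None:        # permission not granted at all
        return []
    if not constraints:            # granted without constraints
        return list(devices)
    return [d for d in devices
            if any(all(getattr(d, k) == v for k, v in c.items())
                   for c in constraints)]

def get(devices, device_id):
    for d in devices:
        if d.id == device_id:
            return d
    raise DoesNotExist(device_id)

def view_unscoped(user, device_id):
    # Pattern from the question: only the model-level permission is checked,
    # then the object is fetched from the full, unfiltered set.
    if "dcim.view_device" not in user.permissions:
        raise PermissionError("dcim.view_device")
    return get(DEVICES, device_id)

def view_scoped(user, device_id):
    # Lookup goes through the constraint-filtered set, so an object outside
    # the user's tenant is indistinguishable from a missing one.
    return get(restrict(DEVICES, user, "dcim.view_device"), device_id)
```
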