From fb12cdccba3374cadf13dd02ba169d31cd7fbc0d Mon Sep 17 00:00:00 2001
From: Martin Hauser <mhauser@netboxlabs.com>
Date: Tue, 23 Jun 2026 14:48:28 +0200
Subject: [PATCH] test(api): Grant related-object view permissions

Grant the API test user view permissions for related objects referenced
in write payloads, including devices, tags, and target custom object
types. This keeps API writes compatible with NetBox's
permission-filtered related-object resolution and prevents HTTP 400
failures in the tests.

Fixes #592
---
 netbox_custom_objects/tests/test_api.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/netbox_custom_objects/tests/test_api.py b/netbox_custom_objects/tests/test_api.py
index 5da69a5b..3eb5a467 100644
--- a/netbox_custom_objects/tests/test_api.py
+++ b/netbox_custom_objects/tests/test_api.py
@@ -6,7 +6,7 @@
 from django.test import TestCase, RequestFactory
 from django.urls import reverse
 
-from utilities.testing import create_test_user
+from utilities.testing import TestCase as NetBoxTestCase, create_test_user
 from rest_framework import status
 from rest_framework.test import APIClient
 
@@ -115,7 +115,7 @@ def test_delete_object_without_permission(self):
         self.assertHttpStatus(response, 403)
 
 
-class CustomObjectTest(CustomObjectsTestCase, CustomObjectAPITestCaseMixin, TestCase):
+class CustomObjectTest(CustomObjectsTestCase, CustomObjectAPITestCaseMixin, NetBoxTestCase):
     model = None  # Will be set in setUpTestData
     bulk_update_data = {
         'test_field': 'Updated test field',
@@ -388,6 +388,7 @@ def test_create_with_nested_serializers(self):
         obj_perm.save()
         obj_perm.users.add(self.user)
         obj_perm.object_types.add(ObjectType.objects.get_for_model(self.model))
+        self.add_permissions('dcim.view_device')
 
         devices = Device.objects.all()
 
@@ -418,6 +419,7 @@ def test_create_with_nested_serializers(self):
     def test_create_with_tags_persists_to_db(self):
         """Regression #371: tags submitted on POST must be saved to the DB, not just echoed."""
         self._add_permission('add', 'Create with tags perm')
+        self.add_permissions('extras.view_tag')
         tag = Tag.objects.get_or_create(name='api-create-tag', slug='api-create-tag')[0]
 
         data = {
@@ -437,6 +439,7 @@ def test_patch_with_tags_persists_to_db(self):
         """Regression #371: tags submitted on PATCH must be saved to the DB, not just echoed."""
         self._add_permission('view', 'View perm')
         self._add_permission('change', 'Patch with tags perm')
+        self.add_permissions('extras.view_tag')
         tag = Tag.objects.get_or_create(name='api-patch-tag', slug='api-patch-tag')[0]
 
         instance = self._get_queryset().first()
@@ -1592,6 +1595,7 @@ def _add_perm(self, action, model):
     def test_patch_updates_cross_cot_m2m_field(self):
         """#443 – PATCH with a list of target PKs must update the M2M field."""
         self._add_perm('change', self.model_source)
+        self._add_perm('view', self.model_target)
 
         # Confirm initial state.
         self.assertSetEqual(