nautobot 2.2.2__py3-none-any.whl → 2.2.4__py3-none-any.whl

nautobot/core/testing/views.py

@@ -15,11 +15,10 @@ from django.utils.http import urlencode
 from django.utils.text import slugify
 from tree_queries.models import TreeNode
 
-from nautobot.core import testing
 from nautobot.core.models.generics import PrimaryModel
 from nautobot.core.models.tree_queries import TreeModel
 from nautobot.core.templatetags import helpers
-from nautobot.core.testing import mixins
+from nautobot.core.testing import mixins, utils
 from nautobot.core.utils import lookup
 from nautobot.extras import choices as extras_choices, models as extras_models, querysets as extras_querysets
 from nautobot.extras.forms import CustomFieldModelFormMixin, RelationshipModelFormMixin
@@ -152,7 +151,7 @@ class ViewTestCases:
 
             # The "Change Log" tab should appear in the response since we have all exempt permissions
             if issubclass(self.model, extras_models.ChangeLoggedModel):
-                response_body = testing.extract_page_body(response.content.decode(response.charset))
+                response_body = utils.extract_page_body(response.content.decode(response.charset))
                 self.assertIn("Change Log", response_body, msg=response_body)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -160,7 +159,7 @@ class ViewTestCases:
             instance = self._get_queryset().first()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.get(instance.get_absolute_url())
                 self.assertHttpStatus(response, [403, 404])
                 response_body = response.content.decode(response.charset)
@@ -180,7 +179,7 @@ class ViewTestCases:
             response = self.client.get(instance.get_absolute_url())
             self.assertHttpStatus(response, 200)
 
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
 
             # The object's display name or string representation should appear in the response
             self.assertIn(escape(getattr(instance, "display", str(instance))), response_body, msg=response_body)
@@ -247,7 +246,7 @@ class ViewTestCases:
             obj_perm.object_types.add(ContentType.objects.get_for_model(self.model))
 
             response = self.client.get(instance.get_absolute_url())
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             advanced_tab_href = f"{instance.get_absolute_url()}#advanced"
 
             self.assertIn(advanced_tab_href, response_body)
@@ -304,16 +303,16 @@ class ViewTestCases:
 
         def test_create_object_without_permission(self):
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("add")), 403)
 
             # Try POST without permission
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             response = self.client.post(**request)
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(response, 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -332,7 +331,7 @@ class ViewTestCases:
             # Try POST with model-level permission
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertEqual(initial_count + 1, self._get_queryset().count())
@@ -362,7 +361,7 @@ class ViewTestCases:
                     detail_url = instance.get_absolute_url()
                     validate(detail_url)
                     response = self.client.get(detail_url)
-                    response_body = testing.extract_page_body(response.content.decode(response.charset))
+                    response_body = utils.extract_page_body(response.content.decode(response.charset))
                     advanced_tab_href = f"{detail_url}#advanced"
                     self.assertIn(advanced_tab_href, response_body)
                     self.assertIn("<td>Created By</td>", response_body)
@@ -391,7 +390,7 @@ class ViewTestCases:
             # Try to create an object (not permitted)
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 200)
             self.assertEqual(initial_count, self._get_queryset().count())  # Check that no object was created
@@ -403,7 +402,7 @@ class ViewTestCases:
             # Try to create an object (permitted)
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertEqual(initial_count + 1, self._get_queryset().count())
@@ -472,15 +471,15 @@ class ViewTestCases:
             instance = self._get_queryset().first()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("edit", instance)), [403, 404])
 
             # Try POST without permission
             request = {
                 "path": self._get_url("edit", instance),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(**request), [403, 404])
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -499,7 +498,7 @@ class ViewTestCases:
             # Try POST with model-level permission
             request = {
                 "path": self._get_url("edit", instance),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertInstanceEqual(self._get_queryset().get(pk=instance.pk), self.form_data)
@@ -515,7 +514,7 @@ class ViewTestCases:
                     detail_url = instance.get_absolute_url()
                     validate(detail_url)
                     response = self.client.get(detail_url)
-                    response_body = testing.extract_page_body(response.content.decode(response.charset))
+                    response_body = utils.extract_page_body(response.content.decode(response.charset))
                     advanced_tab_href = f"{detail_url}#advanced"
                     self.assertIn(advanced_tab_href, response_body)
                     self.assertIn("<td>Last Updated By</td>", response_body)
@@ -547,7 +546,7 @@ class ViewTestCases:
             # Try to edit a permitted object
             request = {
                 "path": self._get_url("edit", instance1),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             self.assertInstanceEqual(self._get_queryset().get(pk=instance1.pk), self.form_data)
@@ -555,7 +554,7 @@ class ViewTestCases:
             # Try to edit a non-permitted object
             request = {
                 "path": self._get_url("edit", instance2),
-                "data": testing.post_data(self.form_data),
+                "data": utils.post_data(self.form_data),
             }
             self.assertHttpStatus(self.client.post(**request), 404)
 
@@ -571,7 +570,7 @@ class ViewTestCases:
             For some models this may just be any random object, but when we have FKs with `on_delete=models.PROTECT`
             (as is often the case) we need to find or create an instance that doesn't have such entanglements.
             """
-            instance = testing.get_deletable_objects(self.model, self._get_queryset()).first()
+            instance = utils.get_deletable_objects(self.model, self._get_queryset()).first()
             if instance is None:
                 self.fail("Couldn't find a single deletable object!")
             return instance
@@ -580,15 +579,15 @@ class ViewTestCases:
             instance = self.get_deletable_object()
 
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("delete", instance)), [403, 404])
 
             # Try POST without permission
             request = {
                 "path": self._get_url("delete", instance),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(**request), [403, 404])
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -624,7 +623,7 @@ class ViewTestCases:
             # Try POST with model-level permission
             request = {
                 "path": self._get_url("delete", instance),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             with self.assertRaises(ObjectDoesNotExist):
@@ -701,7 +700,7 @@ class ViewTestCases:
             # Try to delete a permitted object
             request = {
                 "path": self._get_url("delete", instance1),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
             self.assertHttpStatus(self.client.post(**request), 302)
             with self.assertRaises(ObjectDoesNotExist):
@@ -713,7 +712,7 @@ class ViewTestCases:
             instance3 = self._get_queryset().first()
             request = {
                 "path": self._get_url("delete", instance3),
-                "data": testing.post_data({"confirm": True}),
+                "data": utils.post_data({"confirm": True}),
             }
             self.assertHttpStatus(self.client.post(**request), 404)
             self.assertTrue(self._get_queryset().filter(pk=instance3.pk).exists())
@@ -781,7 +780,7 @@ class ViewTestCases:
             instance1, instance2 = self._get_queryset().all()[:2]
             response = self.client.get(f"{self._get_url('list')}?id={instance1.pk}")
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             if hasattr(self.model, "name"):
                 self.assertRegex(content, r">\s*" + re.escape(escape(instance1.name)) + r"\s*<", msg=content)
@@ -794,7 +793,7 @@ class ViewTestCases:
             """Verify that with STRICT_FILTERING, an unknown filter results in an error message and no matches."""
             response = self.client.get(f"{self._get_url('list')}?ice_cream_flavor=chocolate")
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             self.assertIn("Unknown filter field", content, msg=content)
             # There should be no table rows displayed except for the empty results row
@@ -820,7 +819,7 @@ class ViewTestCases:
                 ],
             )
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             self.assertNotIn("Unknown filter field", content, msg=content)
             self.assertIn("None", content, msg=content)
@@ -833,7 +832,7 @@ class ViewTestCases:
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
         def test_list_objects_without_permission(self):
             # Try GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 response = self.client.get(self._get_url("list"))
                 self.assertHttpStatus(response, 403)
                 response_body = response.content.decode(response.charset)
@@ -884,7 +883,7 @@ class ViewTestCases:
             # Try GET with object-level permission
             response = self.client.get(self._get_url("list"))
             self.assertHttpStatus(response, 200)
-            content = testing.extract_page_body(response.content.decode(response.charset))
+            content = utils.extract_page_body(response.content.decode(response.charset))
             # TODO: it'd make test failures more readable if we strip the page headers/footers from the content
             if hasattr(self.model, "name"):
                 self.assertRegex(content, r">\s*" + re.escape(escape(instance1.name)) + r"\s*<", msg=content)
@@ -952,11 +951,11 @@ class ViewTestCases:
         def test_create_multiple_objects_without_permission(self):
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.bulk_create_data),
+                "data": utils.post_data(self.bulk_create_data),
             }
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(**request), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -964,7 +963,7 @@ class ViewTestCases:
             initial_count = self._get_queryset().count()
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.bulk_create_data),
+                "data": utils.post_data(self.bulk_create_data),
             }
 
             # Assign non-constrained permission
@@ -994,7 +993,7 @@ class ViewTestCases:
             initial_count = self._get_queryset().count()
             request = {
                 "path": self._get_url("add"),
-                "data": testing.post_data(self.bulk_create_data),
+                "data": utils.post_data(self.bulk_create_data),
             }
 
             # Assign constrained permission
@@ -1078,7 +1077,7 @@ class ViewTestCases:
             }
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(self._get_url("bulk_edit"), data), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -1090,7 +1089,7 @@ class ViewTestCases:
             }
 
             # Append the form data to the request
-            data.update(testing.post_data(self.bulk_edit_data))
+            data.update(utils.post_data(self.bulk_edit_data))
 
             # Assign model-level permission
             obj_perm = users_models.ObjectPermission(name="Test permission", actions=["change"])
@@ -1124,7 +1123,7 @@ class ViewTestCases:
             # Expect a 200 status cause we are only rendering the bulk edit table.
             # after pressing Edit Selected button.
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if all the pks are passed into the BulkEditForm/BulkUpdateForm
             for pk in pk_list:
                 self.assertIn(f'<input type="hidden" name="pk" value="{pk}"', response_body)
@@ -1143,7 +1142,7 @@ class ViewTestCases:
             except StopIteration:
                 self.fail(f"Test requires at least three instances of {self.model._meta.model_name} to be defined.")
 
-            post_data = testing.post_data(self.bulk_edit_data)
+            post_data = utils.post_data(self.bulk_edit_data)
 
             # Open bulk update form with first two objects
             selected_data = {
@@ -1155,7 +1154,7 @@ class ViewTestCases:
             response = self.client.post(f"{self._get_url('bulk_edit')}?{query_string}", selected_data)
             # Expect a 200 status cause we are only rendering the bulk edit table after pressing Edit Selected button.
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if the first and second pk is passed into the form.
             self.assertIn(f'<input type="hidden" name="pk" value="{first_pk}"', response_body)
             self.assertIn(f'<input type="hidden" name="pk" value="{second_pk}"', response_body)
@@ -1195,7 +1194,7 @@ class ViewTestCases:
                 "pk": pk_list,
                 "_apply": True,  # Form button
             }
-            data.update(testing.post_data(self.bulk_edit_data))
+            data.update(utils.post_data(self.bulk_edit_data))
 
             # Attempt to bulk edit permitted objects into a non-permitted state
             response = self.client.post(self._get_url("bulk_edit"), data)
@@ -1227,7 +1226,7 @@ class ViewTestCases:
             For some models this may just be any random objects, but when we have FKs with `on_delete=models.PROTECT`
             (as is often the case) we need to find or create an instance that doesn't have such entanglements.
             """
-            return testing.get_deletable_objects(self.model, self._get_queryset()).values_list("pk", flat=True)[:3]
+            return utils.get_deletable_objects(self.model, self._get_queryset()).values_list("pk", flat=True)[:3]
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
         def test_bulk_delete_objects_without_permission(self):
@@ -1239,7 +1238,7 @@ class ViewTestCases:
             }
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(self._get_url("bulk_delete"), data), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=[])
@@ -1284,7 +1283,7 @@ class ViewTestCases:
             # Try POST with the selected data first. Emulating selecting all -> pressing Delete Selected button.
             response = self.client.post(self._get_url("bulk_delete"), selected_data)
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if all the pks are passed into the BulkDeleteForm/BulkDestroyForm
             for pk in pk_list:
                 self.assertIn(f'<input type="hidden" name="pk" value="{pk}"', response_body)
@@ -1312,7 +1311,7 @@ class ViewTestCases:
             response = self.client.post(f"{self._get_url('bulk_delete')}?{query_string}", selected_data)
             # Expect a 200 status cause we are only rendering the bulk delete table after pressing Delete Selected button.
             self.assertHttpStatus(response, 200)
-            response_body = testing.extract_page_body(response.content.decode(response.charset))
+            response_body = utils.extract_page_body(response.content.decode(response.charset))
             # Check if the first and second pk is passed into the form.
             self.assertIn(f'<input type="hidden" name="pk" value="{first_pk}"', response_body)
             self.assertIn(f'<input type="hidden" name="pk" value="{second_pk}"', response_body)
@@ -1372,11 +1371,11 @@ class ViewTestCases:
             data.update(self.rename_data)
 
             # Test GET without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.get(self._get_url("bulk_rename")), 403)
 
             # Try POST without permission
-            with testing.disable_warnings("django.request"):
+            with utils.disable_warnings("django.request"):
                 self.assertHttpStatus(self.client.post(self._get_url("bulk_rename"), data), 403)
 
         @override_settings(EXEMPT_VIEW_PERMISSIONS=["*"])
@@ -1517,13 +1516,13 @@ class ViewTestCases:
                 url = reverse(f"dcim:device_bulk_add_{self.model._meta.model_name}")
                 request = {
                     "path": url,
-                    "data": testing.post_data({"pk": data["device"]}),
+                    "data": utils.post_data({"pk": data["device"]}),
                 }
             else:
                 url = reverse(f"virtualization:virtualmachine_bulk_add_{self.model._meta.model_name}")
                 request = {
                     "path": url,
-                    "data": testing.post_data({"pk": data["virtual_machine"]}),
+                    "data": utils.post_data({"pk": data["virtual_machine"]}),
                 }
             self.assertHttpStatus(self.client.post(**request), 200)
 
@@ -1533,7 +1532,7 @@ class ViewTestCases:
             else:
                 data["pk"] = data.pop("virtual_machine")
             data["_create"] = ""
-            request["data"] = testing.post_data(data)
+            request["data"] = utils.post_data(data)
             self.assertHttpStatus(self.client.post(**request), 302)
 
             updated_count = self._get_queryset().count()

nautobot/core/tests/test_api.py

@@ -20,7 +20,7 @@ from nautobot.circuits.models import Provider
 from nautobot.core import testing
 from nautobot.core.api.parsers import NautobotCSVParser
 from nautobot.core.api.renderers import NautobotCSVRenderer
-from nautobot.core.api.utils import get_serializer_for_model
+from nautobot.core.api.utils import get_serializer_for_model, get_view_name
 from nautobot.core.api.versioning import NautobotAPIVersioning
 from nautobot.core.constants import COMPOSITE_KEY_SEPARATOR
 from nautobot.core.utils.lookup import get_route_for_model
@@ -28,7 +28,7 @@ from nautobot.dcim import models as dcim_models
 from nautobot.dcim.api import serializers as dcim_serializers
 from nautobot.extras import choices, models as extras_models
 from nautobot.ipam import models as ipam_models
-from nautobot.ipam.api import serializers as ipam_serializers
+from nautobot.ipam.api import serializers as ipam_serializers, views as ipam_api_views
 from nautobot.tenancy import models as tenancy_models
 
 User = get_user_model()
@@ -997,3 +997,24 @@ class NewUIGetMenuAPIViewTestCase(testing.APITestCase):
 
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.data, expected_response)
+
+
+class NautobotGetViewNameTest(TestCase):
+    """
+    Some unit tests for the get_view_name() functionality.
+    """
+
+    @override_settings(ALLOWED_HOSTS=["*"])
+    def test_get(self):
+        """Assert that the proper view name is displayed for the correct view."""
+        viewset = ipam_api_views.PrefixViewSet
+        # We need to get a specific view, so we need to set the class kwargs
+        view_kwargs = {
+            "Prefixes": {"suffix": "List", "basename": "prefix", "detail": False},
+            "Prefix": {"suffix": "Instance", "basename": "prefix", "detail": True},
+            "Available IPs": {"name": "Available IPs"},
+            "Available Prefixes": {"name": "Available Prefixes"},
+            "Notes": {"name": "Notes"},
+        }
+        for view_name, view_kwarg in view_kwargs.items():
+            self.assertEqual(view_name, get_view_name(viewset(**view_kwarg)))

nautobot/core/tests/test_jobs.py

@@ -4,9 +4,9 @@ from django.contrib.contenttypes.models import ContentType
 import yaml
 
 from nautobot.core.testing import create_job_result_and_run_job, TransactionTestCase
-from nautobot.dcim.models import DeviceType, Manufacturer
+from nautobot.dcim.models import DeviceType, Location, LocationType, Manufacturer
 from nautobot.extras.choices import JobResultStatusChoices, LogLevelChoices
-from nautobot.extras.models import ExportTemplate, JobLogEntry, Status
+from nautobot.extras.models import Contact, ContactAssociation, ExportTemplate, JobLogEntry, Role, Status
 from nautobot.users.models import ObjectPermission
 
 
@@ -256,3 +256,80 @@ class ImportObjectsTestCase(TransactionTestCase):
             self.assertEqual(log_successes[3].message, 'Row 5: Created record "test_status4"')
             self.assertTrue(Status.objects.filter(name="test_status4").exists())
             self.assertEqual(log_successes[4].message, "Created 4 status object(s) from 5 row(s) of data")
+
+    def test_csv_import_contact_assignment(self):
+        location_types_csv = "\n".join(["name", "ContactAssignmentImportTestLocationType"])
+        locations_csv = "\n".join(
+            [
+                "location_type__name,name,status__name",
+                "ContactAssignmentImportTestLocationType,ContactAssignmentImportTestLocation1,Active",
+                "ContactAssignmentImportTestLocationType,ContactAssignmentImportTestLocation2,Active",
+            ]
+        )
+        roles_csv = "\n".join(
+            [
+                "name,content_types",
+                "ContactAssignmentImportTestLocation-On Site,extras.contactassociation",
+            ]
+        )
+        contacts_csv = "\n".join(["name,email", "Bob-ContactAssignmentImportTestLocation,bob@example.com"])
+
+        location_types_job_result = create_job_result_and_run_job(
+            "nautobot.core.jobs",
+            "ImportObjects",
+            content_type=ContentType.objects.get_for_model(LocationType).pk,
+            csv_data=location_types_csv,
+        )
+        self.assertEqual(location_types_job_result.status, JobResultStatusChoices.STATUS_SUCCESS)
+
+        location_type_count = LocationType.objects.filter(name="ContactAssignmentImportTestLocationType").count()
+        self.assertEqual(location_type_count, 1, f"Unexpected count of LocationTypes {location_type_count}")
+
+        locations_job_result = create_job_result_and_run_job(
+            "nautobot.core.jobs",
+            "ImportObjects",
+            content_type=ContentType.objects.get_for_model(Location).pk,
+            csv_data=locations_csv,
+        )
+        self.assertEqual(locations_job_result.status, JobResultStatusChoices.STATUS_SUCCESS)
+
+        location_count = Location.objects.filter(location_type__name="ContactAssignmentImportTestLocationType").count()
+        self.assertEqual(location_count, 2, f"Unexpected count of Locations {location_count}")
+
+        contacts_job_result = create_job_result_and_run_job(
+            "nautobot.core.jobs",
+            "ImportObjects",
+            content_type=ContentType.objects.get_for_model(Contact).pk,
+            csv_data=contacts_csv,
+        )
+        self.assertEqual(contacts_job_result.status, JobResultStatusChoices.STATUS_SUCCESS)
+
+        contact_count = Contact.objects.filter(name="Bob-ContactAssignmentImportTestLocation").count()
+        self.assertEqual(contact_count, 1, f"Unexpected number of contacts {contact_count}")
+
+        roles_job_result = create_job_result_and_run_job(
+            "nautobot.core.jobs",
+            "ImportObjects",
+            content_type=ContentType.objects.get_for_model(Role).pk,
+            csv_data=roles_csv,
+        )
+        self.assertEqual(roles_job_result.status, JobResultStatusChoices.STATUS_SUCCESS)
+
+        role_count = Role.objects.filter(name="ContactAssignmentImportTestLocation-On Site").count()
+        self.assertEqual(role_count, 1, f"Unexpected number of role values {role_count}")
+
+        associations = ["associated_object_id,associated_object_type,status__name,role__name,contact__name"]
+        for location in Location.objects.filter(location_type__name="ContactAssignmentImportTestLocationType"):
+            associations.append(
+                f"{location.pk},dcim.location,Active,ContactAssignmentImportTestLocation-On Site,Bob-ContactAssignmentImportTestLocation"
+            )
+        associations_csv = "\n".join(associations)
+
+        associations_job_result = create_job_result_and_run_job(
+            "nautobot.core.jobs",
+            "ImportObjects",
+            content_type=ContentType.objects.get_for_model(ContactAssociation).pk,
+            csv_data=associations_csv,
+        )
+
+        self.assertEqual(associations_job_result.status, JobResultStatusChoices.STATUS_SUCCESS)

nautobot/core/tests/test_templatetags_helpers.py

@@ -283,3 +283,35 @@ class NautobotTemplatetagsHelperTest(TestCase):
                     helpers.support_message(),
                     "<p>Settings <strong>support</strong> message:</p><ul><li>Item 1</li><li>Item 2</li></ul>",
                 )
+
+    def test_hyperlinked_object_target_new_tab(self):
+        # None gives a placeholder
+        self.assertEqual(helpers.hyperlinked_object_target_new_tab(None), helpers.placeholder(None))
+        # An object without get_absolute_url gives a string
+        self.assertEqual(helpers.hyperlinked_object_target_new_tab("hello"), "hello")
+        # An object with get_absolute_url gives a hyperlink
+        location = models.Location.objects.first()
+        # Initially remove description if any
+        location.description = ""
+        location.save()
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location),
+            f'<a href="/dcim/locations/{location.pk}/" target="_blank" rel="noreferrer">{location.name}</a>',
+        )
+        # An object with get_absolute_url and a description gives a titled hyperlink
+        location.description = "An important location"
+        location.save()
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location),
+            f'<a href="/dcim/locations/{location.pk}/" title="An important location" target="_blank" rel="noreferrer">{location.name}</a>',
+        )
+        # Optionally you can request a field other than the object's display string
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location, "name"),
+            f'<a href="/dcim/locations/{location.pk}/" title="An important location" target="_blank" rel="noreferrer">{location.name}</a>',
+        )
+        # If you request a nonexistent field, it defaults to the string representation
+        self.assertEqual(
+            helpers.hyperlinked_object_target_new_tab(location, "foo"),
+            f'<a href="/dcim/locations/{location.pk}/" title="An important location" target="_blank" rel="noreferrer">{location!s}</a>',
+        )

nautobot/core/tests/test_views.py

@@ -146,6 +146,39 @@ class HomeViewTestCase(TestCase):
         response_content = response.content.decode(response.charset).replace("\n", "")
         self.assertNotRegex(response_content, footer_hostname_version_pattern)
 
+    def test_banners_markdown(self):
+        url = reverse("home")
+        with override_settings(
+            BANNER_TOP="# Hello world",
+            BANNER_BOTTOM="[info](https://nautobot.com)",
+        ):
+            response = self.client.get(url)
+        self.assertInHTML("<h1>Hello world</h1>", response.content.decode(response.charset))
+        self.assertInHTML(
+            '<a href="https://nautobot.com" rel="noopener noreferrer">info</a>',
+            response.content.decode(response.charset),
+        )
+
+        with override_settings(BANNER_LOGIN="_Welcome to Nautobot!_"):
+            self.client.logout()
+            response = self.client.get(reverse("login"))
+        self.assertInHTML("<em>Welcome to Nautobot!</em>", response.content.decode(response.charset))
+
+    def test_banners_no_xss(self):
+        url = reverse("home")
+        with override_settings(
+            BANNER_TOP='<script>alert("Hello from above!");</script>',
+            BANNER_BOTTOM='<script>alert("Hello from below!");</script>',
+        ):
+            response = self.client.get(url)
+        self.assertNotIn("Hello from above", response.content.decode(response.charset))
+        self.assertNotIn("Hello from below", response.content.decode(response.charset))
+
+        with override_settings(BANNER_LOGIN='<script>alert("Welcome to Nautobot!");</script>'):
+            self.client.logout()
+            response = self.client.get(reverse("login"))
+        self.assertNotIn("Welcome to Nautobot!", response.content.decode(response.charset))
+
 
 @override_settings(BRANDING_TITLE="Nautobot")
 class SearchFieldsTestCase(TestCase):
@@ -242,6 +275,25 @@ class FilterFormsTestCase(TestCase):
         self.assertInHTML(locations[0].name, response_content)
         self.assertInHTML(locations[1].name, response_content)
 
+    def test_filtering_crafted_query_params(self):
+        """Test for reflected-XSS vulnerability GHSA-jxgr-gcj5-cqqg."""
+        self.add_permissions("dcim.view_location")
+        query_param = "?location_type=1 onmouseover=alert('hi') foo=bar"
+        url = reverse("dcim:location_list") + query_param
+        response = self.client.get(url)
+        self.assertHttpStatus(response, 200)
+        response_content = response.content.decode(response.charset)
+        # The important thing here is that the data-field-parent and data-field-value are correctly quoted
+        self.assertInHTML(
+            """
+<span class="filter-selection-choice-remove remove-filter-param"
+      data-field-type="child"
+      data-field-parent="location_type"
+      data-field-value="1 onmouseover=alert(&#x27;hi&#x27;) foo=bar"
+>×</span>""",  # noqa: RUF001 - ambiguous-unicode-character-string
+            response_content,
+        )
+
 
 class ForceScriptNameTestcase(TestCase):
     """Basic test to assert that `settings.FORCE_SCRIPT_NAME` works as intended."""