GraphQL permissions don't match Rest API #10509

New Issue

Closed

opened 2025-12-29 21:32:24 +01:00 by adam · 3 comments

adam commented 2025-12-29 21:32:24 +01:00

Owner

Copy Link

Originally created by @llamafilm on GitHub (Nov 24, 2024).

Deployment Type

NetBox Enterprise

Triage priority

I'm a NetBox Labs customer

NetBox Version

v4.1.7

Python Version

3.12

Steps to Reproduce

1. Create a user with permission to view Devices only
2. Run a GraphQL query to retrieve the site name for a Device

Expected Behavior

Since this information is visible in the webpage and via Rest API, I expect it to be visible via GraphQL too.

Observed Behavior

The GraphQL query fails:

{'data': None, 'errors': [{'message': 'Cannot return null for non-nullable field DeviceType.site.', 'locations': [{'line': 8, 'column': 5}], 'path': ['device', 'site']}]}

It's not a big issue; it works fine if I grant permission to view Locations and Sites. But it seems weird that the permissions are inconsistent between the two APIs.

import requests

NETBOX_HOST = 'http://127.0.0.1'
NETBOX_TOKEN = ''

headers = {
    "Authorization": f"Token {NETBOX_TOKEN}",
    "Accept": "application/json"
}

query = r"""
query {
  device(id: 14476) {
    serial
    location {
      name
    }
    site {
      name
    }
  }
}"""
req = requests.post(f"{NETBOX_HOST}/graphql/", headers=headers, json={'query': query})
print(req.json())

### Rest API works
url = f"{NETBOX_HOST}/api/dcim/devices/14476/"
req = requests.get(url, headers=headers)
print(req.json())

Originally created by @llamafilm on GitHub (Nov 24, 2024). ### Deployment Type NetBox Enterprise ### Triage priority I'm a NetBox Labs customer ### NetBox Version v4.1.7 ### Python Version 3.12 ### Steps to Reproduce 1. Create a user with permission to view Devices only 2. Run a GraphQL query to retrieve the site name for a Device ### Expected Behavior Since this information is visible in the webpage and via Rest API, I expect it to be visible via GraphQL too. ### Observed Behavior The GraphQL query fails: > {'data': None, 'errors': [{'message': 'Cannot return null for non-nullable field DeviceType.site.', 'locations': [{'line': 8, 'column': 5}], 'path': ['device', 'site']}]} It's not a big issue; it works fine if I grant permission to view Locations and Sites. But it seems weird that the permissions are inconsistent between the two APIs. ```python import requests NETBOX_HOST = 'http://127.0.0.1' NETBOX_TOKEN = '' headers = { "Authorization": f"Token {NETBOX_TOKEN}", "Accept": "application/json" } query = r""" query { device(id: 14476) { serial location { name } site { name } } }""" req = requests.post(f"{NETBOX_HOST}/graphql/", headers=headers, json={'query': query}) print(req.json()) ### Rest API works url = f"{NETBOX_HOST}/api/dcim/devices/14476/" req = requests.get(url, headers=headers) print(req.json()) ```

adam added the type: bugtopic: GraphQLseverity: low labels 2025-12-29 21:32:24 +01:00

adam closed this issue 2025-12-29 21:32:24 +01:00

adam commented 2025-12-29 21:32:25 +01:00

Author

Owner

Copy Link

@arthanson commented on GitHub (Dec 3, 2024):

I'm not sure this is a bug as the issue looks like it is permissions when querying the sub-objects, but it is different then the REST API so leaving it open as it will require more debugging. It may be a won't fix after investigation.

@arthanson commented on GitHub (Dec 3, 2024): I'm not sure this is a bug as the issue looks like it is permissions when querying the sub-objects, but it is different then the REST API so leaving it open as it will require more debugging. It may be a won't fix after investigation.

adam commented 2025-12-29 21:32:25 +01:00

Author

Owner

Copy Link

@jeremypng commented on GitHub (Jan 23, 2025):

The REST API permissions are leaky. The GraphQL permissions are correct. The user has permission to the device, not the site object, so you can't query the site name since it is not on the device object.

I would suggest not fixing this.

EDIT: To make this fail smoother when permissions are lacking the strawberry types could be relaxed so all the fields are nullable. Since they are only used for response queries and there is no mutation support, it would allow the model to not fail if there is missing data because of a lack of permissions.

@jeremypng commented on GitHub (Jan 23, 2025): The REST API permissions are leaky. The GraphQL permissions are correct. The user has permission to the device, not the site object, so you can't query the site name since it is not on the device object. I would suggest not fixing this. EDIT: To make this fail smoother when permissions are lacking the strawberry types could be relaxed so all the fields are nullable. Since they are only used for response queries and there is no mutation support, it would allow the model to not fail if there is missing data because of a lack of permissions.

adam commented 2025-12-29 21:32:25 +01:00

Author

Owner

Copy Link

@arthanson commented on GitHub (Apr 22, 2025):

Agree with not fixing as per comment above.

@arthanson commented on GitHub (Apr 22, 2025): Agree with not fixing as per comment above.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label severity: low topic: GraphQL type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#10509