$user token in permissions constraint not behaving according to documentation #11099

New Issue

Closed

opened 2025-12-29 21:40:18 +01:00 by adam · 1 comment

adam commented 2025-12-29 21:40:18 +01:00

Owner

Copy Link

Originally created by @Padnezz on GitHub (Apr 29, 2025).

Deployment Type

Self-hosted

NetBox Version

v4.0.10

Python Version

3.11

Steps to Reproduce

1. New netbox instance with empty db
2. Create user u1 with default privileges, active user
3. Create permissions structure p1 with the following settings:
   --Can view
   --Can edit
   --Object type: Tenancy: Contact assignments
   --User: u1
   --Constraint: {"contact__name": "$user"}
   -With default values in all other choices
4. Create site s1, with default values in all other choices
5. Create device role dr1, with default values in all other choices
6. Create manufacutrer m1, with default values in all other choices
7. Create device type dv1, using manufacturer m1, with default values in all other choices
8. Create device d1, using device role dr1, manufacturer m1, device type dv1, with default values in all other choices
9. Create contact role cr1
10. Create contact with same name as user u1
11. Create API key for user u1,
12. Run API call to assign contact u1 with contact role cr1 to device d1 (All IDs are 1 as we don't expect to have anything else beforehand)
    curl -X 'POST' "${NB_HOST}/api/tenancy/contact-assignments/" -H 'accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Token ${NB_KEY}" -d '{ "object_type": "dcim.device", "object_id": 1,"contact": {"id" : 1},"role": {"id": 1}}'

Expected Behavior

Contact u1 with contact role cr1 is assigned on device d1, using the API key from user u1. This is because the permissions constraint should pass, because the name of contact u1 string equals the username of u1. This happens up until Netbox version v4.0.9.
According to the documentation in https://netboxlabs.com/docs/netbox/en/stable/administration/permissions/ > User Token, we understand that we can use $user as a string value. Our prod instance (Netbox version v3.7.8) is built upon this behavior using contacts and users in the Netbox instance.

Observed Behavior

API instead returns {"detail":"You do not have permission to perform this action."} and no action is performed on the device d1. This happens in Netbox version v4.0.10 and beyond. Setting the string u1 in the permissions constraint instead of $user works though.
We were unable to test the example constraint according to documentation https://netboxlabs.com/docs/netbox/en/stable/administration/permissions/ > User Token as the API does not return a created_by object on dcim.device GET requests.

Is this PR the reason for this? https://github.com/netbox-community/netbox/pull/17268
Should we be using $user another way?

Originally created by @Padnezz on GitHub (Apr 29, 2025). ### Deployment Type Self-hosted ### NetBox Version v4.0.10 ### Python Version 3.11 ### Steps to Reproduce 1. New netbox instance with empty db 2. Create user `u1` with default privileges, active user 3. Create permissions structure `p1` with the following settings: --Can view --Can edit --Object type: Tenancy: Contact assignments --User: u1 --Constraint: `{"contact__name": "$user"}` -With default values in all other choices 4. Create site `s1`, with default values in all other choices 5. Create device role `dr1`, with default values in all other choices 6. Create manufacutrer `m1`, with default values in all other choices 7. Create device type `dv1`, using manufacturer `m1`, with default values in all other choices 8. Create device `d1`, using device role `dr1`, manufacturer `m1`, device type `dv1`, with default values in all other choices 9. Create contact role `cr1` 10. Create contact with same name as user `u1` 11. Create API key for user `u1`, 12. Run API call to assign contact `u1` with contact role `cr1` to device `d1` (All IDs are `1` as we don't expect to have anything else beforehand) `curl -X 'POST' "${NB_HOST}/api/tenancy/contact-assignments/" -H 'accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Token ${NB_KEY}" -d '{ "object_type": "dcim.device", "object_id": 1,"contact": {"id" : 1},"role": {"id": 1}}'` ### Expected Behavior Contact `u1` with contact role `cr1` is assigned on device `d1`, using the API key from user `u1`. This is because the permissions constraint should pass, because the name of contact `u1` string equals the username of `u1`. This happens up until Netbox version `v4.0.9`. According to the documentation in https://netboxlabs.com/docs/netbox/en/stable/administration/permissions/ > _**User Token**_, we understand that we can use `$user` as a string value. Our prod instance (Netbox version `v3.7.8`) is built upon this behavior using contacts and users in the Netbox instance. ### Observed Behavior API instead returns `{"detail":"You do not have permission to perform this action."}` and no action is performed on the device `d1`. This happens in Netbox version `v4.0.10` and beyond. Setting the string `u1` in the permissions constraint instead of `$user` works though. We were unable to test the example constraint according to documentation https://netboxlabs.com/docs/netbox/en/stable/administration/permissions/ > _**User Token**_ as the API does not return a `created_by` object on `dcim.device` GET requests. Is this PR the reason for this? https://github.com/netbox-community/netbox/pull/17268 Should we be using `$user` another way?

adam added the type: bug label 2025-12-29 21:40:18 +01:00

adam closed this issue 2025-12-29 21:40:19 +01:00

adam commented 2025-12-29 21:40:20 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Apr 29, 2025):

The $user token resolves to the current user's numeric ID, not it's username, so attempting to bind a user to a contact in this manner won't work.

You could instead instead add a custom field on the Contact model to establish a relationship to the User model, and assign the contact u1 with the user u1. The update the permission constraint to:

{
    "contact__custom_field_data__user": "$user"
}

Hope that helps. I'm going to close this out as the ability to match on the name of the current user is not supported.

@jeremystretch commented on GitHub (Apr 29, 2025): The `$user` token resolves to the current user's numeric ID, not it's username, so attempting to bind a user to a contact in this manner won't work. You could instead instead add a custom field on the Contact model to establish a relationship to the User model, and assign the contact `u1` with the user `u1`. The update the permission constraint to: ``` { "contact__custom_field_data__user": "$user" } ``` Hope that helps. I'm going to close this out as the ability to match on the name of the current user is not supported.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#11099