starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Add custom validation and/or permissions constraint support to the Token model #11735

New Issue
Closed
opened 2025-12-29 21:49:16 +01:00 by adam · 3 comments
adam commented 2025-12-29 21:49:16 +01:00
Owner
Copy Link

Originally created by @atownson on GitHub (Oct 16, 2025).

NetBox version

v4.4.4

Feature type

Change to existing functionality

Proposed functionality

Currently, custom validators are not processed for the Token model and default permissions allow users to view, create, edit, and delete tokens scoped to their user. This proposal requests adding the CustomValidationMixin to the Token model to enable validation support and/or remove the default permissions for the Token model (found in settings.py).

Example validator implementation (configuration.py):

class TokenValidator(CustomValidator):
    def validate(self, instance, request):
        if not request.user.is_superuser:
            self.fail('Only admins are able to create API tokens.')

CUSTOM_VALIDATORS = {
    'users.token': (
        TokenValidator(),
    )
}

Use case

The goal of this request is to allow some guardrails for token management by enabling custom validators and/or removing the default permissions for the Token model. Understandably, the default permissions allow users to utilize the NetBox API with the same permissions they have available via the UI. However, compared to SSO, API tokens can be easily compromised. Admins should be able to recreate the current default permissions found the settings.py if they choose to do so.

Potential use cases would be limiting the creation, modification, or deletion of tokens to specific users or groups, configuring a maximum expiration value, limiting tokens to read only, and applying a defined IP allow list.

Database changes

None

External dependencies

None

Originally created by @atownson on GitHub (Oct 16, 2025). ### NetBox version v4.4.4 ### Feature type Change to existing functionality ### Proposed functionality Currently, custom validators are not processed for the Token model and default permissions allow users to view, create, edit, and delete tokens scoped to their user. This proposal requests adding the `CustomValidationMixin` to the Token model to enable validation support and/or remove the default permissions for the Token model (found in settings.py). Example validator implementation (configuration.py): ``` class TokenValidator(CustomValidator): def validate(self, instance, request): if not request.user.is_superuser: self.fail('Only admins are able to create API tokens.') CUSTOM_VALIDATORS = { 'users.token': ( TokenValidator(), ) } ``` ### Use case The goal of this request is to allow some guardrails for token management by enabling custom validators and/or removing the default permissions for the Token model. Understandably, the default permissions allow users to utilize the NetBox API with the same permissions they have available via the UI. However, compared to SSO, API tokens can be easily compromised. Admins should be able to recreate the current default permissions found the settings.py if they choose to do so. Potential use cases would be limiting the creation, modification, or deletion of tokens to specific users or groups, configuring a maximum expiration value, limiting tokens to read only, and applying a defined IP allow list. ### Database changes None ### External dependencies None
adam added the type: feature label 2025-12-29 21:49:16 +01:00
adam closed this issue 2025-12-29 21:49:16 +01:00
adam commented 2025-12-29 21:49:17 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Oct 16, 2025):

and/or remove the default permissions for the Token model (found in settings.py).

You can override the default permissions via the DEFAULT_PERMISSIONS configuration parameter.

@jeremystretch commented on GitHub (Oct 16, 2025): > and/or remove the default permissions for the Token model (found in settings.py). You can override the default permissions via the [`DEFAULT_PERMISSIONS`](https://netboxlabs.com/docs/netbox/configuration/security/#default_permissions) configuration parameter.
adam commented 2025-12-29 21:49:17 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Oct 16, 2025):

Potential use cases would be limiting the creation, modification, or deletion of tokens to specific users or groups, configuring a maximum expiration value, limiting tokens to read only, and applying a defined IP allow list.

These all sound like things that can be tackled via the assignment of carefully crafted permissions. Introducing support for custom validators doesn't make sense in this context because you aren't validating the token, but rather enforcing limitations on it (which is the purpose of permissions).

@jeremystretch commented on GitHub (Oct 16, 2025): > Potential use cases would be limiting the creation, modification, or deletion of tokens to specific users or groups, configuring a maximum expiration value, limiting tokens to read only, and applying a defined IP allow list. These all sound like things that can be tackled via the assignment of carefully crafted permissions. Introducing support for custom validators doesn't make sense in this context because you aren't _validating_ the token, but rather enforcing limitations on it (which is the purpose of permissions).
adam commented 2025-12-29 21:49:17 +01:00
Author
Owner
Copy Link

@atownson commented on GitHub (Oct 16, 2025):

Indeed if the DEFAULT_PERMISSIONS can be modified (as documented), this should solve the given use cases. This issue may be closed. Thank you.

@atownson commented on GitHub (Oct 16, 2025): Indeed if the DEFAULT_PERMISSIONS can be modified (as documented), this should solve the given use cases. This issue may be closed. Thank you.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label type: feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#11735
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?