starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Permission Cloning fails with single action selected #11809

New Issue
Closed
opened 2025-12-29 21:50:09 +01:00 by adam · 2 comments
adam commented 2025-12-29 21:50:09 +01:00
Owner
Copy Link

Originally created by @NicJames2378 on GitHub (Nov 5, 2025).

Originally assigned to: @pheus on GitHub.

NetBox Edition

NetBox Community

NetBox Version

v4.4.5

Python Version

3.12

Steps to Reproduce

The following assumes you are logged in with an administrative account of type "superuser".

  1. Navigate to "Permissions"
  2. Create a new basic permission (give it a name and object type[s])
  3. Assign any single action and "Save"
  4. Once redirected to the permission view, attempt to "Clone". This will cause the error below.

This has been reproduced in the Netbox Demo environment and a clone of our local production environment with all plugins disabled.

Expected Behavior

Attempting to clone a permission object which contains a single action should succeed. This has been tested to be reproducible with any single action selected, but appears to work when more than one is toggled.

Workaround: Currently, we have worked around this by removing all assignments on the permission, adding the "add" action, cloning, then removing the "add" action and re-assigning groups/users. This causes excess tedium.

Use case: Permissions in our environment need to limit what is visible on a least-privilege basis. For example, Asset Management only needs to see the hardware and serial numbers, while Facilities may need to see power infrastructure. This is required for local compliance regulations.Within departments, only certain people should be allowed to modify the documentation (henceforth 'department editors', i.e., the head of Facilities can update power panel information, but the workers can only see information). This is intended to enforce changes being documented as part of our workflow procedures before work is physically completed. NetBox represents our 'desired state' in this scenario.
Currently, all departments are limited to specific "view only" permissions, but the trusted department editors have full edit permissions to everything via superuser. To enforce better security and privilege management, we want to clone the current "view only" permissions and set the "add/change/delete" permissions, then assign to the required groups/users.

Observed Behavior

<class 'AttributeError'>

'str' object has no attribute 'remove'

Python version: 3.12.12
NetBox version: 4.4.5
Plugins: 
  netbox_topology_views: 4.4.0
Originally created by @NicJames2378 on GitHub (Nov 5, 2025). Originally assigned to: @pheus on GitHub. ### NetBox Edition NetBox Community ### NetBox Version v4.4.5 ### Python Version 3.12 ### Steps to Reproduce The following assumes you are logged in with an administrative account of type "superuser". 1. Navigate to "Permissions" 2. Create a new basic permission (give it a name and object type[s]) 3. Assign any single action and "Save" 4. Once redirected to the permission view, attempt to "Clone". This will cause the error below. This has been reproduced in the Netbox Demo environment and a clone of our local production environment with all plugins disabled. ### Expected Behavior Attempting to clone a permission object which contains a single action should succeed. This has been tested to be reproducible with any single action selected, but appears to work when more than one is toggled. Workaround: Currently, we have worked around this by removing all assignments on the permission, adding the "add" action, cloning, then removing the "add" action and re-assigning groups/users. This causes excess tedium. Use case: Permissions in our environment need to limit what is visible on a least-privilege basis. For example, Asset Management only needs to see the hardware and serial numbers, while Facilities may need to see power infrastructure. This is required for local compliance regulations.Within departments, only certain people should be allowed to modify the documentation (henceforth 'department editors', i.e., the head of Facilities can update power panel information, but the workers can only see information). This is intended to enforce changes being documented as part of our workflow procedures before work is physically completed. NetBox represents our 'desired state' in this scenario. Currently, all departments are limited to specific "view only" permissions, but the trusted department editors have full edit permissions to everything via superuser. To enforce better security and privilege management, we want to clone the current "view only" permissions and set the "add/change/delete" permissions, then assign to the required groups/users. ### Observed Behavior ``` <class 'AttributeError'> 'str' object has no attribute 'remove' Python version: 3.12.12 NetBox version: 4.4.5 Plugins: netbox_topology_views: 4.4.0 ```
adam added the type: bugstatus: acceptednetboxseverity: low labels 2025-12-29 21:50:09 +01:00
adam closed this issue 2025-12-29 21:50:09 +01:00
adam commented 2025-12-29 21:50:10 +01:00
Author
Owner
Copy Link

@pheus commented on GitHub (Nov 6, 2025):

Thanks for bringing this up. This is a side effect of the change in #20353 (NetBox v4.4.1). The form logic iterates over the action checkboxes and mutates self.initial['actions'] accordingly, but it assumes that value is always a list. In the clone flow, if only one action (view, add, change, or delete) is provided via the URL, self.initial['actions'] is a string instead of a list, so calling .remove(action) fails. Normalizing self.initial['actions'] to a list before mutation should resolve it.

I'd be happy to contribute the fix. Can you please assign it to me? Thanks

@pheus commented on GitHub (Nov 6, 2025): Thanks for bringing this up. This is a side effect of the change in #20353 (NetBox v4.4.1). The form logic iterates over the action checkboxes and mutates `self.initial['actions']` accordingly, but it assumes that value is always a list. In the clone flow, if only one action (`view`, `add`, `change`, or `delete`) is provided via the URL, `self.initial['actions']` is a string instead of a list, so calling `.remove(action)` fails. Normalizing `self.initial['actions']` to a list before mutation should resolve it. I'd be happy to contribute the fix. Can you please assign it to me? Thanks
adam commented 2025-12-29 21:50:10 +01:00
Author
Owner
Copy Link

@bctiemann commented on GitHub (Nov 6, 2025):

@pheus Sure!

@bctiemann commented on GitHub (Nov 6, 2025): @pheus Sure!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label netbox severity: low status: accepted type: bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#11809
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?