A user with no permissions except for login rights can still search for objects #2935

Closed
opened 2025-12-29 18:23:44 +01:00 by adam · 0 comments
Owner

Originally created by @Grokzen on GitHub (Oct 8, 2019).

Environment

  • Python version: 3.6.x
  • NetBox version: 2.6.5

Steps to Reproduce

  1. Create a new user.
  2. Set the user as Active in the Django admin
  3. Ensure the user has no permissions or groups added
  4. Login to site
  5. All links on the home.html page are blocked out, and all other links give 403 to list/detail/edit views.
  6. User can still use global search page and still scrape out some information that it was not supposed to have due to no View permissions on any views. http://localhost/search/?q=dsa&obj_type=

Expected Behavior

Either the user should not be able to use the search, or the search results should be filtered to only the models that match the view_<model> permissions that the user has assigned to it.

Observed Behavior

The user could use the search feature when not intended to be able to use it.

adam added the type: bugstatus: accepted labels 2025-12-29 18:23:44 +01:00
adam closed this issue 2025-12-29 18:23:44 +01:00
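The fix the report asks for in Expected Behavior is a search that consults the same view_<model> permissions the list and detail views already enforce. The following is an added illustration of that pattern, not NetBox's own search code: the User class, the SEARCH_TYPES registry, the app labels and the sample rows are constructed stand-ins for Django's auth model and NetBox's search registry, but the check itself, user.has_perm(f"{app_label}.view_{model}"), is the standard Django permission string the report refers to.

```python
"""Permission-filtered global search (added example, not NetBox code).

Demonstrates both remedies from the report: deny the search page outright
when the user can view nothing, and otherwise skip every model the user
lacks view_<model> on, so search cannot leak what the views already hide.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for django.contrib.auth's User.has_perm()."""
    username: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


# Constructed search registry: obj_type -> (app_label, model_name, rows).
# Real NetBox holds querysets here; plain strings keep the example offline.
SEARCH_TYPES = {
    "device": ("dcim", "device", ["dsa-core-01", "edge-02"]),
    "site": ("dcim", "site", ["dsa-site-a", "hq"]),
    "prefix": ("ipam", "prefix", ["10.0.0.0/24", "192.168.5.0/24"]),
}


def view_perm(app_label: str, model_name: str) -> str:
    """Django's default view permission codename, e.g. 'dcim.view_device'."""
    return f"{app_label}.view_{model_name}"


def searchable_types(user: User) -> list:
    """Object types this user may search: exactly those it may view."""
    return [
        name
        for name, (app_label, model_name, _rows) in SEARCH_TYPES.items()
        if user.has_perm(view_perm(app_label, model_name))
    ]


def can_search(user: User) -> bool:
    """Remedy 1: a user who may view no model gets no search page at all."""
    return bool(searchable_types(user))


def search(user: User, q: str, obj_type: str = "") -> dict:
    """Remedy 2: results are limited to models the user holds view_<model> on.

    obj_type mirrors the ?obj_type= query parameter; empty means all types.
    A requested type the user may not view yields nothing, not an error,
    so the response does not reveal which models exist.
    """
    results = {}
    allowed = set(searchable_types(user))
    needle = q.lower()
    for name, (_app, _model, rows) in SEARCH_TYPES.items():
        if obj_type and name != obj_type:
            continue
        if name not in allowed:
            continue  # the model is invisible to this user; skip it entirely
        hits = [row for row in rows if needle in row.lower()]
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    nobody = User("login-only")                      # the user from the report
    ops = User("ops", {"dcim.view_device"})
    print(can_search(nobody), search(nobody, "dsa"))  # False {}
    print(can_search(ops), search(ops, "dsa"))        # True {'device': ['dsa-core-01']}
```

In a Django view the same two checks map onto a `PermissionDenied` before rendering the form when `can_search()` is false, and onto filtering the registered querysets by `searchable_types()` before running the query; the report's URL `http://localhost/search/?q=dsa&obj_type=` then returns nothing for a login-only user.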

Reference: starred/netbox#2935