Rack elevations display devices (and details of them) to users without permissions #3917

Closed
opened 2025-12-29 18:32:04 +01:00 by adam · 3 comments

Originally created by @cpmills1975 on GitHub (Jul 29, 2020).

Originally assigned to: @jeremystretch on GitHub.

Environment

  • Python version: 3.7.8
  • NetBox version: 2.9-beta1

Steps to Reproduce

  1. As admin (or a user with adequate permissions), create two devices (device 'a' and device 'b') and rack them. Device 'a' should have appropriate attributes such that it will be visible to user 'a', and device 'b' should have appropriate attributes such that it will NOT be visible to user 'a'.
  2. Ensure permissions are created that limit user 'a' to see only device 'a' and not device 'b'.
  3. Confirm, via the devices screen, that user 'a' can see only device 'a' and not device 'b'.
  4. View the rack elevations. Device 'b' will be visible and, when hovering over it, attributes will be displayed as normal in the tooltip; however, clicking on it results in a 404 Not Found error, presumably due to inadequate permissions.

Expected Behavior

While I get that displaying empty rack units doesn't make sense, some way to display occupied rack units, but without any details of the devices that are using them, should be considered. Perhaps something similar to the rack reservation color coding. Alternatively, blocking out the units but displaying no details, and either making sure they are not clickable or returning a 403 Forbidden if clicked, would be applicable.

Observed Behavior

Device 'b' is displayed to the user, along with serial number, asset number, role, etc., and when clicking it, a 404 is returned. The permissions model correctly prevents access to device 'b' when viewing the device list.

adam added the type: bug, status: accepted, beta labels 2025-12-29 18:32:04 +01:00
adam closed this issue 2025-12-29 18:32:04 +01:00

@jeremystretch commented on GitHub (Jul 29, 2020):

Good catch. Here's what it looks like with the fix in place. There are four 1U switches installed, and the current user has permission to view only the top two. The other devices are rendered only as unavailable space.

![rack_screenshot](https://user-images.githubusercontent.com/13487278/88807998-52006c80-d180-11ea-9745-e7fc2a7852c3.png)


@cpmills1975 commented on GitHub (Aug 3, 2020):

This looks great, @jeremystretch, and having tested your latest commits, I can see the devices are indeed hidden. However, the API call for the rack elevation still exposes more information than one might reasonably expect, including device ID, name and URL, at /api/dcim/racks/id/elevation. Would you prefer a separate ticket opened for this?


@jeremystretch commented on GitHub (Aug 3, 2020):

Good catch. I've opened #4940 to add an `occupied` field to each rack unit. This will allow us to indicate that a unit is occupied without revealing the specific device occupying it. The work to restrict the viewable devices will be done under that issue.

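The approach the thread converges on, marking a unit as occupied while withholding details of any device the requesting user may not view, as an added example. This is illustrative Python, not NetBox's own code: the rack, its devices and the set of viewable device ids are constructed assumptions standing in for NetBox's permission-filtered device queryset.

```python
"""Authorization-aware rack elevation. Added example, not NetBox's own code:
the rack, its devices and the set of device ids the user may view are
constructed here; in NetBox the latter comes from permission filtering."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    id: int
    name: str
    position: int      # lowest rack unit the device occupies
    u_height: int = 1  # consecutive units it occupies, counting upward
    serial: str = ""

@dataclass
class RackUnit:
    id: int                        # rack unit position
    name: str
    occupied: bool = False         # like the `occupied` field proposed in #4940
    device: Optional[dict] = None  # details only when the user may view it

# Constructed sample: four 1U switches (as in the screenshot) plus one 2U server.
RACK_HEIGHT = 8
DEVICES = [
    Device(1, "sw1", position=8, serial="S1"),
    Device(2, "sw2", position=7, serial="S2"),
    Device(3, "sw3", position=6, serial="S3"),
    Device(4, "sw4", position=5, serial="S4"),
    Device(5, "srv1", position=3, u_height=2, serial="S5"),
]

def build_elevation(rack_height, devices, viewable_ids):
    """One RackUnit per position, top down as the elevation is drawn.
    A unit holding a device the user may not view is marked occupied but
    carries no device details, so neither the SVG tooltip nor the
    /api/dcim/racks/<id>/elevation payload can reveal its id, name or serial."""
    units = {u: RackUnit(id=u, name=f"U{u}") for u in range(1, rack_height + 1)}
    for dev in devices:
        for u in range(dev.position, dev.position + dev.u_height):
            if u not in units:  # device data outside the rack: skip, don't crash
                continue
            units[u].occupied = True
            if dev.id in viewable_ids:
                units[u].device = {"id": dev.id, "name": dev.name, "serial": dev.serial}
    return [units[u] for u in range(rack_height, 0, -1)]

def exposed_device_ids(elevation):
    """Every device id present in an elevation; a leak check for tests."""
    return {u.device["id"] for u in elevation if u.device}
```

A regression test for the bug in this issue is `exposed_device_ids(elevation) <= viewable_ids` for every user the elevation is rendered for.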

Reference: starred/netbox#3917