starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-12 05:20:31 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Interface connections and traces expose details of connected devices regardless of permissions #3937

New Issue
Closed
opened 2025-12-29 18:32:10 +01:00 by adam · 3 comments
adam commented 2025-12-29 18:32:10 +01:00
Owner
Copy Link

Originally created by @cpmills1975 on GitHub (Aug 4, 2020).

Environment

  • Python version: 3.6.8
  • NetBox version: 2.9-beta1

Steps to Reproduce

  1. Create two devices, one with adequate attributes such that it will be hidden to a user, the other visible
  2. Connect two interfaces between the two devices
  3. Log in with restricted user and observe connection details

Expected Behavior

While still indicating that a connection exists between the visible device and the hidden device, the details of the device it is connected to in the interfaces table and when performing a cable trace should somehow be hidden.

Observed Behavior

The device and port names of the 'B' end of the connection is displayed, but clicking on them results in a 404 error.

Originally created by @cpmills1975 on GitHub (Aug 4, 2020). <!-- NOTE: IF YOUR ISSUE DOES NOT FOLLOW THIS TEMPLATE, IT WILL BE CLOSED. This form is only for reproducible bugs. If you need assistance with NetBox installation, or if you have a general question, DO NOT open an issue. Instead, post to our mailing list: https://groups.google.com/forum/#!forum/netbox-discuss Please describe the environment in which you are running NetBox. Be sure that you are running an unmodified instance of the latest stable release before submitting a bug report, and that any plugins have been disabled. --> ### Environment * Python version: 3.6.8 * NetBox version: 2.9-beta1 <!-- Describe in detail the exact steps that someone else can take to reproduce this bug using the current stable release of NetBox. Begin with the creation of any necessary database objects and call out every operation being performed explicitly. If reporting a bug in the REST API, be sure to reconstruct the raw HTTP request(s) being made: Don't rely on a client library such as pynetbox. --> ### Steps to Reproduce 1. Create two devices, one with adequate attributes such that it will be hidden to a user, the other visible 2. Connect two interfaces between the two devices 3. Log in with restricted user and observe connection details <!-- What did you expect to happen? --> ### Expected Behavior While still indicating that a connection exists between the visible device and the hidden device, the details of the device it is connected to in the interfaces table and when performing a cable trace should somehow be hidden. <!-- What happened instead? --> ### Observed Behavior The device and port names of the 'B' end of the connection is displayed, but clicking on them results in a 404 error.
adam closed this issue 2025-12-29 18:32:10 +01:00
adam commented 2025-12-29 18:32:10 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Aug 7, 2020):

I'm not sure I agree with this. Let's start with the REST API representation of a cable trace. The response is a list of three-tuples, with each representing a (near end, cable, far end) set in the path. The near and far end serializations show a minimal representation of the connected termination and its parent device/circuit. For example:

[
    {
        "id": 1,
        "url": "http://localhost:8000/api/dcim/console-ports/1/",
        "device": {
            "id": 1,
            "url": "http://localhost:8000/api/dcim/devices/1/",
            "name": "device1",
            "display_name": "device1"
        },
        "name": "Console Port 1",
        "cable": 1,
        "connection_status": {
            "value": true,
            "label": "Connected"
        }
    },
    {
        "id": 1,
        "url": "http://localhost:8000/api/dcim/cables/1/",
        "type": ""
    },
    {
        "id": 1,
        "url": "http://localhost:8000/api/dcim/console-server-ports/2/",
        "device": {
            "id": 2,
            "url": "http://localhost:8000/api/dcim/devices/2/",
            "name": "device2",
            "display_name": "device2"
        },
        "name": "Console Server Port 1",
        "cable": 1,
        "connection_status": {
            "value": true,
            "label": "Connected"
        }
    }
]

The goal of object-based permissions is not to entirely hide the existence of every non-viewable object: that would be impractical given the tightly integrated nature of NetBox's data model. Rather, it is to prevent an unauthorized use from viewing any specific details of an object beyond its unique identifier (e.g. its name). For example, a user viewing a device will be able to see what site it's assigned to, even if they don't have permission to view the site itself.

While still indicating that a connection exists between the visible device and the hidden device, the details of the device it is connected to in the interfaces table and when performing a cable trace should somehow be hidden.

How would you accomplish this considering the output above, bearing in mind that the format of the response must remain consistent?

@jeremystretch commented on GitHub (Aug 7, 2020): I'm not sure I agree with this. Let's start with the REST API representation of a cable trace. The response is a list of three-tuples, with each representing a (near end, cable, far end) set in the path. The near and far end serializations show a minimal representation of the connected termination and its parent device/circuit. For example: ```json [ { "id": 1, "url": "http://localhost:8000/api/dcim/console-ports/1/", "device": { "id": 1, "url": "http://localhost:8000/api/dcim/devices/1/", "name": "device1", "display_name": "device1" }, "name": "Console Port 1", "cable": 1, "connection_status": { "value": true, "label": "Connected" } }, { "id": 1, "url": "http://localhost:8000/api/dcim/cables/1/", "type": "" }, { "id": 1, "url": "http://localhost:8000/api/dcim/console-server-ports/2/", "device": { "id": 2, "url": "http://localhost:8000/api/dcim/devices/2/", "name": "device2", "display_name": "device2" }, "name": "Console Server Port 1", "cable": 1, "connection_status": { "value": true, "label": "Connected" } } ] ``` The goal of object-based permissions is not to entirely hide the existence of every non-viewable object: that would be impractical given the tightly integrated nature of NetBox's data model. Rather, it is to prevent an unauthorized use from viewing any specific details of an object beyond its unique identifier (e.g. its name). For example, a user viewing a device will be able to see what site it's assigned to, even if they don't have permission to view the site itself. > While still indicating that a connection exists between the visible device and the hidden device, the details of the device it is connected to in the interfaces table and when performing a cable trace should somehow be hidden. How would you accomplish this considering the output above, bearing in mind that the format of the response must remain consistent?
adam commented 2025-12-29 18:32:10 +01:00
Author
Owner
Copy Link

@yarnocobussen commented on GitHub (Aug 20, 2020):

I'd like to add another point into this topic for your consideration.

If a user only sees "hidden" on the far end of a trace, then it lacks an unique identifier for what's on the other end.
For their own administration, they'd have to come up with their own identifier, and somehow store it somewhere. This results in different tenants using different names to refer to the same object, with each using different methods to store that information.

I can't imagine this being in the spirit of Netbox.

@yarnocobussen commented on GitHub (Aug 20, 2020): I'd like to add another point into this topic for your consideration. If a user only sees "hidden" on the far end of a trace, then it lacks an unique identifier for what's on the other end. For their own administration, they'd have to come up with their own identifier, and somehow store it somewhere. This results in different tenants using different names to refer to the same object, with each using different methods to store that information. I can't imagine this being in the spirit of Netbox.
adam commented 2025-12-29 18:32:11 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Sep 15, 2020):

We discussed this in today's maintainers' meeting, and the consensus was to leave the current behavior as-is to avoid the problems mentioned above. For people who must have the ability to hide this information from individual users/groups, it probably makes sense to introduce a new dcim.trace_cable permission to toggle this ability entirely. I'll leave it to someone in the community to propose that in a separate feature request if desired.

@jeremystretch commented on GitHub (Sep 15, 2020): We discussed this in today's maintainers' meeting, and the consensus was to leave the current behavior as-is to avoid the problems mentioned above. For people who must have the ability to hide this information from individual users/groups, it probably makes sense to introduce a new `dcim.trace_cable` permission to toggle this ability entirely. I'll leave it to someone in the community to propose that in a separate feature request if desired.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#3937
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?