extras.view_reportresult permission does not grant viewing rights on reports #4105

New Issue

Closed

opened 2025-12-29 18:33:09 +01:00 by adam · 6 comments

adam commented 2025-12-29 18:33:09 +01:00

Owner

Copy Link

Originally created by @mobarre on GitHub (Sep 16, 2020).

Originally assigned to: @jeremystretch on GitHub.

Environment

• Python version: 3.6.9
• NetBox version: 2.9.3

Steps to Reproduce

1. Create a new user
2. Assign it the extras.view_reportresult permission (or assign it to a group that has this permission)
3. Log as this new user
4. Attempt to access the report section
5. Attempt to access the result page of a report

Expected Behavior

I would expect this user to be able to browse the list of available reports and look at their results

Observed Behavior

Attempts to access the report section results in an Access Denied
Attempts to access the result page of a report (with URL) directly also results in an Access Denied

Originally created by @mobarre on GitHub (Sep 16, 2020). Originally assigned to: @jeremystretch on GitHub. ### Environment * Python version: 3.6.9 * NetBox version: 2.9.3 ### Steps to Reproduce 1. Create a new user 2. Assign it the extras.view_reportresult permission (or assign it to a group that has this permission) 3. Log as this new user 4. Attempt to access the report section 5. Attempt to access the result page of a report ### Expected Behavior I would expect this user to be able to browse the list of available reports and look at their results ### Observed Behavior Attempts to access the report section results in an Access Denied Attempts to access the result page of a report (with URL) directly also results in an Access Denied

adam added the type: bugstatus: accepted labels 2025-12-29 18:33:09 +01:00

adam closed this issue 2025-12-29 18:33:09 +01:00

adam commented 2025-12-29 18:33:10 +01:00

Author

Owner

Copy Link

@ledgley commented on GitHub (Sep 17, 2020):

Also have the same issue described, plus the same issue with Scripts. Though I can 'read' the script, I get 'You do not have permission to run scripts' regardless of the permissions given.

@ledgley commented on GitHub (Sep 17, 2020): Also have the same issue described, plus the same issue with Scripts. Though I can 'read' the script, I get 'You do not have permission to run scripts' regardless of the permissions given.

adam commented 2025-12-29 18:33:10 +01:00

Author

Owner

Copy Link

@ledgley commented on GitHub (Sep 17, 2020):

To add to the above, I have tried with LDAP users and local users. Only Superusers are able to perform the actions described.

@ledgley commented on GitHub (Sep 17, 2020): To add to the above, I have tried with LDAP users and local users. Only Superusers are able to perform the actions described.

adam commented 2025-12-29 18:33:10 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Sep 23, 2020):

Attempts to access the report section results in an Access Denied

I cannot replicate this behavior on v2.9.3. Logged in as a user with the extras.view_reportresult permission, I am able to view the reports list and individual reports. It is only the report results that return a permission denied error.

Also have the same issue described, plus the same issue with Scripts.

@ledgley different issue. Scripts require the extras.view_script permission.

@jeremystretch commented on GitHub (Sep 23, 2020): > Attempts to access the report section results in an Access Denied I cannot replicate this behavior on v2.9.3. Logged in as a user with the `extras.view_reportresult` permission, I am able to view the reports list and individual reports. It is only the report results that return a permission denied error. > Also have the same issue described, plus the same issue with Scripts. @ledgley different issue. Scripts require the `extras.view_script` permission.

adam commented 2025-12-29 18:33:10 +01:00

Author

Owner

Copy Link

@mobarre commented on GitHub (Sep 23, 2020):

Could this be due to the migration script moving from the old permission system to the new ? (although I doubt it can be as I tested with a newly created user and newly created groups too).

@mobarre commented on GitHub (Sep 23, 2020): Could this be due to the migration script moving from the old permission system to the new ? (although I doubt it can be as I tested with a newly created user and newly created groups too).

adam commented 2025-12-29 18:33:10 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Sep 23, 2020):

@mobarre Nah, it's just a bug in the view. The view is looking for extras.view_report as opposed to extras.view_reportresult. I'll fix this for v2.9.x, however note that we're currently planning to merge reports into scripts for v2.10 (see #4735).

@jeremystretch commented on GitHub (Sep 23, 2020): @mobarre Nah, it's just a bug in the view. The view is looking for `extras.view_report` as opposed to `extras.view_reportresult`. I'll fix this for v2.9.x, however note that we're currently planning to merge reports into scripts for v2.10 (see #4735).

adam commented 2025-12-29 18:33:10 +01:00

Author

Owner

Copy Link

@rebortg commented on GitHub (Sep 23, 2020):

i say here this is the case but i was confused and the PR c0b94e4e8e don't fix this issue.
i try it at the moment with the current develop branch.
The correct permission string must be extras.view_report not extras.view_reportresult
reportresult shouldn't be there as a contenttype i bet if one of you, who can set this permission, a python manage.py remove_stale_contenttypes will remove this contenttype.

on a fresh 2.9.3 this are the list of contenttypes in the DB:

>>> from django.contrib.contenttypes.models import ContentType
>>> for c in ContentType.objects.filter(app_label='extras'):
...     c
...
<ContentType: extras | report>
<ContentType: extras | export template>
<ContentType: extras | graph>
<ContentType: extras | custom field>
<ContentType: extras | custom field choice>
<ContentType: extras | custom field value>
<ContentType: extras | image attachment>
<ContentType: extras | webhook>
<ContentType: extras | object change>
<ContentType: extras | config context>
<ContentType: extras | tag>
<ContentType: extras | tagged item>
<ContentType: extras | custom link>
<ContentType: extras | script>
<ContentType: extras | job result>```

@rebortg commented on GitHub (Sep 23, 2020): i say [here](https://github.com/netbox-community/netbox/issues/5066) this is the case but i was confused and the PR https://github.com/netbox-community/netbox/commit/c0b94e4e8e861c0287e1a45be95211d1ec50e78a don't fix this issue. i try it at the moment with the current develop branch. The correct permission string must be `extras.view_report` not `extras.view_reportresult` `reportresult` shouldn't be there as a contenttype i bet if one of you, who can set this permission, a `python manage.py remove_stale_contenttypes` will remove this contenttype. on a fresh 2.9.3 this are the list of contenttypes in the DB: ```python manage.py nbshell >>> from django.contrib.contenttypes.models import ContentType >>> for c in ContentType.objects.filter(app_label='extras'): ... c ... <ContentType: extras | report> <ContentType: extras | export template> <ContentType: extras | graph> <ContentType: extras | custom field> <ContentType: extras | custom field choice> <ContentType: extras | custom field value> <ContentType: extras | image attachment> <ContentType: extras | webhook> <ContentType: extras | object change> <ContentType: extras | config context> <ContentType: extras | tag> <ContentType: extras | tagged item> <ContentType: extras | custom link> <ContentType: extras | script> <ContentType: extras | job result>```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label status: accepted type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#4105