Broken Report permission constraint queryset processing #4222

Closed
opened 2025-12-29 18:33:58 +01:00 by adam · 3 comments

Originally created by @jokvar on GitHub (Oct 28, 2020).

Environment

  • Python version: 3.7.3
  • NetBox version: 2.9.4

Steps to Reproduce

  1. Create a report and place it in your configured reports root (default is netbox/netbox/reports). It does not need to do anything particular, simply must be correctly formatted.
  2. Attempt to create a permission to run only the created report for a given user. Admin > Permissions > Add. Specify any name, enable it, tick the "Can view" permission and add "run" to the "Additional actions" field. In "Object types" select "extras > report". In "Assignment", select your user.
    So far so good, the user can now view and run any report.
  3. In the "constraints" field, specify { "name" : "reportName" }. Any valid JSON will work, but fields can be whatever, since we are after the helpful error message. Select save and you will be greeted with the error Invalid filter for <class 'extras.models.models.Report'>: Cannot resolve keyword 'A' into field. Choices are: id .
  4. Navigate to /api/extras/reports and you will note that the "id" field of each report is the filename and class name. In my case these are UpdateVlan.UpdateFromRouter. Note down your report id, and update the "constraints" accordingly. In my case this was {"id": "UpdateVlan.UpdateFromRouter"}. Save your permission.

Expected Behavior

The permission is saved successfully, user can only see and run the report with the specified id.

Observed Behavior

Server error.

<class 'ValueError'>

Field 'id' expected a number but got 'UpdateVlan.UpdateFromRouter'.

Python version: 3.7.3
NetBox version: 2.9.4

I don't think a debug dump is necessary to see this is a simple edge case for the object filtering of permission management. Since reports are not saved in the database, some additional logic is needed to give more choices regarding report querying, as according to /api/docs it seems currently there is no filtering available for report queries.

Note

Out of curiosity, I tried specifying a random integer as the "id", e.g.: {" id" : "0" }, which resulted in a Django ProgrammingError:

<class 'django.db.utils.ProgrammingError'>

relation "extras_report" does not exist
LINE 1: SELECT (1) AS "a" FROM "extras_report" WHERE "extras_report"...
                               ^

Python version: 3.7.3
NetBox version: 2.9.4
adam closed this issue 2025-12-29 18:33:58 +01:00

@jeremystretch commented on GitHub (Oct 28, 2020):

The exception is raised because reports (also scripts) are not models, so constraints cannot be used. We can add validation logic to catch these errors, but note that enforcing constraints for non-model classes is not possible. (You can, of course, modify your report or script to control who may execute it.)
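The save-time validation mentioned in the comment above could look like the following. This is an added example, not NetBox's code: `ObjectType`, `validate_constraints` and the sample field maps are hypothetical stand-ins. It rejects a constraint before the permission is saved when the object type has no database table, names an unknown field, or carries a value of the wrong type.

```python
from dataclasses import dataclass


@dataclass
class ObjectType:
    """Constructed stand-in for a permission object type (hypothetical, not NetBox's API)."""
    label: str
    db_backed: bool   # False for file-based classes such as reports and scripts
    fields: dict      # field name -> Python type a filter value must have


def validate_constraints(object_types, constraints):
    """Return error strings; an empty list means the constraints can be enforced."""
    if not constraints:
        return []
    if not isinstance(constraints, dict):
        return ["constraints must be a JSON object"]
    errors = []
    for ot in object_types:
        if not ot.db_backed:
            # No table to filter on, so report it before the permission is saved.
            errors.append(f"{ot.label}: not a database model, constraints cannot be enforced")
            continue
        for key, value in constraints.items():
            name, _, lookup = key.partition("__")   # split off a lookup such as __in
            expected = ot.fields.get(name)
            if expected is None:
                errors.append(f"{ot.label}: unknown field {name!r}")
            elif not lookup:
                bad_bool = isinstance(value, bool) and expected is not bool
                if bad_bool or not isinstance(value, expected):
                    errors.append(f"{ot.label}: field {name!r} expects "
                                  f"{expected.__name__}, got {type(value).__name__}")
    return errors


# Constructed sample object types mirroring the cases in this issue.
REPORT = ObjectType("extras.report", db_backed=False, fields={"id": int})
SITE = ObjectType("dcim.site", db_backed=True, fields={"id": int, "name": str})

if __name__ == "__main__":
    for types, c in [([REPORT], {"id": "UpdateVlan.UpdateFromRouter"}),
                     ([REPORT], {"id": 0}),
                     ([SITE], {"name": "DC1"}),
                     ([SITE], {"id": "abc"})]:
        print(c, "->", validate_constraints(types, c) or "ok")
```

Rejecting the constraint outright, instead of saving it and ignoring it, keeps an administrator from believing a user is limited to one report when the permission still covers all of them.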


@jokvar commented on GitHub (Oct 28, 2020):

I see. How can I access the user('s name) who sent the request to run the script from inside the Report?


@DanSheps commented on GitHub (Oct 28, 2020):

Thank you for your interest in NetBox. GitHub issues are intended for reporting reproducible bugs and requesting features, and must be submitted using one of the templates provided here (https://github.com/netbox-community/netbox/issues/new/choose). For general discussion, questions, or assistance with installation issues, please post to our mailing list (https://groups.google.com/forum/#!forum/netbox-discuss) instead.
