mirror of
https://github.com/netbox-community/netbox.git
synced 2026-01-11 21:10:29 +01:00
Restore API ability to query all choices via a client without write permissions #4281
Closed
opened 2025-12-29 18:34:23 +01:00 by adam
·
12 comments
No Branch/Tag Specified
main
update-changelog-comments-docs
feature-removal-issue-type
20911-dropdown
20239-plugin-menu-classes-mutable-state
21097-graphql-id-lookups
feature
fix_module_substitution
20923-dcim-templates
20044-elevation-stuck-lightmode
feature-ip-prefix-link
v4.5-beta1-release
20068-import-moduletype-attrs
20766-fix-german-translation-code-literals
20378-del-script
7604-filter-modifiers-v3
circuit-swap
12318-case-insensitive-uniqueness
20637-improve-device-q-filter
20660-script-load
19724-graphql
20614-update-ruff
14884-script
02496-max-page
19720-macaddress-interface-generic-relation
19408-circuit-terminations-export-templates
20203-openapi-check
fix-19669-api-image-download
7604-filter-modifiers
19275-fixes-interface-bulk-edit
fix-17794-get_field_value_return_list
11507-show-aggregate-and-rir-on-api
9583-add_column_specific_search_field_to_tables
v4.5.0
v4.4.10
v4.4.9
v4.5.0-beta1
v4.4.8
v4.4.7
v4.4.6
v4.4.5
v4.4.4
v4.4.3
v4.4.2
v4.4.1
v4.4.0
v4.3.7
v4.4.0-beta1
v4.3.6
v4.3.5
v4.3.4
v4.3.3
v4.3.2
v4.3.1
v4.3.0
v4.2.9
v4.3.0-beta2
v4.2.8
v4.3.0-beta1
v4.2.7
v4.2.6
v4.2.5
v4.2.4
v4.2.3
v4.2.2
v4.2.1
v4.2.0
v4.1.11
v4.1.10
v4.1.9
v4.1.8
v4.2-beta1
v4.1.7
v4.1.6
v4.1.5
v4.1.4
v4.1.3
v4.1.2
v4.1.1
v4.1.0
v4.0.11
v4.0.10
v4.0.9
v4.1-beta1
v4.0.8
v4.0.7
v4.0.6
v4.0.5
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.7.8
v3.7.7
v4.0-beta2
v3.7.6
v3.7.5
v4.0-beta1
v3.7.4
v3.7.3
v3.7.2
v3.7.1
v3.7.0
v3.6.9
v3.6.8
v3.6.7
v3.7-beta1
v3.6.6
v3.6.5
v3.6.4
v3.6.3
v3.6.2
v3.6.1
v3.6.0
v3.5.9
v3.6-beta2
v3.5.8
v3.6-beta1
v3.5.7
v3.5.6
v3.5.5
v3.5.4
v3.5.3
v3.5.2
v3.5.1
v3.5.0
v3.4.10
v3.4.9
v3.5-beta2
v3.4.8
v3.5-beta1
v3.4.7
v3.4.6
v3.4.5
v3.4.4
v3.4.3
v3.4.2
v3.4.1
v3.4.0
v3.3.10
v3.3.9
v3.4-beta1
v3.3.8
v3.3.7
v3.3.6
v3.3.5
v3.3.4
v3.3.3
v3.3.2
v3.3.1
v3.3.0
v3.2.9
v3.2.8
v3.3-beta2
v3.2.7
v3.3-beta1
v3.2.6
v3.2.5
v3.2.4
v3.2.3
v3.2.2
v3.2.1
v3.2.0
v3.1.11
v3.1.10
v3.2-beta2
v3.1.9
v3.2-beta1
v3.1.8
v3.1.7
v3.1.6
v3.1.5
v3.1.4
v3.1.3
v3.1.2
v3.1.1
v3.1.0
v3.0.12
v3.0.11
v3.0.10
v3.1-beta1
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.11.12
v3.0-beta2
v2.11.11
v2.11.10
v3.0-beta1
v2.11.9
v2.11.8
v2.11.7
v2.11.6
v2.11.5
v2.11.4
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.10
v2.10.9
v2.11-beta1
v2.10.8
v2.10.7
v2.10.6
v2.10.5
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.11
v2.10-beta2
v2.9.10
v2.10-beta1
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.9-beta2
v2.8.9
v2.9-beta1
v2.8.8
v2.8.7
v2.8.6
v2.8.5
v2.8.4
v2.8.3
v2.8.2
v2.8.1
v2.8.0
v2.7.12
v2.7.11
v2.7.10
v2.7.9
v2.7.8
v2.7.7
v2.7.6
v2.7.5
v2.7.4
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.12
v2.6.11
v2.6.10
v2.6.9
v2.7-beta1
Solcon-2020-01-06
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.13
v2.5.12
v2.6-beta1
v2.5.11
v2.5.10
v2.5.9
v2.5.8
v2.5.7
v2.5.6
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.9
v2.5-beta2
v2.4.8
v2.5-beta1
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.7
v2.4-beta1
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.10
v2.3-beta2
v2.2.9
v2.3-beta1
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.6
v2.2-beta2
v2.1.5
v2.2-beta1
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.10
v2.1-beta1
v2.0.9
v2.0.8
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v2.0-beta3
v1.9.6
v1.9.5
v2.0-beta2
v1.9.4-r1
v1.9.3
v2.0-beta1
v1.9.2
v1.9.1
v1.9.0-r1
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.3
v1.7.2-r1
v1.7.1
v1.7.0
v1.6.3
v1.6.2-r1
v1.6.1-r1
1.6.1
v1.6.0
v1.5.2
v1.5.1
v1.5.0
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.1
v1.3.0
v1.2.2
v1.2.1
v1.2.0
v1.1.0
v1.0.7-r1
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3-r1
v1.0.3
1.0.0
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/netbox#4281
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ajknv on GitHub (Nov 16, 2020).
Environment
Proposed Functionality
The API should expose endpoints that are fully functionally equivalent to the old "_choices" endpoints, in that they will return all of the available choices even when queried by a read-only client. The deprecation of the "_choices" endpoints was motivated by the purported claim that the OPTIONS queries could substitute for the existing behavior (https://github.com/netbox-community/netbox/issues/3416), however this is not true given that OPTIONS requests do not return valid information to clients without write permissions.
The simplest approach to addressing this situation therefore is of course to simply resurrect the _choices endpoints. issues/5351 If there are reasons why that is not preferred, a suggested alternative is to provide endpoints for the choice types that support GET requests and return responses equivalent to what _choices requests previously returned, as an example:
GET https:///api/dcim/cables/status"
Use Case
Clients implement abstraction wrappers that query for choices and encapsulate them in symbolic references. Those enum-reference objects can then internally handle mapping to actual choice values in later API queries (including as filters in read-only GET queries) or to do things like filter client-side on result sets. This avoids the need to spread constants around in client-side code, and/or maintain manual encodings inside code of all known choices -- which might change on upgrades to Netbox -- or to compromise security posture by giving clients write permissions that aren't otherwise needed.
Database Changes
None.
External Dependencies
None.
@sdktr commented on GitHub (Nov 16, 2020):
Would allowing OPTION queries for read only clients suffice? (I'm blindly assuming that a user needs write access for this ATM, as you're stating)
@ajknv commented on GitHub (Nov 16, 2020):
Technically the OPTION queries are "allowed" to a read-only client, it's just that they don't return any information about the choices in the response payload -- namely the choices information is only made available under an ["actions"]["POST"] subkey, and that action, and thus key, is omitted for a read-only client. BTW -- I know this from direct comparison of requests using tokens for a read-only user vs a write-enabled user.
So if the choices information could be allowed (in the sense of made available) via response content delivered under a different subkey -- the obvious candidate would be ["actions"]["GET"] -- then yes that would solve the problem. The output of the queries using a read-only token (which contain no "actions" subkeys) suggest that such a key doesn't even theoretically exist, though.
@jeremystretch commented on GitHub (Nov 16, 2020):
An
OPTIONSrequest returns the specific actions permissible for the authenticated client. For example, it would returnPATCHbut notPOSTif the current user has permission to modify but not create records. This is valuable information for the API client, so the existing behavior must remain intact.@candlerb commented on GitHub (Nov 27, 2020):
On a system that permits read-only access to unauthenticated users, it does seem odd that:
curl localhost/api/dcim/interfaces/returns all the interfacescurl -XOPTIONS localhost/api/dcim/interfaces/doesn't return the choices data:To see the available interface choices, I have to provide a valid API token.
It's odd because case (1) is the "valuable" data, which I'm happy not to restrict. The choices (2) are nothing more than generic information that I could get from any Netbox installation, or the source code, and yet they are restricted.
@jeremystretch commented on GitHub (Nov 30, 2020):
Right, because an unauthenticated user has no ability to write to this (or any) field, and thus has no choices: By design, an unauthenticated user cannot be permitted to make changes. Again, the API is informing the user of his options.
You can, but attempting to write them to a field will obviously fail.
Here's an example that might help clarify the constraint: Suppose a user has permission to create interfaces, but only with Ethernet types (by leveraging the object-based permissions introduce in v2.9). It would be helpful if an
OPTIONSrequest initiated by that user returned only the permitted types. By contrast, a user without this restriction would see all possible types. (This doesn't currently work, unfortunately, but it might be worth tackling.)@candlerb commented on GitHub (Nov 30, 2020):
My use case is: "As a developer, or as someone preparing a CSV file to be uploaded, I want to refer to documentation with a list of permitted interface types".
I can see all the API documentation under
/api/docs/, but I can't see the allowed constants for the API unless I first authenticate to it.@candlerb commented on GitHub (Nov 30, 2020):
Update: when logged into the GUI, I do indeed see the Enum choices.
But this only shows the API values not the descriptions, and unfortunately, CSV upload only works with the descriptions.
@jeremystretch commented on GitHub (Nov 30, 2020):
That's perfectly valid for justifying some new functionality; e.g. a separate endpoint or other mechanism. I was just explaining why I believe the existing behavior for
OPTIONSrequests should remain intact.@candlerb commented on GitHub (Nov 30, 2020):
Agreed, and as the OP said, resurrecting the
_choicesendpoint would be one way to do that.@jeremystretch commented on GitHub (Dec 22, 2020):
Work on #5470 introduced a new custom MetaData class to support bulk update and delete operations. What we could do is tweak this to check for a specific request parameter (e.g.
?show_all=Trueor similar); if present, NetBox would return all supported actions regardless of the user's permissions.@stale[bot] commented on GitHub (Feb 6, 2021):
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.
@stale[bot] commented on GitHub (Feb 22, 2021):
This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.