Permissions bug for creating virtual interfaces through API #4524

New Issue

Closed

opened 2025-12-29 18:36:57 +01:00 by adam · 6 comments

adam commented 2025-12-29 18:36:57 +01:00

Owner

Copy Link

Originally created by @RobertH1993 on GitHub (Feb 2, 2021).

Environment

• Python version: 3.9.1
• NetBox version: v2.9.10

Steps to Reproduce

1. Create user without superuser status.
2. Add API token to this user.
3. Try to create a virtual interface through api:
   curl -X POST -H "Authorization: Token " -H "Content-Type: application/json" --data '{virtual_machine: "549", name: "test", enabled: true}' https://ipam./api/virtualization/interfaces/
4. Get permission denied error:
   {"detail":"You do not have permission to perform this action."}
5. Verify that all permissions are enabled for the user this token belongs to, they are.
6. Enable superuser privileges on this user and try again, interface gets created.

Expected Behavior

I expected the interface to be created when my user with valid access token sends an API request to create one.

Observed Behavior

I got a permission denied error.

Originally created by @RobertH1993 on GitHub (Feb 2, 2021). <!-- NOTE: IF YOUR ISSUE DOES NOT FOLLOW THIS TEMPLATE, IT WILL BE CLOSED. This form is only for reporting reproducible bugs. If you need assistance with NetBox installation, or if you have a general question, please start a discussion instead: https://github.com/netbox-community/netbox/discussions Please describe the environment in which you are running NetBox. Be sure that you are running an unmodified instance of the latest stable release before submitting a bug report, and that any plugins have been disabled. --> ### Environment * Python version: 3.9.1 * NetBox version: v2.9.10 <!-- Describe in detail the exact steps that someone else can take to reproduce this bug using the current stable release of NetBox. Begin with the creation of any necessary database objects and call out every operation being performed explicitly. If reporting a bug in the REST API, be sure to reconstruct the raw HTTP request(s) being made: Don't rely on a client library such as pynetbox. --> ### Steps to Reproduce 1. Create user without superuser status. 2. Add API token to this user. 3. Try to create a virtual interface through api: curl -X POST -H "Authorization: Token <CENSORED> " -H "Content-Type: application/json" --data '{virtual_machine: "549", name: "test", enabled: true}' https://ipam.<CENSORED>/api/virtualization/interfaces/ 4. Get permission denied error: {"detail":"You do not have permission to perform this action."} 5. Verify that all permissions are enabled for the user this token belongs to, they are. 6. Enable superuser privileges on this user and try again, interface gets created. <!-- What did you expect to happen? --> ### Expected Behavior I expected the interface to be created when my user with valid access token sends an API request to create one. <!-- What happened instead? --> ### Observed Behavior I got a permission denied error.

adam closed this issue 2025-12-29 18:36:57 +01:00

adam commented 2025-12-29 18:36:58 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Feb 2, 2021):

It looks like you skipped assigning permissions to the user account. Just adding a REST API token isn't sufficient. Please add the necessary the permission (virtualization > interface in the admin UI) to add VM interfaces to the user and re-test.

@jeremystretch commented on GitHub (Feb 2, 2021): It looks like you skipped assigning permissions to the user account. Just adding a REST API token isn't sufficient. Please add the necessary the permission (`virtualization > interface` in the admin UI) to add VM interfaces to the user and re-test.

adam commented 2025-12-29 18:36:58 +01:00

Author

Owner

Copy Link

@chriswolske commented on GitHub (Apr 19, 2021):

We had the same issue when trying to add virtual interfaces via the web; is this a new permission, or is it possible that the permission was not carried forward properly though an upgrade? (I'm new to netbox, and my team is telling me that they were able to create the virtual interfaces before we upgraded)

@chriswolske commented on GitHub (Apr 19, 2021): We had the same issue when trying to add virtual interfaces via the web; is this a new permission, or is it possible that the permission was not carried forward properly though an upgrade? (I'm new to netbox, and my team is telling me that they were able to create the virtual interfaces before we upgraded)

adam commented 2025-12-29 18:36:58 +01:00

Author

Owner

Copy Link

@The-Only-God commented on GitHub (May 31, 2021):

I confirm that there is impossible to add virtualizaion.interface permission from web.
Workaround: superuser for API account

@The-Only-God commented on GitHub (May 31, 2021): I confirm that there is impossible to add virtualizaion.interface permission from web. Workaround: superuser for API account

adam commented 2025-12-29 18:36:58 +01:00

Author

Owner

Copy Link

@dsobon commented on GitHub (Jun 11, 2021):

The problem exists regardless via API or web UI.
If the user is not "Global Admin",

1. Web UI shows "Virtualization" > "Interface" as grayed out and click returns "You do not have permission to view this page"
2. API call returns "You do not have permission to perform this action."

@dsobon commented on GitHub (Jun 11, 2021): The problem exists regardless via API or web UI. If the user is not "Global Admin", 1) Web UI shows "Virtualization" > "Interface" as grayed out and click returns "You do not have permission to view this page" 2) API call returns "You do not have permission to perform this action."

adam commented 2025-12-29 18:36:58 +01:00

Author

Owner

Copy Link

@RobertH1993 commented on GitHub (Jun 11, 2021):

Yeah to add to this, the problem started when I did an upgrade for netbox the permission was not present a version earlier and on update the permission was not granted to the user.

@RobertH1993 commented on GitHub (Jun 11, 2021): Yeah to add to this, the problem started when I did an upgrade for netbox the permission was not present a version earlier and on update the permission was not granted to the user.

adam commented 2025-12-29 18:36:58 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jun 14, 2021):

This bug was reported for a very old release, and has since been closed due to a lack of reply from the original poster. If you would like to report a similar bug, please submit a new bug report including the detailed steps that can be taken on the current release to reproduced the reported behavior. No further work will be done under this bug report.

@jeremystretch commented on GitHub (Jun 14, 2021): This bug was reported for a very old release, and has since been closed due to a lack of reply from the original poster. If you would like to report a similar bug, please submit a new bug report including the detailed steps that can be taken on the current release to reproduced the reported behavior. No further work will be done under this bug report.

adam referenced this issue 2025-12-29 22:24:03 +01:00

[PR #4524] [MERGED] Fixes #4139: Extend forms for bulk device component creation #12865

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#4524