starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

permissions are not respected with /dcim/connected-device api #5241

New Issue
Closed
opened 2025-12-29 19:25:47 +01:00 by adam · 3 comments
adam commented 2025-12-29 19:25:47 +01:00
Owner
Copy Link

Originally created by @sthiriet on GitHub (Aug 27, 2021).

Originally assigned to: @jeremystretch, @xraurp on GitHub.

NetBox version

v2.11.12

Python version

3.8

Steps to Reproduce

  1. Enable permissions
  2. As admin, create objects required to have data returned by API /dcim/connected-device (devices, interfaces, cables,...)
  3. As admin, create a user with no permissions or only on virtualization->cluster for example
  4. Use this user to call GET ​/dcim​/connected-device​/ API with correct parameters
curl -X GET "https://demo.netbox.dev/api/dcim/connected-device/?peer_device=dmi01-akron-sw01&peer_interface=GigabitEthernet1%2F0%2F1" -H  "accept: application/json" -H "Authorization: ....."

Expected Behavior

As user has no permission on dcim, nothing should be returned, but hard to say what should be the necessary permissions.

Observed Behavior

response body contains data that user should probably not be able to access:

{
  "id": 1,
  "url": "https://demo.netbox.dev/api/dcim/devices/1/",
  "display": "dmi01-akron-rtr01",
  "name": "dmi01-akron-rtr01",
  "display_name": "dmi01-akron-rtr01",
  "device_type": {
    "id": 6,
    "url": "https://demo.netbox.dev/api/dcim/device-types/6/",
    "display": "ISR 1111-8P",
    "manufacturer": {
      "id": 3,
      "url": "https://demo.netbox.dev/api/dcim/manufacturers/3/",
      "display": "Cisco",
      "name": "Cisco",
      "slug": "cisco"
    },
    "model": "ISR 1111-8P",
    "slug": "isr1111",
    "display_name": "Cisco ISR 1111-8P"
  },
  "device_role": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/device-roles/1/",
    "display": "Router",
    "name": "Router",
    "slug": "router"
  },
  "tenant": {
    "id": 5,
    "url": "https://demo.netbox.dev/api/tenancy/tenants/5/",
    "display": "Dunder-Mifflin, Inc.",
    "name": "Dunder-Mifflin, Inc.",
    "slug": "dunder-mifflin"
  },
  "platform": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/platforms/1/",
    "display": "Cisco IOS",
    "name": "Cisco IOS",
    "slug": "cisco-ios"
  },
  "serial": "",
  "asset_tag": null,
  "site": {
    "id": 2,
    "url": "https://demo.netbox.dev/api/dcim/sites/2/",
    "display": "DM-Akron",
    "name": "DM-Akron",
    "slug": "dm-akron"
  },
  "location": null,
  "rack": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/racks/1/",
    "display": "Comms closet",
    "name": "Comms closet",
    "display_name": "Comms closet"
  },
  "position": 4,
  "face": {
    "value": "front",
    "label": "Front"
  },
  "parent_device": null,
  "status": {
    "value": "active",
    "label": "Active"
  },
  "primary_ip": null,
  "primary_ip4": null,
  "primary_ip6": null,
  "cluster": null,
  "virtual_chassis": null,
  "vc_position": null,
  "vc_priority": null,
  "comments": "",
  "local_context_data": null,
  "tags": [],
  "custom_fields": {},
  "created": "2020-12-20",
  "last_updated": "2020-12-20T02:51:03.257000Z"
}
Originally created by @sthiriet on GitHub (Aug 27, 2021). Originally assigned to: @jeremystretch, @xraurp on GitHub. ### NetBox version v2.11.12 ### Python version 3.8 ### Steps to Reproduce 1. Enable permissions 2. As admin, create objects required to have data returned by API /dcim/connected-device (devices, interfaces, cables,...) 3. As admin, create a user with no permissions or only on virtualization->cluster for example 4. Use this user to call GET ​/dcim​/connected-device​/ API with correct parameters ``` curl -X GET "https://demo.netbox.dev/api/dcim/connected-device/?peer_device=dmi01-akron-sw01&peer_interface=GigabitEthernet1%2F0%2F1" -H "accept: application/json" -H "Authorization: ....." ``` ### Expected Behavior As user has no permission on dcim, nothing should be returned, but hard to say what should be the necessary permissions. ### Observed Behavior response body contains data that user should probably not be able to access: ```json { "id": 1, "url": "https://demo.netbox.dev/api/dcim/devices/1/", "display": "dmi01-akron-rtr01", "name": "dmi01-akron-rtr01", "display_name": "dmi01-akron-rtr01", "device_type": { "id": 6, "url": "https://demo.netbox.dev/api/dcim/device-types/6/", "display": "ISR 1111-8P", "manufacturer": { "id": 3, "url": "https://demo.netbox.dev/api/dcim/manufacturers/3/", "display": "Cisco", "name": "Cisco", "slug": "cisco" }, "model": "ISR 1111-8P", "slug": "isr1111", "display_name": "Cisco ISR 1111-8P" }, "device_role": { "id": 1, "url": "https://demo.netbox.dev/api/dcim/device-roles/1/", "display": "Router", "name": "Router", "slug": "router" }, "tenant": { "id": 5, "url": "https://demo.netbox.dev/api/tenancy/tenants/5/", "display": "Dunder-Mifflin, Inc.", "name": "Dunder-Mifflin, Inc.", "slug": "dunder-mifflin" }, "platform": { "id": 1, "url": "https://demo.netbox.dev/api/dcim/platforms/1/", "display": "Cisco IOS", "name": "Cisco IOS", "slug": "cisco-ios" }, "serial": "", "asset_tag": null, "site": { "id": 2, "url": "https://demo.netbox.dev/api/dcim/sites/2/", "display": "DM-Akron", "name": "DM-Akron", "slug": "dm-akron" }, "location": null, "rack": { "id": 1, "url": "https://demo.netbox.dev/api/dcim/racks/1/", "display": "Comms closet", "name": "Comms closet", "display_name": "Comms closet" }, "position": 4, "face": { "value": "front", "label": "Front" }, "parent_device": null, "status": { "value": "active", "label": "Active" }, "primary_ip": null, "primary_ip4": null, "primary_ip6": null, "cluster": null, "virtual_chassis": null, "vc_position": null, "vc_priority": null, "comments": "", "local_context_data": null, "tags": [], "custom_fields": {}, "created": "2020-12-20", "last_updated": "2020-12-20T02:51:03.257000Z" } ```
adam added the status: acceptedtype: feature labels 2025-12-29 19:25:47 +01:00
adam closed this issue 2025-12-29 19:25:47 +01:00
adam commented 2025-12-29 19:25:48 +01:00
Author
Owner
Copy Link

@xraurp commented on GitHub (Oct 4, 2021):

I wonder why this is not a bug. Other endpoints like /api/dcim/devices/ requires user permissions even if LOGIN_REQUIRED is false. Why this one should be left unsecured?

I guess the correct permissions should be dcim.view_device and dcim.view_interface because device and interface are passed in as query parameters. Other endpoints requires permissions based on parameters. For example the /api/dcim/devices/ takes device id as parameter and requires dcim.view_device.
Endpoint should respect permissions at least when LOGIN_REQUIRED is True.
Correct me if I'm mistaken.

@xraurp commented on GitHub (Oct 4, 2021): I wonder why this is not a bug. Other endpoints like /api/dcim/devices/ requires user permissions even if LOGIN_REQUIRED is false. Why this one should be left unsecured? I guess the correct permissions should be dcim.view_device and dcim.view_interface because device and interface are passed in as query parameters. Other endpoints requires permissions based on parameters. For example the /api/dcim/devices/ takes device id as parameter and requires dcim.view_device. Endpoint should respect permissions at least when LOGIN_REQUIRED is True. Correct me if I'm mistaken.
adam commented 2025-12-29 19:25:48 +01:00
Author
Owner
Copy Link

@xraurp commented on GitHub (Oct 4, 2021):

I have fix for this, assign me and I'll create pull request.

@xraurp commented on GitHub (Oct 4, 2021): I have fix for this, assign me and I'll create pull request.
adam commented 2025-12-29 19:25:48 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Oct 7, 2021):

After some digging, it's clear there's a bit more work needed on this endpoint. I'm going to merge a fix to both improve permissions handling and to avoid raising an exception when the connected object is not a device. Thanks @xraurp!

@jeremystretch commented on GitHub (Oct 7, 2021): After some digging, it's clear there's a bit more work needed on this endpoint. I'm going to merge a fix to both improve permissions handling and to avoid raising an exception when the connected object is not a device. Thanks @xraurp!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label status: accepted type: feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#5241
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?