starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

superuser does not have rights to create/delete Config Revisions #5965

New Issue
Closed
opened 2025-12-29 19:34:59 +01:00 by adam · 6 comments
adam commented 2025-12-29 19:34:59 +01:00
Owner
Copy Link

Originally created by @candlerb on GitHub (Jan 19, 2022).

NetBox version

v3.1.6

Python version

3.8

Steps to Reproduce

  1. Login as an admin user (with superuser flag), but nothing linked to this user at /admin/users/objectpermission/
  2. Go to Admin > Admin > Config Revisions, Add (path: /admin/extras/configrevision/add/)
  3. Notice that most boxes are greyed out and cannot be edited, although "Comment" is editable
  4. Save
  5. In the list of config revisions, check the checkbox next to the config revision you just created
  6. Select "Delete selected config revisions" and click "Go"

Expected Behavior

I should be able to create a new config revision with chosen values.
I should be able to delete the config revision.

Observed Behavior

On creation, only the "Comment" field is editable.
Deletion is forbidden:

image

Originally created by @candlerb on GitHub (Jan 19, 2022). ### NetBox version v3.1.6 ### Python version 3.8 ### Steps to Reproduce 1. Login as an admin user (with superuser flag), but nothing linked to this user at `/admin/users/objectpermission/` 2. Go to Admin > Admin > Config Revisions, Add (path: `/admin/extras/configrevision/add/`) 3. Notice that most boxes are greyed out and cannot be edited, although "Comment" is editable 4. Save 5. In the list of config revisions, check the checkbox next to the config revision you just created 6. Select "Delete selected config revisions" and click "Go" ### Expected Behavior I should be able to create a new config revision with chosen values. I should be able to delete the config revision. ### Observed Behavior On creation, only the "Comment" field is editable. Deletion is forbidden: ![image](https://user-images.githubusercontent.com/44789/150149403-cbbd619f-b7b7-4cf6-9a4d-b53710ada90c.png)
adam added the type: bugstatus: under review labels 2025-12-29 19:34:59 +01:00
adam closed this issue 2025-12-29 19:34:59 +01:00
adam commented 2025-12-29 19:34:59 +01:00
Author
Owner
Copy Link

@candlerb commented on GitHub (Jan 19, 2022):

I tried the following workaround, but it didn't make a difference:

  • Permissions, Add
  • Name: "Issue 8387"
  • Check "Can Change", "Can Delete"
  • Object types: Extras > config revision
  • Assignment: select the relevant username(s) or groups(s) and move to right
  • Save
  • Log out and log back in

I still get the same error when trying to delete a config revision, and the template for creating a new one has most boxes greyed out.

@candlerb commented on GitHub (Jan 19, 2022): I tried the following workaround, but it didn't make a difference: * Permissions, Add * Name: "Issue 8387" * Check "Can Change", "Can Delete" * Object types: Extras > config revision * Assignment: select the relevant username(s) or groups(s) and move to right * Save * Log out and log back in I still get the same error when trying to delete a config revision, and the template for creating a new one has most boxes greyed out.
adam commented 2025-12-29 19:34:59 +01:00
Author
Owner
Copy Link

@candlerb commented on GitHub (Jan 19, 2022):

By comparing my system to demo.netbox.dev, I found some of the answers.

  1. my settings.py had CUSTOM_VALIDATORS={} in it, which was preventing that field from being edited - although the label (defined statically) was not shown in the display. By removing it, I can edit that field.
  2. if I create a second config object and attempt to delete only the first, it works. It seems you cannot delete the config revision which is active - even though the error message says something different ("your account doesn't have permission to delete the following types of objects")

So this may be working as intended, although I see no way to return to having zero config revisions once you've created one.

@candlerb commented on GitHub (Jan 19, 2022): By comparing my system to demo.netbox.dev, I found some of the answers. 1. my settings.py had `CUSTOM_VALIDATORS={}` in it, which was preventing that field from being edited - although the label `(defined statically)` was not shown in the display. By removing it, I can edit that field. 2. if I create a second config object and attempt to delete only the first, it works. It seems you cannot delete the config revision which is active - even though the error message says something different ("your account doesn't have permission to delete the following types of objects") So this may be working as intended, although I see no way to return to having zero config revisions once you've created one.
adam commented 2025-12-29 19:35:00 +01:00
Author
Owner
Copy Link

@candlerb commented on GitHub (Jan 19, 2022):

I found the reason for missing (defined statically):

        for param in PARAMS:
            value = getattr(config, param.name)
            is_static = hasattr(settings, param.name)
>>          if value:
                help_text = self.fields[param.name].help_text
                if help_text:
                    help_text += '<br />'  # Line break
                help_text += f'Current value: <strong>{value}</strong>'
>>              if is_static:
                    help_text += ' (defined statically)'

"if value" doesn't trigger if the value provided is empty like {}. If think the if is_static test still needs to be done, even if the current value is empty. (And probably the help text should be displayed anyway)

@candlerb commented on GitHub (Jan 19, 2022): I found the reason for missing `(defined statically)`: ``` for param in PARAMS: value = getattr(config, param.name) is_static = hasattr(settings, param.name) >> if value: help_text = self.fields[param.name].help_text if help_text: help_text += '<br />' # Line break help_text += f'Current value: <strong>{value}</strong>' >> if is_static: help_text += ' (defined statically)' ``` "if value" doesn't trigger if the value provided is empty like `{}`. If think the `if is_static` test still needs to be done, even if the current value is empty. (And probably the help text should be displayed anyway)
adam commented 2025-12-29 19:35:00 +01:00
Author
Owner
Copy Link

@candlerb commented on GitHub (Jan 19, 2022):

I also see that the statically-configured NAPALM_PASSWORD is displayed here in clear text, which I wasn't expecting (although it's arguably not a major problem since it's limited to superusers). Also it seems to me that values should be HTML-escaped.

How about this:

from django.utils.html import escape
...
        for param in PARAMS:
            value = getattr(config, param.name)
            is_static = hasattr(settings, param.name)
            extra_text = ''
            if value and 'PASSWORD' not in param.name:
                extra_text += f'Current value: <strong>{escape(value)}</strong>'
            if is_static:
                extra_text += ' (defined statically)'
                self.fields[param.name].disabled = True
            elif value == param.default:
                extra_text += ' (default)'
            help_text = self.fields[param.name].help_text or ""
            if extra_text:
                if help_text:
                    help_text += '<br />'
                help_text += extra_text
            self.fields[param.name].help_text = help_text

This now displays "(statically defined)" for fields which are empty (e.g. login banner) or null (e.g. napalm arguments) but defined as such in configuration.py

@candlerb commented on GitHub (Jan 19, 2022): I also see that the statically-configured NAPALM_PASSWORD is displayed here in clear text, which I wasn't expecting (although it's arguably not a major problem since it's limited to superusers). Also it seems to me that values should be HTML-escaped. How about this: ``` from django.utils.html import escape ... for param in PARAMS: value = getattr(config, param.name) is_static = hasattr(settings, param.name) extra_text = '' if value and 'PASSWORD' not in param.name: extra_text += f'Current value: <strong>{escape(value)}</strong>' if is_static: extra_text += ' (defined statically)' self.fields[param.name].disabled = True elif value == param.default: extra_text += ' (default)' help_text = self.fields[param.name].help_text or "" if extra_text: if help_text: help_text += '<br />' help_text += extra_text self.fields[param.name].help_text = help_text ``` This now displays "(statically defined)" for fields which are empty (e.g. login banner) or null (e.g. napalm arguments) but defined as such in configuration.py
adam commented 2025-12-29 19:35:00 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Jan 24, 2022):

I should be able to create a new config revision with chosen values.

You can, however any configuration parameter that is statically defined in configuration.py will be disabled. Removing these values from configuration.py and restarting the NetBox service will permit their modification via the admin UI.

I should be able to delete the config revision.

The currently active config revision cannot be deleted. This is a safeguard to prevent the current configuration from being deleted erroneously and returning the installation to an entirely default config.

@jeremystretch commented on GitHub (Jan 24, 2022): > I should be able to create a new config revision with chosen values. You can, however any configuration parameter that is statically defined in `configuration.py` will be disabled. Removing these values from `configuration.py` and restarting the NetBox service will permit their modification via the admin UI. > I should be able to delete the config revision. The currently active config revision cannot be deleted. This is a safeguard to prevent the current configuration from being deleted erroneously and returning the installation to an entirely default config.
adam commented 2025-12-29 19:35:00 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Mar 1, 2022):

I'm going to close this as I don't believe there's any action to be taken.

@jeremystretch commented on GitHub (Mar 1, 2022): I'm going to close this as I don't believe there's any action to be taken.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label status: under review type: bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#5965
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?