Controlling user creation of tokens #5988

Closed
opened 2025-12-29 19:35:23 +01:00 by adam · 1 comment
Originally created by @candlerb on GitHub (Jan 23, 2022).

Originally assigned to: @jeremystretch on GitHub.

Change Type

Correction

Area

REST API

Proposed Changes

The documentation (https://netbox.readthedocs.io/en/stable/rest-api/authentication/#tokens) says:

The creation and modification of API tokens can be restricted per user by an administrator.

However, it doesn't say how this is controlled, and I've been unable to find out how.

As admin, I created a completely unprivileged user ("Active" but no object permissions), and when logged in, it was able to create its own tokens.

I cannot see any setting at /admin/auth/user/<N>/change/ which would control this.

Looking at the source code (https://github.com/netbox-community/netbox/blob/v3.1.6/netbox/users/views.py#L214-L259), I can see nothing which prevents an individual user from creating their own token, as long as they are logged in:

    path('api-tokens/add/', views.TokenEditView.as_view(), name='token_add'),

    class TokenEditView(LoginRequiredMixin, View):
        ...
        def post(self, request, pk=None):

            if pk:
                token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
                form = TokenForm(request.POST, instance=token)
            else:
                token = Token(user=request.user)
                form = TokenForm(request.POST)

            if form.is_valid():
                token = form.save(commit=False)
                token.user = request.user
                token.save()

Therefore I propose either:

  • Update the documentation to say how the per-user restriction of token creation is actually done, if it's true; or
  • Remove this note if it's not true; or
  • Implement the functionality, if it's not currently implemented
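Added illustration (not NetBox's code, and not part of the issue above) of the two authorization decisions in the view quoted in the issue: the hardened `add_token_checked` adds the per-user gate the reporter could not find, while `get_owned` mirrors the `filter(user=request.user)` scoping that already confines edits to one's own tokens. The permission codename `users.add_token` and all classes are assumptions modelled on Django conventions, not a real NetBox setting.

```python
from dataclasses import dataclass, field
from itertools import count
# Hypothetical Django-style codename ("<app>.add_<model>"); an assumption, not a NetBox setting.
TOKEN_ADD_PERM = "users.add_token"

class NotAuthenticated(Exception): pass
class PermissionDenied(Exception): pass
class NotFound(Exception): pass

@dataclass
class User:
    username: str
    is_active: bool = True
    permissions: set = field(default_factory=set)
    def has_perm(self, codename):
        return self.is_active and codename in self.permissions

@dataclass
class Token:
    pk: int
    user: User

class TokenStore:
    """In-memory stand-in for Token.objects (constructed for the example)."""
    def __init__(self):
        self._rows, self._ids = {}, count(1)
    def create(self, user):
        tok = Token(pk=next(self._ids), user=user)
        self._rows[tok.pk] = tok
        return tok
    def get_owned(self, user, pk):
        # Same scoping as Token.objects.filter(user=request.user): another user's token looks missing (404).
        tok = self._rows.get(pk)
        if tok is None or tok.user is not user:
            raise NotFound(pk)
        return tok

def add_token_login_only(store, user):
    """Behaviour the issue reports: being logged in is the only gate."""
    if user is None or not user.is_active:
        raise NotAuthenticated()
    return store.create(user)

def add_token_checked(store, user):
    """Hardened variant: login is necessary but not sufficient."""
    if user is None or not user.is_active:
        raise NotAuthenticated()
    if not user.has_perm(TOKEN_ADD_PERM):
        raise PermissionDenied(TOKEN_ADD_PERM)
    return store.create(user)
```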
adam added the status: accepted, type: documentation labels 2025-12-29 19:35:23 +01:00
adam closed this issue 2025-12-29 19:35:24 +01:00

@github-actions[bot] commented on GitHub (Mar 25, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

Reference: starred/netbox#5988