null-ifying some fields by users with limited privileges #7287

Closed
opened 2025-12-29 20:21:14 +01:00 by adam · 5 comments

Originally created by @opericgithub on GitHub (Nov 25, 2022).

NetBox version

v3.3.8

Python version

3.10

Steps to Reproduce

  1. log in as a superuser or a user that has all permissions.
  2. go to devices > platforms and add new platform named "test_pf".
  3. go to devices > devices and add new device, populate all required fields and select "test_pf" as its platform.
  4. go to this newly created device, edit it and change its name. this step is to ensure that device's platform remains "test_pf".
  5. go to NetBox Administration menu > USERS Permissions and add new permission: 1) name it "no_platform", 2) select all four actions (can view, can add, can change, can delete), 3) select ALL object types EXCEPT "dcim>platform", and 4) click save.
  6. go to NetBox Administration menu > AUTHENTICATION AND AUTHORIZATION Groups, and add new group: 1) name it "no_platform_group" then 2) select "no_platform" for the objectpermission below and 3) click save.
  7. go to NetBox Administration menu > AUTHENTICATION AND AUTHORIZATION Users and add new user: 1) name it "no_platform_user" with some password, click save and then 2) choose "no_platform_group" as a group this user will belong to.
  8. go to main netbox site, log out as a superuser and log in as this newly created "no_platform_user".
  9. go to the device created in step 3, verify that its platform is listed as "test_pf", then edit this device, change only its name and save it.
  10. platform field is null-ified.

Expected Behavior

platform field should remain intact.

Observed Behavior

platform field is null-ified.

adam closed this issue 2025-12-29 20:21:14 +01:00

@jeremystretch commented on GitHub (Nov 28, 2022):

Thank you for opening a bug report. Unfortunately, the information you have provided is not sufficient for someone else to attempt to reproduce the reported behavior. Remember, each bug report must include detailed steps that someone else can follow on a clean, empty NetBox installation to reproduce the exact problem you're experiencing. These instructions should include the creation of any involved objects, any configuration changes, and complete accounting of the actions being taken. Also be sure that your report does not reference data on the public NetBox demo, as that is subject to change at any time by an outside party and cannot be relied upon for bug reports.


@opericgithub commented on GitHub (Nov 28, 2022):

I have edited the original post. I hope there is enough information now.


@opericgithub commented on GitHub (Dec 13, 2022):

what is the procedure now? should someone take over this case?


@jeremystretch commented on GitHub (Dec 16, 2022):

@opericgithub thanks for providing those detailed instructions. This is happening because the user you created does not have permission to view platforms. When the device edit form loads, there is no way for the user to select a platform, so the field is left empty.

You have two options to work around this:

  1. Assign to the user (or group) a separate permission granting view access for platforms
  2. Add `dcim.platform` to `EXEMPT_VIEW_PERMISSIONS` (https://docs.netbox.dev/en/stable/configuration/security/#exempt_view_permissions)

Either solution will grant the permissions necessary for the user to retain or change a device's platform. Hope that helps!

@opericgithub commented on GitHub (Dec 19, 2022):

hello @jeremystretch, I must say this doesn't relate only to platform field, but to any other fields.
Unfortunately this workaround doesn't apply to my use case.

In my use case I intentionally want to have two general groups of users, light and strong. One of them, light one, let's call them network technicians, and the other, strong one is network admins.

Technicians don't need to be loaded with lots of information, they don't require a ton of knowledge. They simply need access to a very tiny or constrained set of data.
However, administrators must have access to all information.

Technicians don't need to be aware of platform, ip addresses, ranges, l2vpns, tenant groups etc. In the current constellation, if they modify some components which use any of these, they will null-ify some data that is very important to network admins.

Using your proposed workaround would mean that technicians would have to see and have access to all of these components, which is the thing I want to evade.

In my opinion, one of the solutions would be not to allow certain fields to be visible at all on the edit page, if that user doesn't have proper rights. For example, if the user has only the read-only (viewing) privileges, the field could be grayed out, and similarly if the user doesn't have any privileges, including viewing privileges, then the field shouldn't be displayed at all.

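The behaviour discussed in this thread, as an added example that is not part of the original issue and is not NetBox code: a small Python model of an edit form whose platform choices are filtered by view permission, showing the silent overwrite on save next to a guarded save that leaves a hidden relation untouched. The `Device` class, the function names and the permission strings are assumptions made for this model.

```python
# Constructed model of the behaviour in this thread; not NetBox code.
from dataclasses import dataclass
from typing import Optional

PLATFORMS = {1: "test_pf"}            # constructed sample data
VIEW_PLATFORM = "dcim.view_platform"  # permission string assumed for this model

@dataclass
class Device:
    name: str
    platform_id: Optional[int]

def visible_platforms(perms):
    """Platform choices the edit form can offer to this user."""
    return set(PLATFORMS) if VIEW_PLATFORM in perms else set()

def render_form(device, perms):
    """Initial form data; a platform the user cannot view renders as empty."""
    shown = device.platform_id if device.platform_id in visible_platforms(perms) else None
    return {"name": device.name, "platform": shown}

def save_naive(device, posted):
    """Observed behaviour: every posted field overwrites the stored value."""
    device.name, device.platform_id = posted["name"], posted["platform"]
    return device

def save_guarded(device, posted, perms):
    """Mitigation: keep a relation the user could not see; validate one they can."""
    allowed = visible_platforms(perms)
    device.name = posted["name"]
    if device.platform_id is not None and device.platform_id not in allowed:
        return device                  # field was hidden, so leave it untouched
    if posted["platform"] is not None and posted["platform"] not in allowed:
        raise ValueError("platform not selectable by this user")
    device.platform_id = posted["platform"]
    return device

def demo():
    """Rename a device as a user without view access to platforms."""
    tech = {"dcim.view_device", "dcim.change_device"}
    posted = render_form(Device("sw1", 1), tech)
    posted["name"] = "sw1-renamed"
    naive = save_naive(Device("sw1", 1), dict(posted))
    guarded = save_guarded(Device("sw1", 1), dict(posted), tech)
    return naive.platform_id, guarded.platform_id

if __name__ == "__main__":
    print(demo())
```
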
Reference: starred/netbox#7287