Prevent race condition when using edit forms in GUI #7630

New Issue

Closed

opened 2025-12-29 20:26:15 +01:00 by adam · 5 comments

adam commented 2025-12-29 20:26:15 +01:00

Owner

Copy Link

Originally created by @tyler-8 on GitHub (Feb 10, 2023).

Originally assigned to: @jeremystretch on GitHub.

NetBox version

v3.4.4

Feature type

Change to existing functionality

Proposed functionality

In edit forms for primary models, when confirming/saving your changes, add a new validation check that the last_updated time has not changed from when you first started editing the object.

If the last_updated time is captured at the time the edit form is loaded, and check again when the Save button is clicked, we can check that the timestamp is the same as before, before finally saving the new change. Otherwise, a validation error is raised.

Use case

It's possible for two users to be editing an object in the GUI at the same time and overwrite each other's changes. Here's the scenario:

1. Bob creates a Site.
2. Joe clicks “Edit” on that Site and has the Edit Site form open.
3. Bob also clicks Edit on the same Site and makes some changes, clicks “Save”.
4. Joe make changes on his Edit Form and clicks save.
5. Bob’s changes are no longer present, and Joe’s change is - based on outdated data.

Database changes

N/A

External dependencies

N/A

Originally created by @tyler-8 on GitHub (Feb 10, 2023). Originally assigned to: @jeremystretch on GitHub. ### NetBox version v3.4.4 ### Feature type Change to existing functionality ### Proposed functionality In edit forms for primary models, when confirming/saving your changes, add a new validation check that the `last_updated` time has not changed from when you first started editing the object. If the `last_updated` time is captured at the time the edit form is loaded, and check again when the `Save` button is clicked, we can check that the timestamp is the same as before, before finally saving the new change. Otherwise, a validation error is raised. ### Use case It's possible for two users to be editing an object in the GUI at the same time and overwrite each other's changes. Here's the scenario: 1. Bob creates a Site. 2. Joe clicks “Edit” on that Site and has the Edit Site form open. 3. Bob also clicks Edit on the same Site and makes some changes, clicks “Save”. 4. Joe make changes on his Edit Form and clicks save. 5. Bob’s changes are no longer present, and Joe’s change is - based on outdated data. ### Database changes N/A ### External dependencies N/A

adam added the status: acceptedtype: feature labels 2025-12-29 20:26:15 +01:00

adam closed this issue 2025-12-29 20:26:15 +01:00

adam commented 2025-12-29 20:26:15 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Feb 11, 2023):

Typical Joe. I've been saying we ought to fire that guy.

This is a great idea, and we should be able to implement it pretty seamlessly for (nearly?) every model form.

@jeremystretch commented on GitHub (Feb 11, 2023): Typical Joe. I've been saying we ought to fire that guy. This is a great idea, and we should be able to implement it pretty seamlessly for (nearly?) every model form.

adam commented 2025-12-29 20:26:16 +01:00

Author

Owner

Copy Link

@sleepinggenius2 commented on GitHub (Feb 13, 2023):

For APIs, I've used the ETag/If-Match header method to support this in the past. For server-rendered pages, I suspect you could use something similar via form fields. Ideally, a similar method would be used for changes made via UI, REST API, and GraphQL (if that supports mutation).

@sleepinggenius2 commented on GitHub (Feb 13, 2023): For APIs, I've used the ETag/If-Match header method to support this in the past. For server-rendered pages, I suspect you could use something similar via form fields. Ideally, a similar method would be used for changes made via UI, REST API, and GraphQL (if that supports mutation).

adam commented 2025-12-29 20:26:16 +01:00

Author

Owner

Copy Link

@tyler-8 commented on GitHub (Feb 16, 2023):

For APIs, I've used the ETag/If-Match header method to support this in the past. For server-rendered pages, I suspect you could use something similar via form fields. Ideally, a similar method would be used for changes made via UI, REST API, and GraphQL (if that supports mutation).

I'd be hesitant to have this validation (using this particular logic) happen in the API. The additional query to lookup the "in between" last_updated value would likely slow down response times (which would be compounded in high request volume environments). In the GUI you're working at "human speed" so the likelihood of the issue manifesting goes up, but API work tends to have very fast turn around.

@tyler-8 commented on GitHub (Feb 16, 2023): > For APIs, I've used the ETag/If-Match header method to support this in the past. For server-rendered pages, I suspect you could use something similar via form fields. Ideally, a similar method would be used for changes made via UI, REST API, and GraphQL (if that supports mutation). I'd be hesitant to have this validation (using this particular logic) happen in the API. The additional query to lookup the "in between" `last_updated` value would likely slow down response times (which would be compounded in high request volume environments). In the GUI you're working at "human speed" so the likelihood of the issue manifesting goes up, but API work tends to have very fast turn around.

adam commented 2025-12-29 20:26:16 +01:00

Author

Owner

Copy Link

@sleepinggenius2 commented on GitHub (Feb 16, 2023):

My previous implementation was using the API for a SPA UI, so it already had to make a request to load the object for the view anyway. Depending on how the REST API is implemented here, you should be able to just issue a HEAD request to get the ETag, without having to retrieve the full resource. Those values could potentially leverage the redis cache, which should make the extra request negligible. However, if you are using only the API to update resources, then you should only need to grab the value once, then cache the ETag from the response each time a change is made, to use in the next request. If you are expecting a mix of UI and API changes on the same resource, then you're just going to run into the same potential for a race condition if you don't use the same safeguard in both places. It would also be dangerous in that circumstance to not already be retrieving the resource to validate current state before making the change via the API. This solution should actually be faster in that scenario, because if your request succeeds with the cached ETag value, then there is no need to make that additional request, as the current state has already been validated.

@sleepinggenius2 commented on GitHub (Feb 16, 2023): My previous implementation was using the API for a SPA UI, so it already had to make a request to load the object for the view anyway. Depending on how the REST API is implemented here, you should be able to just issue a HEAD request to get the ETag, without having to retrieve the full resource. Those values could potentially leverage the redis cache, which should make the extra request negligible. However, if you are using only the API to update resources, then you should only need to grab the value once, then cache the ETag from the response each time a change is made, to use in the next request. If you are expecting a mix of UI and API changes on the same resource, then you're just going to run into the same potential for a race condition if you don't use the same safeguard in both places. It would also be dangerous in that circumstance to not already be retrieving the resource to validate current state before making the change via the API. This solution should actually be faster in that scenario, because if your request succeeds with the cached ETag value, then there is no need to make that additional request, as the current state has already been validated.

adam commented 2025-12-29 20:26:16 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Aug 1, 2023):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

@github-actions[bot] commented on GitHub (Aug 1, 2023): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).

adam referenced this issue 2025-12-29 22:26:19 +01:00

[PR #7630] [MERGED] Closes #6238: Implement conditional webhooks #13262

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label status: accepted type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#7630