API access to render-config needs add permissions and write enable for the api token #9007

Closed
opened 2025-12-29 20:44:05 +01:00 by adam · 11 comments

Originally created by @jiuka on GitHub (Dec 29, 2023).

Originally assigned to: @DanSheps on GitHub.

Deployment Type

Self-hosted

NetBox Version

v3.6.8

Python Version

3.10

Steps to Reproduce

  1. Create a User with View Permissions to all Object Types
  2. Create an API key for this User without Write Enabled
  3. Create a Device (No configured render config is needed to trigger this bug)
  4. Try to use the dcim_devices_render_config_create API Endpoint with the created API key / user

Expected Behavior

The User with Read Access to the Device should be able to get the render config from the API. As there is no config set, a No config template found for this device error is expected.

user@host:~$ curl -H 'Authorization: Token <YOURTOKEN>' https://netbox/api/dcim/devices/<ID>/render-config/
{"error":"No config template found for this device."}

Observed Behavior

The User with Read Access to the Device has no permission to access the render config from the API.

user@host:~$ curl -H 'Authorization: Token <YOURTOKEN>' https://netbox/api/dcim/devices/<ID>/render-config/
{"detail":"You do not have permission to perform this action."}

If the user is granted add permissions on the DCIM > Device Object Types and the API Token is set to Write Enabled the access works as expected.

user@host:~$ curl -H 'Authorization: Token <YOURTOKEN>' https://netbox/api/dcim/devices/<ID>/render-config/
{"error":"No config template found for this device."}
adam added the type: bug, status: accepted, severity: low labels 2025-12-29 20:44:05 +01:00
adam closed this issue 2025-12-29 20:44:05 +01:00

@abhi1693 commented on GitHub (Dec 29, 2023):

I would consider this as an FR rather than a bug.


@jiuka commented on GitHub (Dec 29, 2023):

I would consider it a bug, as I assume the current behaviour is not the intended behaviour. In the UI a user with the view permission can view and download the rendered config. This is an inconsistency between the UI and the API.

The netbox.api.authentication.TokenPermissions requires the add permission for all POST requests and enforces the write_enabled too.


@abhi1693 commented on GitHub (Dec 29, 2023):

This is not inconsistent behaviour at all. When you view even in the UI, it makes a POST call.


@PhilipLoenneker commented on GitHub (Jan 3, 2024):

Please note that this was raised in issue #14184 with some suggestions for ways to make the render-config API endpoint available with a read-only token.


@jiuka commented on GitHub (Jan 8, 2024):

If viewed in the UI it is a GET call https://netbox/dcim/devices/<ID>/render-config/ or https://netbox/dcim/devices/<ID>/render-config/?export=True when downloaded. But this is not my point. If I log in as a User with Read Only permission I can access GET https://netbox/dcim/devices/<ID>/render-config/?export=True but not POST https://netbox/api/dcim/devices/<ID>/render-config/, which both should return the same thing. This is the reason I consider this a bug and not a FR.

However, to get this issue a step further towards being resolved, what is your final verdict on this matter, and should a new FR be created or can this issue be relabeled?


@DanSheps commented on GitHub (Jan 19, 2024):

> However, to get this issue a step further towards being resolved, what is your final verdict on this matter, and should a new FR be created or can this issue be relabeled?

@jiuka this is going to be a low priority bug


@jiuka commented on GitHub (Jan 19, 2024):

Would this be something I could try my hands on? My approach would be to create a TokenViewPermissions class which then could be passed to the @render decorator in the RenderConfigMixin as permission_classes.


@DanSheps commented on GitHub (Jan 19, 2024):

IMO, the render config should be a get, not a post.

You aren't altering the NetBox database, you are only fetching pre-existing data.

This does require an API change and our stance is API changes must be done on non-patch releases.


@jeremystretch commented on GitHub (Jan 19, 2024):

The request must be a POST to facilitate passing data in the body of the request (as opposed to query parameters) per the HTTP spec.


@DanSheps commented on GitHub (Jan 30, 2024):

Are we good with @jiuka's proposal then to override the permissions?


@jeremystretch commented on GitHub (Jun 21, 2024):

> If I log in as a User with Read Only permission I can access GET https://netbox/dcim/devices/<ID>/render-config/?export=True but not POST https://netbox/api/dcim/devices/<ID>/render-config/, which both should return the same thing. This is the reason I consider this a bug and not a FR.

There is a subtle difference between these two views, however: The UI view does not accept user input whereas the REST API endpoint does.

While I agree that rendering a device configuration should not require the add_device permission, I'm going to assert that it should enforce write permission generally (i.e. by requiring a write-enabled token). The justification for this is simply that the API endpoint accepts, processes, and returns arbitrary user data for inclusion in the template context: Enforcing write ability protects against potential abuse from a malicious actor.

I've opened #16681 to introduce a new permission action specifically for rendering device & VM configurations, which I believe will address the root problem here (the inordinate requirement for "add" permission).

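The two positions in this thread (jiuka's idea of a view-level permission class for the render-config endpoint, and jeremystretch's point that a write-enabled token should still be required because the POST body carries caller-supplied template context) can be modelled side by side. The block below is an added, self-contained toy model written for this page; it is not NetBox's netbox.api.authentication.TokenPermissions nor any code from the project. The class, attribute and permission-string names (Token, User, Request, TokenPermissions, RenderConfigPermissions, "dcim.view_device", "dcim.add_device") are assumptions chosen to mirror the discussion, and the new dedicated permission action from #16681 is not modelled because its name does not appear on this page.

```python
"""
Toy model of REST API token permission checks, as discussed in the thread.
Illustrative code written for this page; NOT NetBox's TokenPermissions.
All names below are assumptions mirroring the discussion.
"""
from dataclasses import dataclass, field

# DRF-style mapping from HTTP method to object-permission action. Because
# every POST maps to "add", a POST-only endpoint such as render-config ends
# up demanding the add permission even though it only reads the device.
METHOD_TO_ACTION = {
    "GET": "view", "HEAD": "view", "OPTIONS": "view",
    "POST": "add",
    "PUT": "change", "PATCH": "change",
    "DELETE": "delete",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Token:
    write_enabled: bool


@dataclass
class User:
    # Permissions as "<app>.<action>_<model>" strings, e.g. "dcim.view_device".
    permissions: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.permissions


@dataclass
class Request:
    method: str
    user: User
    token: Token


class TokenPermissions:
    """Generic check: a write-enabled token for unsafe methods, then the
    permission derived from the HTTP method (POST -> add_<model>)."""
    model = "dcim.device"

    def _write_ok(self, request: Request) -> bool:
        return request.method in SAFE_METHODS or request.token.write_enabled

    def _required_perm(self, request: Request) -> str:
        app, model = self.model.split(".")
        return f"{app}.{METHOD_TO_ACTION[request.method]}_{model}"

    def has_permission(self, request: Request) -> bool:
        return self._write_ok(request) and request.user.has_perm(
            self._required_perm(request))


class RenderConfigPermissions(TokenPermissions):
    """Variant along the lines jiuka proposed and jeremystretch qualified:
    the render-config POST is treated as a read of the device (view_<model>
    suffices), but the write-enabled token gate is kept because the endpoint
    accepts and processes caller-supplied data for the template context."""

    def _required_perm(self, request: Request) -> str:
        app, model = self.model.split(".")
        return f"{app}.view_{model}"


def check(policy_cls, perms, write_enabled: bool, method: str = "POST") -> bool:
    """Evaluate one policy for a user holding `perms` and a token with the
    given write_enabled flag. Defaults to POST, as render-config is POST-only."""
    req = Request(method=method, user=User(set(perms)), token=Token(write_enabled))
    return policy_cls().has_permission(req)


if __name__ == "__main__":
    # Constructed scenarios matching the three curl results in the report.
    view_only = {"dcim.view_device"}
    view_and_add = {"dcim.view_device", "dcim.add_device"}
    print("current, view-only user, read-only token :",
          check(TokenPermissions, view_only, False))          # denied
    print("current, add granted + write token       :",
          check(TokenPermissions, view_and_add, True))        # allowed
    print("proposed, view-only user + write token   :",
          check(RenderConfigPermissions, view_only, True))    # allowed
    print("proposed, view-only user, read-only token:",
          check(RenderConfigPermissions, view_only, False))   # still denied
```

The decisive design choice is that the two gates are evaluated separately: the token's write_enabled flag answers "may this credential send request bodies at all", while the object permission answers "may this user read this device". Relaxing only the second, as RenderConfigPermissions does, removes the need for add_device without turning a read-only token into one that can submit arbitrary template context.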
Reference: starred/netbox#9007