Plugin bypassing user permissions #19

Closed
Azmodeszer opened this issue Jun 21, 2024 · 7 comments
Assignees
Labels
enhancement New feature or request

Comments

Azmodeszer commented Jun 21, 2024

netbox-reorder-rack version

1.1.1

Python version

3.11

Steps to Reproduce

I have a permission system in place that essentially creates a special group that cannot edit existing objects per se, but can only add new data provided a certain status value is selected for the object (edits work only if that status is still present). However, I discovered that these users can still use the reordering plugin and adjust a device's position, even though that is explicitly prohibited by the permissions.

Expected Behavior

Reordering a device (i.e. changing its rack unit) as a user within the restricted group without the status required by the permissions throws an object-level permissions violation.

Alternately, the Reorder button does not appear in the first place.

Observed Behavior

The button is available to users within the restricted group and the edit is saved.

@cruse1977
Member

Hi, which permission is this directly related to?

Azmodeszer commented Jun 28, 2024

View/add/change/delete


Object Types

    Circuits | circuit
    DCIM | device
    DCIM | rack
    DCIM | site
    IPAM | IP address
    IPAM | prefix
    IPAM | VLAN
    DCIM | location
    IPAM | IP range
    DCIM | module
    Wireless | wireless LAN

Constraints

{
    "status": "submitted"
}

However, users falling into this permission group can still drag around devices and save new positions via the plugin, even if the status constraint is not met.

@Azmodeszer
Author

Any updates?

@julianstolp

I can confirm this. I'm also having this issue. It looks like it is directly related to the permission DCIM>Device with action Change. The permission constraint is ignored. In my case { "site__slug__startswith": "test" }.

@minitriga minitriga self-assigned this Sep 27, 2024
@minitriga
Collaborator

I have pushed a fix that will check for user permissions on page load. This will disable any devices in the rack from being able to be moved, and also prevent other devices moving out of the way when dragging devices. I have implemented pop-ups to show issues with permissions when they occur. I will issue a new release within the next few days.
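The distinction this thread turns on, as an added example that is not part of the issue or of the netbox-reorder-rack code: a global "does the user hold the change action" check passes for every member of the restricted group, while NetBox evaluates each permission's constraint dict against the individual object. The model below is a constructed stand-in for that evaluation (keys within one constraint dict are ANDed, separate permissions are ORed, and only the exact-match and `__startswith` lookups that appear in the comments above are understood; no other Django lookups). The users, permissions and devices are made up. NetBox itself performs the same filtering at the queryset level via `RestrictedQuerySet.restrict()` rather than in Python like this.

```python
"""Toy model of NetBox-style object permissions with constraints.

Constructed for illustration only: the permissions, users and devices
below are made up, and the matcher understands just the two lookup
shapes quoted in the issue (exact match and ``__startswith``).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Permission:
    """One object permission: an action plus a constraint dict (None = unconstrained)."""
    action: str
    constraints: Optional[dict] = None


@dataclass
class User:
    permissions: list = field(default_factory=list)


def resolve(obj: dict, path: str):
    """Follow a Django-style '__'-separated relation path through nested dicts."""
    value = obj
    for part in path.split("__"):
        value = value[part]
    return value


def matches(obj: dict, constraints: dict) -> bool:
    """Every key in one constraint dict must hold (ANDed, like a single filter())."""
    for key, expected in constraints.items():
        if key.endswith("__startswith"):
            actual = resolve(obj, key[: -len("__startswith")])
            if not str(actual).startswith(expected):
                return False
        elif resolve(obj, key) != expected:
            return False
    return True


def has_perm(user: User, action: str) -> bool:
    """Global check: does the user hold the action at all? Constraints are ignored,
    which is the behaviour the issue reports (every device stays draggable)."""
    return any(p.action == action for p in user.permissions)


def can_act_on(user: User, action: str, obj: dict) -> bool:
    """Object-level check: some permission for this action must match this object.
    Permissions are ORed; a permission without constraints matches everything."""
    return any(
        p.action == action and (p.constraints is None or matches(obj, p.constraints))
        for p in user.permissions
    )


def movable_devices(user: User, devices: list) -> list:
    """What a permission-aware reorder view computes on page load: the names of
    the devices this user is actually allowed to change."""
    return [d["name"] for d in devices if can_act_on(user, "change", d)]


# --- constructed sample data (not from any real NetBox instance) ---------------
RESTRICTED_USER = User([
    Permission("view"),
    Permission("add", {"status": "submitted"}),
    Permission("change", {"status": "submitted"}),
])
SITE_USER = User([Permission("change", {"site__slug__startswith": "test"})])

RACK = [
    {"name": "sw-01", "status": "active", "position": 1, "site": {"slug": "prod-dc1"}},
    {"name": "sw-02", "status": "submitted", "position": 5, "site": {"slug": "test-lab"}},
    {"name": "sw-03", "status": "active", "position": 9, "site": {"slug": "test-lab"}},
]

if __name__ == "__main__":
    # The global check is what would let every device be dragged...
    print("has change perm:", has_perm(RESTRICTED_USER, "change"))             # True
    # ...while the per-object check only allows the device meeting the constraint.
    print("restricted user may move:", movable_devices(RESTRICTED_USER, RACK))  # ['sw-02']
    print("site user may move:", movable_devices(SITE_USER, RACK))              # ['sw-02', 'sw-03']
```

`movable_devices` is the shape of the page-load check described in the comment above: the draggable set is derived from the object-level check, not from the mere presence of the change action. The same object-level check belongs in the save handler as well, since disabling drag in the browser is a convenience for the user rather than the enforcement point.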

@minitriga minitriga added the enhancement New feature or request label Sep 28, 2024
Azmodeszer commented Oct 2, 2024

@minitriga hm, I've updated the plugin (says 1.1.2 now), but the code changes for the fix don't seem to apply?

Requirement already satisfied: netbox-reorder-rack in /opt/netbox/venv/lib/python3.11/site-packages (1.1.2)

Yet none of the new code is present in the local files.

@minitriga
Collaborator

@Azmodeszer Thank you for spotting this. Upgrade to 1.1.3; it looks like there was an issue with the 1.1.2 build.
