permission for revoking add tag doesn't work #2727

Closed
a31amit opened this issue Dec 22, 2018 · 10 comments
Labels
status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application

a31amit commented Dec 22, 2018

Environment

  • Python version: 3.7
  • NetBox version: 2.5.2

Steps to Reproduce

  1. Revoke "taggit|tag|can add tag" permission.
  2. Add a new tag to any device.

Also, I could not understand what the difference is between the taggit|tag and taggit|tagged item permissions. Having an explanation would be helpful.

Expected Behavior

The user should not be able to add any new tag.

Observed Behavior

NetBox allows adding new tags or updating tags on the device.

@DanSheps
Member

@a31amit When you say "new" tag, is it a completely new tag in all of netbox, or is it a new tag specific to that device?

@jeremystretch
Member

NetBox doesn't enforce permissions specifically for creating or assigning tags. Adding or removing a tag is considered modifying an object, so object type permissions (e.g. "can change devices") are used. Do you have a use case where users should be able to modify an object but not add/remove tags? That might be tricky to implement.

> Also, I could not understand what is different between permission of taggit|tag vs taggit|tagged item

This is an unfortunate artifact of the database schema through which tags are represented. A tag is the tag itself, whereas a "tagged item" is the generic relationship between an object and an assigned tag.

@jeremystretch jeremystretch added the status: under review Further discussion is needed to determine this issue's scope and/or implementation label Jan 4, 2019
@a31amit
Author

a31amit commented Jan 4, 2019

@DanSheps

> @a31amit When you say "new" tag, is it a completely new tag in all of netbox, or is it a new tag specific to that device?

I think the behavior is the same for both situations.

> NetBox doesn't enforce permissions specifically for creating or assigning tags. Adding or removing a tag is considered modifying an object, so object type permissions (e.g. "can change devices") are used. Do you have a use case where users should be able to modify an object but not add/remove tags? That might be tricky to implement.

Well, I originally wanted to restrict users from creating/changing/deleting tags, as different people can add tags with different names that are most likely similar or the same, so that I can keep consistent names. And during permission testing I found this issue.

So the use case I was trying to handle is that a user shouldn't be able to create a new tag or assign one. Only a few people who have access can do it, so as to maintain consistency in tag names.

For example, User A can add "API_SERVICE" as a tag, whereas another user can add "SERVICE_API". Different tags but the same meaning.

This could be tricky too. But I propose that we add a check: if a user doesn't have create permission on tags, the user should only be able to assign/remove tags on device objects rather than create a new tag during tag assignment.

@tb-killa
Contributor

tb-killa commented Jan 9, 2019

We use tags for some query stuff and need this option too.
With tags we allow the stuff behind NetBox to do things automatically.
If, e.g., someone removes the tag "nagios", the result would be that the automatic check doesn't poll anymore.

The permissions should be [ADD], [DELETE], [MODIFY].
Maybe something like [ADD-OWN] and [ADD-Fixed] would be great.
[ADD-Fixed] could be some predefined tags that can only be selected.

@XioNoX
Contributor

XioNoX commented Mar 21, 2019

+1 for [ADD-Fixed]
It would be useful for an admin to define a fixed list of tags that users are allowed to use.
This is to avoid fragmentation and typos in the tags (e.g. "production", "prod", etc.), while letting the users manage their tags.

@candlerb
Contributor

I just came across this problem. I had a number of devices with tag "move1". I edited another device and gave it tag "Move1". This was treated as a completely separate tag but I had no warning.

Worse: I did a bulk remove of tag "Move2" but this had no effect, because the tags were actually "move2".

My suggestion is different: I think you should define allowed tags up-front, and then you should only be allowed to add tags which come from this pre-defined set - rather than allowing arbitrary tags to be added.

This would be consistent with (e.g.) Manufacturer - you have to define Manufacturers up front, and then you can pick from them.

It would also give an opportunity for adding attributes to tags, such as colour and description - I think this feature may have been requested separately. Potentially it would allow tags to be renamed. You could have tags in exclusivity groups (i.e. you are only allowed to assign one tag out of the group at any one time) - I'd really like that. You could define which types of object each tag is permitted to be associated with - in the same way that Device Roles can be marked as applicable to VMs or not.

Maybe this requires a separate feature request, but I think it would also solve the permissions issue here, which boils down to "I don't want random users to be able to create new tags, but to pick from the existing set"

@candlerb
Contributor

Found the other tickets: #2324 (Add color picker for tags) and #2791 (Add comment field for tags)

It looks like #2324 is already implemented in develop-2.6, where an explicit tag model has been created. I would expect that as a side effect of this, there will be permissions for creation, editing and deletion of tags.

@jeremystretch
Member

@candlerb There has always been an explicit Tag model; #2324 does not have any effect on permissions.

@jeremystretch jeremystretch added status: blocked Another issue or external requirement is preventing implementation type: bug A confirmed report of unexpected behavior in the application and removed status: under review Further discussion is needed to determine this issue's scope and/or implementation labels Dec 13, 2019
@jeremystretch
Member

I've marked this as a bug because NetBox's behavior deviates from what a user would expect in this context. However, I don't believe this is feasible to implement while automatic tag creation is enabled; there's simply no sane point in the workflow to evaluate tag-related permissions and return a clean error.

Marking this as blocked by #3703.

@DanSheps DanSheps added this to the v2.9 milestone May 26, 2020
@jeremystretch
Member

#3703 has been implemented for the v2.9 release. Permissions will be enforced as automatic tag creation will no longer be supported beginning with v2.9.0.

@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation and removed status: blocked Another issue or external requirement is preventing implementation labels Jun 17, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 7, 2020
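
A simplified model of the authorization gap discussed in this thread, added here as an illustration and not taken from NetBox's code base: when tag assignment creates unknown tags automatically, only the object's change permission is ever checked, so revoking the tag "add" permission has no effect. The permission strings, function names and sample data are assumptions made for the example.

```python
class PermissionDenied(Exception):
    pass

# Assumed permission labels modelling "can change devices" and
# "taggit|tag|can add tag" from the thread.
CHANGE_DEVICE = "dcim.change_device"
ADD_TAG = "taggit.add_tag"

def create_tag(perms, tags, name):
    """Explicit tag creation, gated on the tag 'add' permission."""
    if ADD_TAG not in perms:
        raise PermissionDenied(f"missing {ADD_TAG}")
    tags.add(name)

def assign_autocreate(perms, tags, device, names):
    """Reported behaviour: only the object permission is checked and
    unknown names are silently created during assignment."""
    if CHANGE_DEVICE not in perms:
        raise PermissionDenied(f"missing {CHANGE_DEVICE}")
    tags.update(names)              # implicit creation; ADD_TAG never consulted
    device["tags"] = set(names)

def assign_predefined(perms, tags, device, names):
    """Automatic creation disabled: every name must already exist
    (exact, case-sensitive match), so creation goes through create_tag."""
    if CHANGE_DEVICE not in perms:
        raise PermissionDenied(f"missing {CHANGE_DEVICE}")
    unknown = sorted(set(names) - tags)
    if unknown:
        raise ValueError(f"unknown tags: {unknown}")
    device["tags"] = set(names)

def demo():
    """Constructed scenario: a user who may change devices but not add tags."""
    perms = {CHANGE_DEVICE}
    auto_tags, fixed_tags = {"move1"}, {"move1"}
    device = {"name": "sw1", "tags": set()}
    assign_autocreate(perms, auto_tags, device, ["Move1"])  # near-duplicate appears
    try:
        assign_predefined(perms, fixed_tags, device, ["Move1"])
        rejected = False
    except ValueError:
        rejected = True
    return auto_tags, fixed_tags, rejected

if __name__ == "__main__":
    print(demo())
```
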