permissions are not respected with /dcim/connected-device api #7051

@sthiriet

Description

NetBox version

v2.11.12

Python version

3.8

Steps to Reproduce

  1. Enable permissions
  2. As admin, create the objects required to have data returned by the API /dcim/connected-device (devices, interfaces, cables, ...)
  3. As admin, create a user with no permissions, or with permissions only on virtualization->cluster, for example
  4. Use this user to call the GET /dcim/connected-device/ API with correct parameters:
curl -X GET "https://demo.netbox.dev/api/dcim/connected-device/?peer_device=dmi01-akron-sw01&peer_interface=GigabitEthernet1%2F0%2F1" -H  "accept: application/json" -H "Authorization: ....."

Expected Behavior

As the user has no permission on dcim, nothing should be returned, but it is hard to say what the necessary permissions should be.

Observed Behavior

The response body contains data that the user should probably not be able to access:

{
  "id": 1,
  "url": "https://demo.netbox.dev/api/dcim/devices/1/",
  "display": "dmi01-akron-rtr01",
  "name": "dmi01-akron-rtr01",
  "display_name": "dmi01-akron-rtr01",
  "device_type": {
    "id": 6,
    "url": "https://demo.netbox.dev/api/dcim/device-types/6/",
    "display": "ISR 1111-8P",
    "manufacturer": {
      "id": 3,
      "url": "https://demo.netbox.dev/api/dcim/manufacturers/3/",
      "display": "Cisco",
      "name": "Cisco",
      "slug": "cisco"
    },
    "model": "ISR 1111-8P",
    "slug": "isr1111",
    "display_name": "Cisco ISR 1111-8P"
  },
  "device_role": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/device-roles/1/",
    "display": "Router",
    "name": "Router",
    "slug": "router"
  },
  "tenant": {
    "id": 5,
    "url": "https://demo.netbox.dev/api/tenancy/tenants/5/",
    "display": "Dunder-Mifflin, Inc.",
    "name": "Dunder-Mifflin, Inc.",
    "slug": "dunder-mifflin"
  },
  "platform": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/platforms/1/",
    "display": "Cisco IOS",
    "name": "Cisco IOS",
    "slug": "cisco-ios"
  },
  "serial": "",
  "asset_tag": null,
  "site": {
    "id": 2,
    "url": "https://demo.netbox.dev/api/dcim/sites/2/",
    "display": "DM-Akron",
    "name": "DM-Akron",
    "slug": "dm-akron"
  },
  "location": null,
  "rack": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/racks/1/",
    "display": "Comms closet",
    "name": "Comms closet",
    "display_name": "Comms closet"
  },
  "position": 4,
  "face": {
    "value": "front",
    "label": "Front"
  },
  "parent_device": null,
  "status": {
    "value": "active",
    "label": "Active"
  },
  "primary_ip": null,
  "primary_ip4": null,
  "primary_ip6": null,
  "cluster": null,
  "virtual_chassis": null,
  "vc_position": null,
  "vc_priority": null,
  "comments": "",
  "local_context_data": null,
  "tags": [],
  "custom_fields": {},
  "created": "2020-12-20",
  "last_updated": "2020-12-20T02:51:03.257000Z"
}
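A regression probe for the behaviour described above, added here as example code (it is not part of NetBox and not the reporter's code): it builds the same query as the curl command and classifies the response a low-privilege token gets back, so the full device body shown above counts as a leak while a 403/404 or an empty body does not. The base URL, the token and the sample bodies are placeholders or constructed from the report.

```python
"""Check that a token without dcim permissions gets no device data from
/api/dcim/connected-device/. Base URL and token are placeholders."""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen

ENDPOINT = "/api/dcim/connected-device/"  # endpoint named in the report

# Constructed from the leaked body in the report, trimmed to the fields we key on.
LEAKED_BODY = json.dumps({
    "id": 1,
    "name": "dmi01-akron-rtr01",
    "device_type": {"id": 6, "model": "ISR 1111-8P"},
    "site": {"id": 2, "name": "DM-Akron"},
})


def build_url(base_url, peer_device, peer_interface):
    """Build the query URL; urlencode turns the slashes of the interface
    name into %2F, exactly as the curl example in the report does."""
    query = urlencode({"peer_device": peer_device, "peer_interface": peer_interface})
    return urljoin(base_url, ENDPOINT) + "?" + query


def classify(status, body):
    """'denied' for 401/403/404, 'empty' for a 200 without device fields,
    'leak' for a 200 carrying a device object, 'unexpected' otherwise."""
    if status in (401, 403, 404):
        return "denied"
    if status != 200:
        return "unexpected"
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return "unexpected"
    # The report's leaked body is a full device object: id, name, device_type, ...
    if isinstance(data, dict) and {"id", "name", "device_type"} <= data.keys():
        return "leak"
    return "empty"


def probe(base_url, token, peer_device, peer_interface):
    """Call the endpoint with the low-privilege token (does network I/O)."""
    req = Request(build_url(base_url, peer_device, peer_interface),
                  headers={"Accept": "application/json",
                           "Authorization": f"Token {token}"})
    try:
        with urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except HTTPError as err:  # DRF returns 403/404 as HTTP errors
        return classify(err.code, err.read().decode())
```

Run `probe()` against a NetBox instance with a token that has no dcim permissions; anything other than "denied" or "empty" reproduces the issue.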

Labels

status: accepted (this issue has been accepted for implementation); type: feature (introduction of new functionality to the application)
