
API access to render-config needs add permissions and write enable for the api token #14634

Open
jiuka opened this issue Dec 29, 2023 · 10 comments · May be fixed by #15251
Labels
severity: low Does not significantly disrupt application functionality, or a workaround is available status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application

Comments

@jiuka

jiuka commented Dec 29, 2023

Deployment Type

Self-hosted

NetBox Version

v3.6.8

Python Version

3.10

Steps to Reproduce

  1. Create a User with View Permissions to all Object Types
  2. Create an API key for this User without Write Enabled
  3. Create a Device (No configured render config is needed to trigger this bug)
  4. Try to use the dcim_devices_render_config_create API Endpoint with the created API key / user

Expected Behavior

The User with Read Access to the Device should be able to get the render config from the API. As there is no config set a No config template found for this device error is expected.

user@host:~$ curl -H 'Authorization: Token <YOURTOKEN>' https://netbox/api/dcim/devices/<ID>/render-config/
{"error":"No config template found for this device."}

Observed Behavior

The User with Read Access to the Device has no permission to access the render config from the API.

user@host:~$ curl -H 'Authorization: Token <YOURTOKEN>' https://netbox/api/dcim/devices/<ID>/render-config/
{"detail":"You do not have permission to perform this action."}

If the user is granted add permissions on the DCIM > Device Object Types and the API Token is set to Write Enabled the access works as expected.

user@host:~$ curl -H 'Authorization: Token <YOURTOKEN>' https://netbox/api/dcim/devices/<ID>/render-config/
{"error":"No config template found for this device."}
@jiuka jiuka added the type: bug A confirmed report of unexpected behavior in the application label Dec 29, 2023
@abhi1693
Member

I would consider this as an FR rather than a bug.

@jiuka
Author

jiuka commented Dec 29, 2023

I would consider it a bug, as I assume the current behaviour is not the intended behaviour. In the UI a user with the view permission can view and download the rendered config. This is an inconsistency between the UI and the API.

The netbox.api.authentication.TokenPermissions requires the add permission for all POST requests and enforces the write_enabled too.

@abhi1693
Member

This is not inconsistent behaviour at all. When you view even in the UI, it makes a POST call.

@PhilipLoenneker

PhilipLoenneker commented Jan 3, 2024

Please note that this was raised in issue #14184 with some suggestions for ways to make the render-config API endpoint available with a read-only token.

@jiuka
Author

jiuka commented Jan 8, 2024

If viewed in the UI it is a GET call to https://netbox/dcim/devices/<ID>/render-config/ or https://netbox/dcim/devices/<ID>/render-config/?export=True when downloaded. But this is not my point. If I log in as a User with Read Only permission I can access GET https://netbox/dcim/devices/<ID>/render-config/?export=True but not POST https://netbox/api/dcim/devices/<ID>/render-config/, which both should return the same thing. This is the reason I consider this a bug and not a FR.

However, to get this issue a step further towards being resolved, what is your final verdict on this matter, and should a new FR be created or can this issue be relabeled?

@DanSheps DanSheps added status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation severity: low Does not significantly disrupt application functionality, or a workaround is available labels Jan 19, 2024
@DanSheps
Member

However, to get this issue a step further towards being resolved, what is your final verdict on this matter, and should a new FR be created or can this issue be relabeled?

@jiuka this is going to be a low priority bug

@jiuka
Author

jiuka commented Jan 19, 2024

Would this be something I could try my hands on? My approach would be to create a TokenViewPermissions class which then could be passed to the @render decorator in the RenderConfigMixin as permission_classes.
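A runnable sketch of the permission mismatch this thread describes, added here and not code from NetBox or from this issue's author: Token, Request, TokenPermissions and TokenViewPermissions are simplified stand-ins for the DRF/NetBox classes, and TokenViewPermissions follows the proposal above (it must be attached to the render-config action only, never to the whole device viewset).

```python
"""Model of the API-token permission check discussed in this issue.

DRF-style permission classes map the HTTP method to a model permission
action. render-config is a POST, so the default mapping demands 'add' plus a
write-enabled token although the endpoint only reads data. The hypothetical
TokenViewPermissions requires 'view' only and ignores write_enabled."""
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

@dataclass
class Token:
    user_perms: set              # e.g. {"dcim.view_device"} (constructed)
    write_enabled: bool = False  # NetBox token flag; read-only by default

@dataclass
class Request:
    method: str
    auth: Token

class TokenPermissions:
    """Default method -> action mapping (constructed, in DRF perms_map shape)."""
    perms_map = {"GET": "view", "HEAD": "view", "OPTIONS": "view",
                 "POST": "add", "PUT": "change", "PATCH": "change",
                 "DELETE": "delete"}

    def has_permission(self, request, app_label, model):
        # a token without write_enabled may only use safe methods
        if request.method not in SAFE_METHODS and not request.auth.write_enabled:
            return False
        action = self.perms_map[request.method]
        return f"{app_label}.{action}_{model}" in request.auth.user_perms

class TokenViewPermissions(TokenPermissions):
    """For read-only actions that are POSTs only to carry a request body."""
    def has_permission(self, request, app_label, model):
        # no write_enabled check: nothing in the database is modified
        return f"{app_label}.view_{model}" in request.auth.user_perms

def check(permission_cls, method, token, app_label="dcim", model="device"):
    """True if `token` may call `method` on the endpoint under `permission_cls`."""
    return permission_cls().has_permission(Request(method, token), app_label, model)

if __name__ == "__main__":
    read_only = Token({"dcim.view_device"})
    print(check(TokenPermissions, "POST", read_only))      # False: observed behaviour
    print(check(TokenViewPermissions, "POST", read_only))  # True: expected behaviour
```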

@DanSheps
Member

DanSheps commented Jan 19, 2024

IMO, the render config should be a get, not a post.

You aren't altering the NetBox database, you are only fetching pre-existing data.

This does require an API change and our stance is API changes must be done on non-patch releases.

@jeremystretch
Member

The request must be a POST to facilitate passing data in the body of the request (as opposed to query parameters) per the HTTP spec.

@DanSheps
Member

DanSheps commented Jan 30, 2024

Are we good with @jiuka's proposal then to override the permissions?

@DanSheps DanSheps self-assigned this Feb 15, 2024
@DanSheps DanSheps added status: accepted This issue has been accepted for implementation and removed status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation labels Feb 15, 2024