netbox-community / netbox-reorder-rack

NetBox plugin to allow users to reorder devices within a rack using a drag and drop UI.
Apache License 2.0

Plugin bypassing user permissions #19

Open Azmodeszer opened 3 weeks ago

Azmodeszer commented 3 weeks ago

netbox-reorder-rack version

1.1.1

Python version

3.11

Steps to Reproduce

I have a permission system in place that essentially creates a special group that cannot edit existing objects per se, but can only add new data provided a certain status value is selected for the object (edits work only if that status is still present). However, I discovered that these users can still use the reordering plugin and adjust a device's position, even though that is explicitly prohibited by the permissions.

Expected Behavior

Reordering a device (i.e. changing its rack unit) as a user within the restricted group without the status required by the permissions throws an object-level permissions violation.

Alternately, the Reorder button does not appear in the first place.

Observed Behavior

The button is available to users within the restricted group and the edit is saved.

cruse1977 commented 2 weeks ago

Hi, which permission is this directly related to?

Azmodeszer commented 2 weeks ago
View/add/change/delete

Object Types

    Circuits | circuit
    DCIM | device
    DCIM | rack
    DCIM | site
    IPAM | IP address
    IPAM | prefix
    IPAM | VLAN
    DCIM | location
    IPAM | IP range
    DCIM | module
    Wireless | wireless LAN

Constraints

{
    "status": "submitted"
}

However, users falling into this permission group can still drag around devices and save new positions via the plugin, even if the status constraint is not met.
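To make the reported behaviour concrete, here is an added example (not code from netbox-reorder-rack or NetBox itself) that models constraint-based object permissions like the `{"status": "submitted"}` constraint above, and contrasts a reorder view that writes `device.position` directly with one that checks the object-level permission before and after the write. Every class and function name is hypothetical; the fixture user and devices are constructed for the example. In a real NetBox plugin the equivalent check comes from NetBox's own `ObjectPermissionRequiredMixin` and `queryset.restrict(request.user, "change")` rather than from a hand-rolled model like this.

```python
"""Added example, not the plugin's or NetBox's code: a minimal model of
constraint-based object permissions showing why an unchecked write of
device.position bypasses them. All names here are hypothetical."""

from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Device:
    """Stand-in for a DCIM device; only the fields the example needs."""
    name: str
    status: str
    position: Optional[int]


@dataclass
class ObjectPermission:
    """Hypothetical mirror of a NetBox object permission: actions on an object
    type, narrowed by constraints that must match the object's own fields."""
    actions: List[str]
    object_type: str
    constraints: Dict[str, Any] = field(default_factory=dict)

    def matches(self, obj: Any) -> bool:
        # Every constraint key is an attribute name that must equal the value.
        return all(getattr(obj, k, None) == v for k, v in self.constraints.items())


@dataclass
class User:
    username: str
    permissions: List[ObjectPermission]

    def has_object_perm(self, action: str, obj: Any) -> bool:
        obj_type = type(obj).__name__.lower()
        return any(
            action in p.actions and p.object_type == obj_type and p.matches(obj)
            for p in self.permissions
        )


class PermissionDenied(Exception):
    pass


def reorder_unchecked(user: User, device: Device, new_position: int) -> int:
    """The failure mode in the issue: the write never consults object perms,
    so the status constraint is irrelevant."""
    device.position = new_position
    return device.position


def reorder_checked(user: User, device: Device, new_position: int) -> int:
    """What the view should do: require 'change' on this object before the
    write and again afterwards, reverting if the changed object would no
    longer satisfy the constraints."""
    if not user.has_object_perm("change", device):
        raise PermissionDenied(f"{user.username} may not change {device.name}")
    old_position = device.position
    device.position = new_position
    if not user.has_object_perm("change", device):
        device.position = old_position
        raise PermissionDenied(f"{device.name} would no longer match constraints")
    return device.position


# Constructed fixture matching the issue: view/add/change/delete on devices,
# but only while status == "submitted".
RESTRICTED_USER = User(
    username="restricted",
    permissions=[
        ObjectPermission(
            actions=["view", "add", "change", "delete"],
            object_type="device",
            constraints={"status": "submitted"},
        )
    ],
)


def try_reorder(view, user: User, device: Device, new_position: int) -> str:
    """Run a reorder view; report 'saved:<pos>' or 'denied'."""
    try:
        return f"saved:{view(user, device, new_position)}"
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    print("unchecked, active:   ", try_reorder(reorder_unchecked, RESTRICTED_USER, Device("sw1", "active", 10), 20))
    print("checked,   active:   ", try_reorder(reorder_checked, RESTRICTED_USER, Device("sw1", "active", 10), 20))
    print("checked,   submitted:", try_reorder(reorder_checked, RESTRICTED_USER, Device("sw2", "submitted", 12), 20))
```

The first call saves the new position for a device whose status does not satisfy the constraint, which is exactly the observed behaviour; the checked variant denies it and leaves the position untouched, while a device in `submitted` status reorders normally.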