netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0

GraphQL related objects are not properly restricted #17310

Closed DanSheps closed 2 months ago

DanSheps commented 2 months ago

Deployment Type

NetBox Cloud

NetBox Version

v4.0.10

Python Version

3.12

Steps to Reproduce

  1. Create a site
  2. Create an ASN in the site (Ex: 64511, pk=1)
  3. Create a user with permissions to only view ASNs (not sites)
  4. Run the following GQL: { asn(id: 1) { id, sites {} } }

Expected Behavior

Will show the ASN but not the related site

Observed Behavior

Related site is shown

DanSheps commented 2 months ago

Credit to Jeremy for actually finding this bug when testing the GraphQL PR.
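The gap reported in this issue, modelled as an added example that is not NetBox code: a resolver that checks permission only on the top-level object, next to one that also checks the related model, plus a regression check that flags related objects the user cannot view. All names (`User`, `can_view`, the resolver functions) and the in-memory data are hypothetical and constructed to mirror the reproduction steps.

```python
from dataclasses import dataclass, field

# Constructed data mirroring the report: one site, one ASN (pk=1) assigned to it.
SITES = {1: {"id": 1, "name": "Site A"}}
ASNS = {1: {"id": 1, "asn": 64511, "site_ids": [1]}}


@dataclass
class User:
    name: str
    view_perms: set = field(default_factory=set)  # model names, e.g. {"asn"}


def can_view(user, model):
    """Hypothetical model-level view check."""
    return model in user.view_perms


def resolve_asn_unrestricted(user, pk):
    """Behaviour described in the report: only the top-level object is checked."""
    if not can_view(user, "asn"):
        return None
    asn = ASNS[pk]
    # Related objects are followed without consulting the user's permissions.
    return {"id": asn["id"], "sites": [SITES[s] for s in asn["site_ids"]]}


def resolve_asn_restricted(user, pk):
    """Expected behaviour: the related model is checked for the same user."""
    if not can_view(user, "asn"):
        return None
    asn = ASNS[pk]
    sites = [SITES[s] for s in asn["site_ids"]] if can_view(user, "site") else []
    return {"id": asn["id"], "sites": sites}


def leaked_models(resolver, user, pk):
    """Regression check: related models returned that the user cannot view."""
    result = resolver(user, pk) or {}
    related = {"sites": "site"}  # response field -> model name
    return [m for f, m in related.items() if result.get(f) and not can_view(user, m)]


if __name__ == "__main__":
    asn_only = User("asn-only", {"asn"})
    print(leaked_models(resolve_asn_unrestricted, asn_only, 1))
    print(leaked_models(resolve_asn_restricted, asn_only, 1))
```
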