Permission madness #420
Labels
status: under review
Further discussion is needed to determine this issue's scope and/or implementation
type: housekeeping
Changes to the application which do not directly impact the end user
NetBox version
v3.6.4
Topology Views version
v3.8.1
Steps to Reproduce
Check permissions in the following files:
Expected Behavior
Permission should make sense.
Observed Behavior
navigation.py:
The entry for plugins:netbox_topology_views:images wants these permissions:
This entry is for making the menu item visible. Why should this item make use of Sites or Device Roles? The correct permission should be imho:
views.py
The class TopologyImagesView wants:
The Images View does not need any Site information. I think this was just copy-pasted from the Topology View (where it is needed indeed). In addition, the view only displays something in the first step. Write permissions are only required when saving images. However, the permission to display the view should be controlled via the "Role Image" permission.
This seems to be reasonable and sufficient:
api/views.py
This is the one I don't understand. The class SaveRoleImagesViewSet wants:
Here, too, the authorisation should be controlled via "Role Image", and being able to read the Device Role model should be sufficient. But why does it need the other permissions? Nothing will be written to the Device Role model. Instead, the Role Image model must be writable. When I tried to remove these permissions and set view permissions instead (in both the source code and the admin panel), saving didn't work anymore.
In my opinion it should be:
But as stated before, that didn't work for me. @mattieserver Hope you can contribute here.
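The following is an added example, not code from netbox-topology-views or from the issue author. It models the check done by hand above as a small least-privilege audit: for each entry point (menu item, view, API viewset) it compares the permissions the code declares against what the handler actually reads and writes, and reports what is declared but never exercised and what is exercised but never declared. Permission strings follow NetBox's `<app_label>.<action>_<model>` convention; the plugin-side model label `netbox_topology_views.roleimage`, the `Endpoint` helper and every per-endpoint declaration below are assumptions constructed for illustration, not the plugin's real definitions.

```python
"""Least-privilege audit for a NetBox plugin's declared permissions.

Added example; not code from netbox-topology-views. Permission strings use
NetBox's "<app_label>.<action>_<model>" form. The model label
"netbox_topology_views.roleimage" and all per-endpoint declarations are
assumptions constructed to mirror the three findings in the issue.
"""
from dataclasses import dataclass

SITE = "dcim.site"
DEVICE_ROLE = "dcim.devicerole"
ROLE_IMAGE = "netbox_topology_views.roleimage"   # assumed plugin model label


def perm(action: str, model_label: str) -> str:
    """Build a Django/NetBox permission codename: ('view', 'dcim.site') -> 'dcim.view_site'."""
    app_label, model = model_label.split(".", 1)
    return f"{app_label}.{action}_{model}"


@dataclass(frozen=True)
class Endpoint:
    name: str
    required: frozenset   # what the code declares (permissions=[...] / permission_required)
    reads: frozenset      # models the handler only reads
    writes: frozenset     # models the handler creates or modifies


def expected_permissions(ep: Endpoint) -> frozenset:
    """Minimum set covering real behaviour: view for anything touched, add+change for anything written."""
    needed = {perm("view", m) for m in ep.reads | ep.writes}
    for m in ep.writes:
        needed |= {perm("add", m), perm("change", m)}
    return frozenset(needed)


def audit(ep: Endpoint) -> dict:
    """'over' = declared but never exercised; 'under' = exercised but never declared."""
    expected = expected_permissions(ep)
    return {"over": sorted(ep.required - expected), "under": sorted(expected - ep.required)}


def tightened(ep: Endpoint) -> Endpoint:
    """Same endpoint with its declaration replaced by the least-privilege set."""
    return Endpoint(ep.name, expected_permissions(ep), ep.reads, ep.writes)


def can_access(user_perms, ep: Endpoint) -> bool:
    """Mirror Django's check: every declared permission must be held by the user."""
    return ep.required <= frozenset(user_perms)


# Constructed to mirror the issue's three findings (assumed, not the plugin's real declarations).
REPORTED = {
    "navigation:images": Endpoint(
        "navigation:images",
        frozenset({perm("view", SITE), perm("view", DEVICE_ROLE)}),
        frozenset({ROLE_IMAGE}), frozenset()),
    "views:TopologyImagesView": Endpoint(
        "views:TopologyImagesView",
        frozenset({perm("view", SITE), perm("view", DEVICE_ROLE), perm("view", ROLE_IMAGE)}),
        frozenset({DEVICE_ROLE, ROLE_IMAGE}), frozenset()),
    "api:SaveRoleImagesViewSet": Endpoint(
        "api:SaveRoleImagesViewSet",
        frozenset({perm("view", DEVICE_ROLE), perm("add", DEVICE_ROLE), perm("change", DEVICE_ROLE)}),
        frozenset({DEVICE_ROLE}), frozenset({ROLE_IMAGE})),
}

# A user holding only what the images feature genuinely needs (constructed).
LEAST_PRIVILEGE_USER = frozenset({
    perm("view", DEVICE_ROLE),
    perm("view", ROLE_IMAGE), perm("add", ROLE_IMAGE), perm("change", ROLE_IMAGE),
})

if __name__ == "__main__":
    for ep in REPORTED.values():
        print(ep.name, audit(ep))
        print("  least-privilege user reaches it as declared:", can_access(LEAST_PRIVILEGE_USER, ep),
              "| after tightening:", can_access(LEAST_PRIVILEGE_USER, tightened(ep)))
```

Running it shows the pattern the issue describes: a user granted only Device Role read plus Role Image read/write is blocked by the as-declared save viewset (it insists on write access to Device Role, which the handler never uses), and reaches all three entry points once each declaration is reduced to what the handler actually touches.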