Plugin bypassing user permissions

Open Azmodeszer opened this issue 8 months ago • 3 comments

netbox-reorder-rack version

1.1.1

Python version

3.11

Steps to Reproduce

I have a permission system in place that essentially creates a special group that cannot edit existing objects per se, but can only add new data provided a certain status value is selected for the object (edits work only if that status is still present). However, I discovered that these users can still use the reordering plugin and adjust a device's position, even though that is explicitly prohibited by the permissions.

Expected Behavior

Reordering a device (i.e. changing its rack unit) as a user within the restricted group without the status required by the permissions throws an object-level permissions violation.

Alternately, the Reorder button does not appear in the first place.

Observed Behavior

The button is available to users within the restricted group and the edit is saved.

Azmodeszer, Jun 21 '24 08:06
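
The behaviour reported above, next to the expected one, as an added example that is not part of the original issue and is neither NetBox nor plugin code. It is a simplified, constructed model of constraint-based object permissions; every class, function and sample value in it is hypothetical.

```python
# Constructed model of constraint-based object permissions; not NetBox or plugin code.
from dataclasses import dataclass, field

class PermissionViolation(Exception):
    """Raised when an edit is not covered by the user's object-level permissions."""

@dataclass
class ObjectPermission:
    actions: set       # e.g. {"add", "change"}
    constraints: dict  # attribute -> required value, e.g. {"status": "planned"}

    def allows(self, action, obj):
        return action in self.actions and all(
            getattr(obj, attr, None) == value
            for attr, value in self.constraints.items())

@dataclass
class Device:
    name: str
    status: str
    position: int

@dataclass
class User:
    name: str
    permissions: list = field(default_factory=list)

    def can(self, action, obj):
        return any(p.allows(action, obj) for p in self.permissions)

def reorder_unchecked(user, device, new_position):
    # Observed behaviour in the report: the new rack unit is saved without any check.
    device.position = new_position

def reorder_checked(user, device, new_position):
    # Expected behaviour: test "change" against this specific object before saving.
    if not user.can("change", device):
        raise PermissionViolation(f"{user.name} may not change {device.name}")
    device.position = new_position

def show_reorder_button(user, devices):
    # Assumption of this example: offer the button only if at least one device is editable.
    return any(user.can("change", d) for d in devices)

# Constructed sample data: a restricted group limited to objects with status "planned".
restricted = User("restricted", [ObjectPermission({"add", "change"}, {"status": "planned"})])
active = Device("sw-01", "active", 10)
planned = Device("sw-02", "planned", 20)
```

The check runs in the server-side save path, so it holds even when the button is hidden or the request is sent directly.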