Omit non-permitted item groups in views

Open markkuleinio opened this issue 1 year ago • 1 comments

NetBox version

v3.7.3

Feature type

Change to existing functionality

Proposed functionality

Currently the menu items for which the user doesn't have permission are not shown in the main menu.

I'm proposing also omitting the related item groups in the views.

Example: user does not have permission to view IPAM>Services. When the user views a device, there is an empty Services box:

image

I'm proposing that the empty box is omitted.

At the same time (when viewing the device) a Django warning is logged (provided that django logger is configured):

2024-02-28 09:35:40,339 django.request WARNING: Forbidden (Permission denied): /ipam/services/
Traceback (most recent call last):
...
  File "/opt/netbox/netbox/netbox/views/generic/base.py", line 77, in dispatch
    return super().dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/netbox/netbox/utilities/views.py", line 104, in dispatch
    return self.handle_no_permission()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/netbox/venv/lib/python3.11/site-packages/django/contrib/auth/mixins.py", line 48, in handle_no_permission
    raise PermissionDenied(self.get_permission_denied_message())
django.core.exceptions.PermissionDenied

I'd expect there would be no PermissionDenied errors in the logs when the users themselves are accessing the views they are permitted to (it's the app that generates the non-permitted attempts in the background, not the user). But this is a side note.

Use case

One major use case for removing the View permissions for models is to improve the user experience for non-admin users: don't show the models (menu items) that are not accessible anyway, or used at all in the specific NetBox implementation. This proposal extends the same idea to the model views (= don't show the boxes that won't be populated anyway, preventing questions like "what does Services mean in our devices, there aren't any").

I believe quite many model views are concerned, examples (potentially non-permitted boxes mentioned):

  • Site view (Images, Locations, Non-Racked Devices)
  • Location view (Images, Non-Racked Devices)
  • Rack view (Images)
  • Device view (Services, Images, Virtual Device Contexts)
  • VLAN view (Prefixes)
  • and so on

Database changes

None I think

External dependencies

None

markkuleinio avatar Feb 28 '24 08:02 markkuleinio

Seems like a pretty steep effort-to-value ratio IMO but I've opened this for volunteers.

jeremystretch avatar Apr 03 '24 14:04 jeremystretch

@abhi1693 are you still planning to work on this?

jeremystretch avatar May 21 '24 18:05 jeremystretch

I think we can add this functionality with the changes of #15876 by simply filtering the generated list of relations by "can view" permissions.

alehaa avatar May 28 '24 21:05 alehaa
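
A sketch of the filtering suggested in the last comment, added here as an example and not taken from NetBox or from #15876. The panel registry, the `(app_label, model)` pairs, `StubUser` and `visible_panels` are assumptions for illustration; only the `<app_label>.view_<model>` permission naming is Django's default convention.

```python
from dataclasses import dataclass, field

# Constructed panel registry for the Device view, using the boxes named in the
# issue. The (app_label, model) pairs are assumptions made for this example.
DEVICE_PANELS = [
    ("Services", "ipam", "service"),
    ("Images", "extras", "imageattachment"),
    ("Virtual Device Contexts", "dcim", "virtualdevicecontext"),
]


def view_perm(app_label: str, model: str) -> str:
    """Django's default permission name for viewing a model."""
    return f"{app_label}.view_{model}"


@dataclass
class StubUser:
    """Stand-in for a Django user; only has_perm() is used here."""
    perms: set = field(default_factory=set)
    is_superuser: bool = False

    def has_perm(self, perm: str) -> bool:
        return self.is_superuser or perm in self.perms


def visible_panels(user, panels):
    """Return (shown, omitted) panel titles for this user.

    A panel is rendered only when the user may view the related model, so the
    page never issues the background request that ends in PermissionDenied.
    """
    shown, omitted = [], []
    for title, app_label, model in panels:
        allowed = user.has_perm(view_perm(app_label, model))
        (shown if allowed else omitted).append(title)
    return shown, omitted


if __name__ == "__main__":
    # Constructed user: may view devices and image attachments only.
    operator = StubUser(perms={"dcim.view_device", "extras.view_imageattachment"})
    shown, omitted = visible_panels(operator, DEVICE_PANELS)
    print("render:", shown)
    print("omit:  ", omitted)
```

Omitting the panel only changes what is rendered; the permission check on the list endpoint itself stays in place as the actual enforcement.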