netbox icon indicating copy to clipboard operation
netbox copied to clipboard
verified publisher icon netbox-community

Fixes: #15924 - Prevent API payload from allowing tagged_vlans while interface mode is set to tagged-all

Open DanSheps opened this issue 1 year ago • 2 comments

Fixes: #15924 and #17249 - Prevent API payload from allowing tagged_vlans while interface mode is set to taged-all and prevent API from allowing untagged_vlan when no 802.1q mode is set.

  • Prevent API (or any API write function) which includes untagged_vlan with interface 802.1q mode is not set
  • Prevent API (or any API write function) which includes tagged_vlans with interface mode set to tagged-all

DanSheps avatar Aug 20 '24 01:08 DanSheps

This PR has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further action is taken.

github-actions[bot] avatar Sep 15 '24 04:09 github-actions[bot]

Per maintainer meeting, need to refactor logic to try and streamline the checks.

DanSheps avatar Sep 16 '24 14:09 DanSheps

We should really have a code standard for this - validation in one central place. Note: Asking, if you don't think it's feasible please push back.

You cannot check the many to many relationship on the clean in the model, which is the main driver of this change. You wouldn't set the many to many field and save on the model anyways, you would need to set() or add().

Now, we could make a Mixin which handles the validation and call that from both the API and form and at least consolidate the logic there (I did briefly think about this), but the datastructure in the API and the form is slightly different.

I would have preferred to do this on the database too but alas there is no way to perform the check.

DanSheps avatar Feb 25 '25 22:02 DanSheps

FYI: Tested this, the code between the form validation and the serializer validation is unfortunately too different to really support a common check (ex: form uses self.get_intial_for_field to obtain the field data from the instance, whereas api just checks the instance. Changing this to only use instance might have worked, but form as a non "None" instance for creation which means you need to check for pk in the validating function vs api which just has a None.

There are other differences too, I think, unfortunately, it makes more sense to just check on the serializer/form.

DanSheps avatar Feb 26 '25 14:02 DanSheps

After some discussion, we've decided to ship this fix in v4.2 as it doesn't quite rise to the threshold of a breaking change. I'll merge this into main as well.

jeremystretch avatar Feb 27 '25 17:02 jeremystretch