Skip to content

Permission constraint doesn't work on sync action #15582

New issue
New issue
Closed
#15704
Closed
Permission constraint doesn't work on sync action#15582
#15704
Assignees
arthanson
Labels
severity: mediumResults in substantial degraded or broken functionality for specfic workflowsstatus: acceptedThis issue has been accepted for implementationtype: bugA confirmed report of unexpected behavior in the application
@llamafilm

Description

@llamafilm
llamafilm
opened on Mar 29, 2024

Deployment Type

Self-hosted

NetBox Version

v3.7.3

Python Version

3.11

Steps to Reproduce

  1. Create a user permission with object type: Core > Data Source. Allow add, view, and sync actions. Add constraint: {"id": 4}.
  2. Create an API token for this user
  3. Sync a different data source: curl -X POST -H "Authorization: Token $TOKEN" -H "Accept: application/json" http://localhost:8001/api/core/data-sources/7/sync/

Additional Context

I'd like to sync this git data source it as a post-commit hook when I make changes to the scripts. So I want to restrict this user permission to only one data source.

The constraint works properly on the view action. If I GET /api/core/data-sources/7/ I get a response: {"detail":"Not found."}.

Expected Behavior

I should get a permission denied error.

Observed Behavior

It works.

Metadata

Metadata

Assignees

Labels

severity: mediumResults in substantial degraded or broken functionality for specfic workflowsstatus: acceptedThis issue has been accepted for implementationtype: bugA confirmed report of unexpected behavior in the application

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions