
User and group queries are not properly restricted via GraphQL API in v4.0.2 Re-Open #16228

Closed
@marsteel


Deployment Type

Self-hosted

NetBox Version

v4.0.2

Python Version

3.10

Steps to Reproduce

This is to re-open #7814

1. Create New Group netbox-graphql. Don't add any permission to the group.
2. Add new user to the group
3. Login as new user
4. Access https://netbox/graphql

query {
  user_list {
    username
    password
  }
}

Username and hash in password returned.

Expected Behavior

Empty result returned because the user is in a group without permission to Group/User view.

Observed Behavior

All usernames and hashes in the database returned.
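
The observed and expected behaviour above, modelled as an added example that is not part of the original issue and is not NetBox code: an unrestricted resolver beside a hardened one, plus a regression check that replays the issue's query as the permissionless user. The permission string `users.view_user`, the resolver functions, `audit` and the sample rows are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

SENSITIVE_FIELDS = {"password"}   # fields the API type should never expose
VIEW_PERM = "users.view_user"     # hypothetical permission name

@dataclass
class User:
    username: str
    password: str                                   # stored hash (constructed values)
    permissions: set = field(default_factory=set)

# Constructed sample rows; the second user mirrors the permissionless group member.
DB = [
    User("admin", "pbkdf2_sha256$constructed$aaaa", {VIEW_PERM}),
    User("graphql-user", "pbkdf2_sha256$constructed$bbbb"),
]

def resolve_user_list_unrestricted(requester, fields):
    """Observed behaviour: every row and every requested field is returned."""
    return [{f: getattr(u, f) for f in fields} for u in DB]

def resolve_user_list_restricted(requester, fields):
    """Expected behaviour: sensitive fields rejected, rows gated on view permission."""
    blocked = SENSITIVE_FIELDS & set(fields)
    if blocked:
        raise ValueError(f"cannot query field(s): {sorted(blocked)}")
    if VIEW_PERM not in requester.permissions:
        return []                                   # empty result, as the issue expects
    return [{f: getattr(u, f) for f in fields} for u in DB]

def audit(resolver, requester):
    """Replay the issue's query as `requester` and list what leaked."""
    try:
        rows = resolver(requester, ["username", "password"])
    except ValueError:
        rows = resolver(requester, ["username"])    # retry without the blocked field
    findings = []
    if rows and VIEW_PERM not in requester.permissions:
        findings.append("rows returned without view permission")
    if any("password" in row for row in rows):
        findings.append("password hash exposed")
    return findings

if __name__ == "__main__":
    restricted_user = DB[1]
    print("unrestricted:", audit(resolve_user_list_unrestricted, restricted_user))
    print("restricted:  ", audit(resolve_user_list_restricted, restricted_user))
```

The same two checks (no rows without view permission, no `password` key in any row) are what a regression test against the real endpoint would assert.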


Labels

severity: high (Completely breaks certain functions, or substantially degrades performance application-wide)
status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)