
User and group queries are not properly restricted via GraphQL API #7814

Closed
@jeremystretch

Description


NetBox version

v3.0.9

Python version

3.8

Steps to Reproduce

  1. Log into NetBox as a user without permission to view user or group objects
  2. Navigate to the GraphQL API view (/graphql/)
  3. Enter the following query:
     query {
       user_list {
         username
         password
       }
     }

Expected Behavior

The query should return an empty list due to insufficient permissions.

Observed Behavior

The results are not filtered. This is due to a missing call to restrict() on the queryset for these models. (These models are provided by the Django framework, so they're handled a bit differently than native NetBox models.)
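To make the bug shape concrete, here is an added, self-contained Python illustration (not NetBox's code). It models a Django-style queryset with a NetBox-like restrict(user, action) method, then shows a GraphQL-style list resolver both without the call (the behaviour reported above) and with it. The User class, the in-memory RestrictedQuerySet, the permission layout, and the sample users are all constructed for this example; the real NetBox method lives on its ORM RestrictedQuerySet and evaluates ObjectPermission constraints as database filters.

```python
"""Illustration of a list resolver that forgets to call restrict().

Added example, not NetBox code. Users, permissions and the queryset stand-in
are constructed inline so the module runs offline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    password: str  # the (hashed) password field the reported query exposes
    is_superuser: bool = False
    # Object permissions: action -> list of constraint dicts.
    # An empty dict {} means "all objects"; several dicts are OR'ed,
    # which mirrors how NetBox ObjectPermission constraints combine.
    perms: dict = field(default_factory=dict)


class RestrictedQuerySet:
    """Minimal in-memory stand-in for a queryset that can filter itself by
    the requesting user's object permissions (assumed API, modelled on
    NetBox's RestrictedQuerySet.restrict(user, action='view'))."""

    def __init__(self, objects):
        self._objects = list(objects)

    def all(self):
        return RestrictedQuerySet(self._objects)

    def restrict(self, user, action="view"):
        if user.is_superuser:
            return self.all()
        constraints = user.perms.get(action)
        if constraints is None:
            # No permission for this action: the queryset becomes empty.
            return RestrictedQuerySet([])

        def allowed(obj):
            return any(
                all(getattr(obj, k) == v for k, v in c.items()) for c in constraints
            )

        return RestrictedQuerySet(o for o in self._objects if allowed(o))

    def values(self, *fields):
        # Shape the result like the GraphQL selection set {username password}.
        return [{f: getattr(o, f) for f in fields} for o in self._objects]


def resolve_user_list_unrestricted(queryset, request_user):
    """Buggy shape: the resolver never consults the requesting user."""
    return queryset.all().values("username", "password")


def resolve_user_list_restricted(queryset, request_user):
    """Fixed shape: apply restrict() with the requesting user and 'view'."""
    return queryset.all().restrict(request_user, "view").values("username", "password")


# Constructed sample data.
ADMIN = User("admin", "hash-of-admin", is_superuser=True)
# alice may view only her own user object (constraint on username).
ALICE = User("alice", "hash-of-alice", perms={"view": [{"username": "alice"}]})
# bob has no view permission on users at all.
BOB = User("bob", "hash-of-bob")
QUERYSET = RestrictedQuerySet([ADMIN, ALICE, BOB])


if __name__ == "__main__":
    print("bob, no restrict():", resolve_user_list_unrestricted(QUERYSET, BOB))
    print("bob, restricted:   ", resolve_user_list_restricted(QUERYSET, BOB))
    print("alice, restricted: ", resolve_user_list_restricted(QUERYSET, ALICE))
```

Run as a script: the unrestricted resolver hands bob every user's password hash, the restricted one returns an empty list for him and only alice's own row for alice, which is the expected behaviour stated in the issue.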

Labels

status: accepted (This issue has been accepted for implementation); type: bug (A confirmed report of unexpected behavior in the application)