Define a configurable set of default permissions #13038

Closed
jeremystretch opened this issue Jun 28, 2023 · 1 comment
Labels
status: accepted This issue has been accepted for implementation type: feature Introduction of new functionality to the application

@jeremystretch
Member

NetBox version

v3.5.4

Feature type

New functionality

Proposed functionality

Expose a new configuration parameter DEFAULT_PERMISSIONS defining a two-tuple of permission names and constraints. For example:

DEFAULT_PERMISSIONS = (
    ("dcim.delete_site", {"status": "retired"}),
)

The defined permissions and constraints will apply to all authenticated users, obviating the need for an administrator to explicitly assign them. Administrators can define their own DEFAULT_PERMISSIONS to override or extend the default values.

At some point in the future, this might replace the need for the EXEMPT_VIEW_PERMISSIONS configuration parameter; however, its deprecation is not implied by this proposal.

Use case

There are two specific use cases driving this proposal.

API Tokens

NetBox currently allows every user to manage their own API tokens via the web user interface, regardless of permissions assigned. There have been requests to restrict this ability; however, to date no specific solution has been proposed.

This FR would unlock the ability to restrict token creation by setting the following default permissions:

DEFAULT_PERMISSIONS = (
    ("users.add_token", {"user": "$user"}),
    ("users.change_token", {"user": "$user"}),
    ("users.delete_token", {"user": "$user"}),
)

These default permissions would grant the ability to each user to create, edit, and delete their own tokens, obviating the need for unique logic effecting this in the UI views. Administrators who wish to restrict this ability can override the DEFAULT_PERMISSIONS configuration parameter to remove these permissions.

Bookmarks

#8248 proposes the ability for users to bookmark arbitrary objects in NetBox for their convenience (similar to how a web browser allows its user to bookmark web pages). As bookmarks are only ever relevant to the user who owns them, it seems reasonable to grant all users permission to bookmark objects by default. Similar to API tokens, this could be done by declaring default permissions to this effect, which can be overridden by a local administrator if needed.

Database changes

None

External dependencies

None
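A simplified model of how the proposed token defaults would be evaluated, added here as an illustration and not NetBox's own code. `Token`, `resolve`, `allowed` and `audit` are hypothetical names, and constraints are assumed to be exact attribute matches with `$user` standing for the requesting user.

```python
from dataclasses import dataclass

# Value proposed in the issue for per-user token management.
DEFAULT_PERMISSIONS = (
    ("users.add_token", {"user": "$user"}),
    ("users.change_token", {"user": "$user"}),
    ("users.delete_token", {"user": "$user"}),
)

_MISSING = object()  # sentinel so a missing attribute never matches a constraint


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a token object; only the owner matters here."""
    user: str


def resolve(constraints, username):
    """Replace the "$user" placeholder with the requesting user's name."""
    return {k: username if v == "$user" else v for k, v in constraints.items()}


def allowed(username, perm, obj, defaults, authenticated=True):
    """Return True if a default permission grants `perm` on `obj`.

    Assumption: only default permissions are modelled, not explicitly
    assigned ones, and each constraint is an exact attribute match.
    """
    if not authenticated:
        return False  # defaults apply to authenticated users only
    for name, constraints in defaults:
        if name != perm:
            continue
        wanted = resolve(constraints or {}, username)
        if all(getattr(obj, a, _MISSING) == v for a, v in wanted.items()):
            return True
    return False  # deny when no default permission matches


def audit(defaults):
    """List token permissions granted to every user without an owner constraint."""
    return [name for name, constraints in defaults
            if name.endswith("_token")
            and (constraints or {}).get("user") != "$user"]
```

An entry with empty constraints applies to every object of that type for every authenticated user, which is the case `audit` flags when reviewing a locally overridden `DEFAULT_PERMISSIONS`.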

@jeremystretch jeremystretch added type: feature Introduction of new functionality to the application status: under review Further discussion is needed to determine this issue's scope and/or implementation labels Jun 28, 2023
@ITJamie
Contributor

ITJamie commented Jun 28, 2023

One possible permission addition on this: the ability to "view" tokens,
so that users with view permission could be allowed to view their existing tokens but users without it would not be able to see their token strings in full.

If a user doesn't have the "view" they wouldn't be able to see their token strings in full (maybe allow the first few or last few characters).

@jeremystretch jeremystretch self-assigned this Jul 30, 2023
@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation and removed status: under review Further discussion is needed to determine this issue's scope and/or implementation labels Jul 30, 2023
@jeremystretch jeremystretch added this to the v3.6 milestone Jul 30, 2023
jeremystretch added a commit that referenced this issue Jul 30, 2023
* Introduce the DEFAULT_PERMISSIONS config parameter

* Establish default permissions for user token management
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2023