Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User and group queries are not properly restricted via GraphQL API in v4.0.2 Re-Open #16228

Closed
marsteel opened this issue May 21, 2024 · 2 comments · Fixed by #16229
Closed

User and group queries are not properly restricted via GraphQL API in v4.0.2 Re-Open #16228

marsteel opened this issue May 21, 2024 · 2 comments · Fixed by #16229
Assignees
@jeremystretch
Labels
severity: high Completely breaks certain functions, or substantially degrades performance application-wide status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application

Comments

@marsteel
Copy link

Deployment Type

Self-hosted

NetBox Version

v4.0.2

Python Version

3.10

Steps to Reproduce

This is is to re-opent #7814

Create New Group netbox-graphql. Don't add any permission to the group.
Add new user to the group
Login as new user
Access https://netbox/graphql

query {
user_list{
username
password
}
}

Username and hash in password returned.

Expected Behavior

Empty result retured because the user in a group without permission to Group/User view.

Observed Behavior

All Username and hash in Database returned.
@marsteel marsteel added status: needs triage This issue is awaiting triage by a maintainer type: bug A confirmed report of unexpected behavior in the application labels May 21, 2024
@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation severity: high Completely breaks certain functions, or substantially degrades performance application-wide and removed status: needs triage This issue is awaiting triage by a maintainer labels May 21, 2024
jeremystretch added a commit that referenced this issue May 21, 2024
@jeremystretch
Fixes #16228: Fix permissions enforcement for GraphQL queries of user…
2f2a785 
…s & groups
@jeremystretch jeremystretch mentioned this issue May 21, 2024
Merged
@jeremystretch
Copy link
Member

Users who need to remediate this immediately can set GRAPHQL_ENABLED = False in configuration.py temporarily to disable the GraphQL API.

jeremystretch added a commit that referenced this issue May 21, 2024
@jeremystretch
Fixes #16228: Fix permissions enforcement for GraphQL queries of user…
a3b34c7 
…s & groups
jeremystretch added a commit that referenced this issue May 21, 2024
@jeremystretch
Changelog for #13764, #14653, #15082, #15603, #15962, #16164, #16173, #…
97f8f94 
…16228
@kiraum
Copy link

kiraum commented May 21, 2024

Just noticed the same, token without permissions, and able to get data via graphql.

>>> response.json()
{'data': {'asn': {'asn': 666}}

2024-05-21 21:06:52 UTC 67cf2994a159 (v4.0.2)

@jeremystretch jeremystretch mentioned this issue May 22, 2024
Merged
@arthanson arthanson mentioned this issue May 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeremystretch jeremystretch

Labels
severity: high Completely breaks certain functions, or substantially degrades performance application-wide status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application
Projects
None yet
Milestone
No milestone
3 participants
@marsteel @kiraum @jeremystretch