permissions are not respected with /dcim/connected-device api

[sthiriet]

NetBox version

v2.11.12

Python version

3.8

Steps to Reproduce

1. Enable permissions
2. As admin, create objects required to have data returned by API /dcim/connected-device (devices, interfaces, cables,...)
3. As admin, create a user with no permissions or only on virtualization->cluster for example
4. Use this user to call GET ​/dcim​/connected-device​/ API with correct parameters

curl -X GET "https://demo.netbox.dev/api/dcim/connected-device/?peer_device=dmi01-akron-sw01&peer_interface=GigabitEthernet1%2F0%2F1" -H  "accept: application/json" -H "Authorization: ....."

Expected Behavior

As user has no permission on dcim, nothing should be returned, but hard to say what should be the necessary permissions.

Observed Behavior

response body contains data that user should probably not be able to access:

{
  "id": 1,
  "url": "https://demo.netbox.dev/api/dcim/devices/1/",
  "display": "dmi01-akron-rtr01",
  "name": "dmi01-akron-rtr01",
  "display_name": "dmi01-akron-rtr01",
  "device_type": {
    "id": 6,
    "url": "https://demo.netbox.dev/api/dcim/device-types/6/",
    "display": "ISR 1111-8P",
    "manufacturer": {
      "id": 3,
      "url": "https://demo.netbox.dev/api/dcim/manufacturers/3/",
      "display": "Cisco",
      "name": "Cisco",
      "slug": "cisco"
    },
    "model": "ISR 1111-8P",
    "slug": "isr1111",
    "display_name": "Cisco ISR 1111-8P"
  },
  "device_role": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/device-roles/1/",
    "display": "Router",
    "name": "Router",
    "slug": "router"
  },
  "tenant": {
    "id": 5,
    "url": "https://demo.netbox.dev/api/tenancy/tenants/5/",
    "display": "Dunder-Mifflin, Inc.",
    "name": "Dunder-Mifflin, Inc.",
    "slug": "dunder-mifflin"
  },
  "platform": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/platforms/1/",
    "display": "Cisco IOS",
    "name": "Cisco IOS",
    "slug": "cisco-ios"
  },
  "serial": "",
  "asset_tag": null,
  "site": {
    "id": 2,
    "url": "https://demo.netbox.dev/api/dcim/sites/2/",
    "display": "DM-Akron",
    "name": "DM-Akron",
    "slug": "dm-akron"
  },
  "location": null,
  "rack": {
    "id": 1,
    "url": "https://demo.netbox.dev/api/dcim/racks/1/",
    "display": "Comms closet",
    "name": "Comms closet",
    "display_name": "Comms closet"
  },
  "position": 4,
  "face": {
    "value": "front",
    "label": "Front"
  },
  "parent_device": null,
  "status": {
    "value": "active",
    "label": "Active"
  },
  "primary_ip": null,
  "primary_ip4": null,
  "primary_ip6": null,
  "cluster": null,
  "virtual_chassis": null,
  "vc_position": null,
  "vc_priority": null,
  "comments": "",
  "local_context_data": null,
  "tags": [],
  "custom_fields": {},
  "created": "2020-12-20",
  "last_updated": "2020-12-20T02:51:03.257000Z"
}

[xraurp]

I wonder why this is not a bug. Other endpoints like /api/dcim/devices/ requires user permissions even if LOGIN_REQUIRED is false. Why this one should be left unsecured?

I guess the correct permissions should be dcim.view_device and dcim.view_interface because device and interface are passed in as query parameters. Other endpoints requires permissions based on parameters. For example the /api/dcim/devices/ takes device id as parameter and requires dcim.view_device.
Endpoint should respect permissions at least when LOGIN_REQUIRED is True.
Correct me if I'm mistaken.

[xraurp]

I have fix for this, assign me and I'll create pull request.

[jeremystretch]

After some digging, it's clear there's a bit more work needed on this endpoint. I'm going to merge a fix to both improve permissions handling and to avoid raising an exception when the connected object is not a device. Thanks @xraurp!