Enable referencing the current user when evaluating permission constraints #9074

Closed
jeremystretch opened this issue Apr 7, 2022 · 3 comments
Labels
status: accepted This issue has been accepted for implementation type: feature Introduction of new functionality to the application

@jeremystretch
Member

NetBox version

v3.2.0

Feature type

New functionality

Proposed functionality

When assigning user and group permissions in NetBox, an administrator can attach certain constraints to effect object-level permissions. These constraints can evaluate object attributes but are currently limited to referencing static values.

This FR proposes a mechanism to allow constraints to reference the current user when evaluating rules. For example, the following constraint might be used to permit a user to delete only his or her own journal entries:

{
  "created_by": "$USER"
}

(I'm open to ideas about the preferred variable structure; $USER seemed like a reasonable placeholder.)

I still need to look more into the implementation details, but it seems reasonable to assume that the current user will always be available in the context of permissions evaluation.

Use case

This would allow for more dynamic constraint definitions, and avoid the need to define unique rules per user.

Database changes

No response

External dependencies

No response
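
One way the `$USER` placeholder from the issue above could be resolved before a constraint is evaluated, as an added example that is not NetBox's code. The function names, the dict-shaped objects, the in-memory matcher (equality and `__in` only, a list of dicts treated as OR) and the use of the user's ID as the substituted value are assumptions of this example.

```python
# Added illustration, not NetBox code; all names here are hypothetical.
USER_TOKEN = "$USER"  # placeholder proposed in the issue


def resolve_tokens(value, user_id):
    """Return a copy of a constraint with exact-match tokens replaced."""
    if isinstance(value, dict):
        return {k: resolve_tokens(v, user_id) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve_tokens(v, user_id) for v in value]
    if value == USER_TOKEN:
        if user_id is None:
            # No authenticated user: fail closed rather than let None
            # match objects whose creator field is empty.
            raise PermissionError("constraint needs a user, none is set")
        return user_id
    # A value that merely contains the token stays a literal string.
    return value


def matches(obj, constraints):
    """Check resolved constraints against one dict-shaped object."""
    if isinstance(constraints, list):
        return any(matches(obj, c) for c in constraints)
    for key, expected in constraints.items():
        field, _, lookup = key.partition("__")
        if lookup == "in":
            ok = obj.get(field) in expected
        elif lookup == "":
            ok = obj.get(field) == expected
        else:
            raise ValueError(f"unsupported lookup: {key}")
        if not ok:
            return False
    return True


def can_delete(obj, constraints, user_id):
    return matches(obj, resolve_tokens(constraints, user_id))


# Constructed sample data: journal entries keyed by creator ID.
ENTRIES = [
    {"id": 1, "created_by": 7, "comments": "mine"},
    {"id": 2, "created_by": 9, "comments": "mentions $USER literally"},
    {"id": 3, "created_by": None, "comments": "no recorded creator"},
]
CONSTRAINT = {"created_by": "$USER"}


def deletable_ids(user_id):
    return [e["id"] for e in ENTRIES if can_delete(e, CONSTRAINT, user_id)]
```
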

@jeremystretch jeremystretch added type: feature Introduction of new functionality to the application status: under review Further discussion is needed to determine this issue's scope and/or implementation labels Apr 7, 2022
@sdktr
Contributor

sdktr commented Apr 8, 2022

Do you want to limit this to the static (referencing the database record) $user context, or allow the expansion to other 'session variables'? Like: $request.headers.x-rbac-tenant?

@jeremystretch
Member Author

The request isn't available as context when evaluating the permissions.

@github-actions
Contributor

github-actions bot commented Jun 8, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

@github-actions github-actions bot added the pending closure Requires immediate attention to avoid being closed for inactivity label Jun 8, 2022
@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation and removed status: under review Further discussion is needed to determine this issue's scope and/or implementation pending closure Requires immediate attention to avoid being closed for inactivity labels Jun 28, 2022
@jeremystretch jeremystretch added this to the v3.3 milestone Jun 28, 2022
jeremystretch added a commit that referenced this issue Jul 1, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 30, 2022