Skip to content

Permisson to view secrets does not work #2869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
marendres opened this issue Feb 11, 2019 · 4 comments
Closed

Permisson to view secrets does not work #2869

marendres opened this issue Feb 11, 2019 · 4 comments

Comments

@marendres
Copy link

Environment

  • Python version: 3.5.2
  • NetBox version: 2.5.5

Detailed Description

We are using secrets to store passwords and they are only available for users with the superuser flag. Normal users are not permitted to decrypt and view them, even if they have been granted all permissions (which should be the same as the superuser status). It is possible for normal users to create and delete secrets and also possible to strip them from those permissions, but they can not view them, even if they created the secret themselves.

Steps to Reproduce

  1. create secret
  2. login as user with permissions to view secrets, but no superuser
  3. try to open/display secret

decrypt and display the secret

"You do not have permission to decrypt this secret."
@jeremystretch
Copy link
Member

The view permissions were introduced in Django 2.1 and are not yet used by NetBox. Please see the v2.5 release notes. The error message is displayed because the user does not have an active user key for decryption.

@apallier
Copy link

Hi, I have the same issue with Netbox 2.6.6.

Behavior observed:

  • Only a superuser can decrypt password everywhere.
  • At "view" screen, a "normal" user can't decrypt even if her user key is active (gray "Unlock" button).
  • The only way for a "normal" user to see a secret is to go at the "editing" screen ("Edit this secret" button). Here, the password can be decrypted (green "Unlock" button).

Is it the expected behavior?

@DanSheps
Copy link
Member

First, upgrade to the latest stable

Second, if you experience the same issue, provide reproducible steps here for us to follow. If it is a slightly different issues please open a new issue following one of the templates

@marendres
Copy link
Author

Upgraded to the latest stable version (2.7.4) but the problem still persists. It is the same problem @apallier seems to have. A user can have all permissions but is not able to decrypt secrets in the device overview, only in the editing screen of the secret itself.
On the device overview the "Unlock" is grey and there is an alttext "Permission denied" if you hoover over it.

@anatole-tol anatole-tol mentioned this issue Feb 12, 2020
Closed
@lock lock bot locked as resolved and limited conversation to collaborators May 20, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@apallier @DanSheps @jeremystretch @marendres