Omit non-permitted item groups in views

[markkuleinio]

NetBox version

v3.7.3

Feature type

Change to existing functionality

Proposed functionality

Currently the menu items for which the user doesn't have permission are not shown in the main menu.

I'm proposing also omitting the related item groups in the views.

Example: user does not have permission to view IPAM>Services. When the user views a device, there is an empty Services box:

I'm proposing that the empty box is omitted.

At the same time (when viewing the device) a Django warning is logged (provided that django logger is configured):

2024-02-28 09:35:40,339 django.request WARNING: Forbidden (Permission denied): /ipam/services/
Traceback (most recent call last):
...
  File "/opt/netbox/netbox/netbox/views/generic/base.py", line 77, in dispatch
    return super().dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/netbox/netbox/utilities/views.py", line 104, in dispatch
    return self.handle_no_permission()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/netbox/venv/lib/python3.11/site-packages/django/contrib/auth/mixins.py", line 48, in handle_no_permission
    raise PermissionDenied(self.get_permission_denied_message())
django.core.exceptions.PermissionDenied

I'd expect there would be no PermissionDenied errors in the logs when the users themselves are accessing the views they are permitted to (it's the app that generates the non-permitted attempts in the background, not the user). But this is a side note.

Use case

One major use case for removing the View permissions for models is to improve the user experience for non-admin users: don't show the models (menu items) that are not accessible anyway, or used at all in the specific NetBox implementation. This proposal extends the same idea to the model views (= don't show the boxes that won't be populated anyway, preventing questions like "what does Services mean in our devices, there aren't any").

I believe quite many model views are concerned, examples (potentially non-permitted boxes mentioned):

• Site view (Images, Locations, Non-Racked Devices)
• Location view (Images, Non-Racked Devices)
• Rack view (Images)
• Device view (Services, Images, Virtual Device Contexts)
• VLAN view (Prefixes)
• and so on

Database changes

None I think

External dependencies

None

[jeremystretch]

Seems like a pretty steep effort-to-value ratio IMO but I've opened this for volunteers.

[jeremystretch]

@abhi1693 are you still planning to work on this?

[alehaa]

I think we can add this functionality with the changes of #15876 by simply filtering the generated list of relations by "can view" permissions.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

[github-actions]

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.