Define a robust mechanism for selecting permissionable ObjectTypes #540

New Issue

MrUnknownDE · 2026-04-05T16:41:27+02:00

MrUnknownDE commented

2026-04-05 16:41:27 +02:00

Originally created by @pheus on 1/17/2026

Proposed Changes

As a follow-up to #21051 (where we applied a short-term filter to keep internal/third-party models out of the ObjectPermission object type selector), I’d like to propose defining a long-term, explicit mechanism for determining which models/ObjectTypes are eligible for object permissions.

High-level ideas (one or a combination):

Introduce an explicit “permissionable” signal for models (e.g. a new model flag or a feature on ObjectType) and use that to build the selector.
Ensure this mechanism cleanly supports:
- user-facing/public models, and
- private/internal models that still need object permission support (e.g. for scripts/files/tagged objects), without relying on hardcoded exceptions.
Add/adjust tests so that dependency/tooling apps cannot accidentally appear in the selector again.
(Optional) Align this with the broader “user-facing models” work (e.g. #13427) so we have one consistent source of truth.

Justification

The short-term fix improves the UX immediately, but it still leaves us with a maintenance challenge: deciding which ObjectTypes are valid targets for ObjectPermissions shouldn’t require continually updating denylists or adding special cases whenever NetBox (or an environment) gains new models.

A dedicated, explicit mechanism would:

prevent regressions where internal/dependency models show up in the selector,
provide a clear contract for core + plugin models,
avoid accidentally hiding models that legitimately need permission enforcement,
and make future changes easier to review and reason about.

*Originally created by @pheus on 1/17/2026* ### Proposed Changes As a follow-up to #21051 (where we applied a short-term filter to keep internal/third-party models out of the ObjectPermission object type selector), I’d like to propose defining a **long-term, explicit mechanism** for determining which models/ObjectTypes are eligible for object permissions. High-level ideas (one or a combination): - Introduce an explicit “permissionable” signal for models (e.g. a new model flag or a feature on `ObjectType`) and use that to build the selector. - Ensure this mechanism cleanly supports: - user-facing/public models, and - private/internal models that *still* need object permission support (e.g. for scripts/files/tagged objects), without relying on hardcoded exceptions. - Add/adjust tests so that dependency/tooling apps cannot accidentally appear in the selector again. - (Optional) Align this with the broader “user-facing models” work (e.g. #13427) so we have one consistent source of truth. ### Justification The short-term fix improves the UX immediately, but it still leaves us with a maintenance challenge: deciding which ObjectTypes are valid targets for ObjectPermissions shouldn’t require continually updating denylists or adding special cases whenever NetBox (or an environment) gains new models. A dedicated, explicit mechanism would: - prevent regressions where internal/dependency models show up in the selector, - provide a clear contract for core + plugin models, - avoid accidentally hiding models that legitimately need permission enforcement, - and make future changes easier to review and reason about.

Sign in to join this conversation.

Branches Tags

main

21455-sql-indexes-audit

21357-register-model-actions

feature

20924-plugin-ui-components

21766-improve-test-coverage-for-sortable-table-columns

21157-export-template-public-models

21025-pre-render-config-contexts

21364-swagger

feature-ip-prefix-link

20911-dropdown-3

fix_module_substitution

21160-filterset

20911-dropdown-2

20044-elevation-stuck-lightmode

7604-filter-modifiers-v3

20660-script-load

19724-graphql

14884-script

19720-macaddress-interface-generic-relation

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

No Label netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping type: housekeeping

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/netbox#540