ObjectPermission object type selector includes internal/third-party models #673

New Issue

MrUnknownDE · 2026-04-05T17:05:56+02:00

MrUnknownDE commented

2026-04-05 17:05:56 +02:00

Originally created by @pheus on 12/29/2025

NetBox Edition

NetBox Community

NetBox Version

v4.4.8

Python Version

3.12

Steps to Reproduce

Navigate to Admin → Permissions (or go to /users/permissions/add/)
Click Add (create a new Object Permission)
In the Object types selector, scroll/search for terms like ObjectType, cached, queue, etc.
Observe that internal/third-party models appear in the selectable list

Expected Behavior

The Object types selector should only include object types that make sense for NetBox ObjectPermissions, for example:

user-facing NetBox models, and
plugin models intended to participate in NetBox’s object permission system

Internal metadata models and third-party dependency/tooling models (like the examples above) should not be offered as selectable object types.

Observed Behavior

The selector includes internal/third-party models such as:

core.ObjectType
debug_toolbar.historyentry *
django_rq.queue
extras.cached_value
migrations.migration *
thunmbnail.kv_store

*) only listed in a local dev environment

Additional Notes / Suggestion

First off: thank you for the recent improvements around the ObjectPermission UI (especially the object type grouping introduced around #20759). It makes the selector much easier to navigate.

From a quick look, this seems to be related to the queryset/filter used to build the choices. The current filter appears to be:

OBJECTPERMISSION_OBJECT_TYPES = Q(
    ~Q(app_label__in=['account', 'admin', 'auth', 'contenttypes', 'sessions', 'taggit', 'users']) |
    Q(app_label='users', model__in=['objectpermission', 'token', 'group', 'user'])
)

As written, this behaves like a small denylist (plus a special-case allowlist for users.*), which means any other installed Django app (including dev tooling / background worker apps) can show up as selectable object types.

I’d like to suggest a review of all object types that are currently eligible for ObjectPermissions. A short-term fix could be to exclude known internal and common third-party tooling apps/models.

Longer-term, it might be more robust to base the selector on a “user-facing/public models” concept (while still supporting plugins), rather than relying on a denylist of a few Django apps.

Happy to help test any changes.

*Originally created by @pheus on 12/29/2025* ### NetBox Edition NetBox Community ### NetBox Version v4.4.8 ### Python Version 3.12 ### Steps to Reproduce 1. Navigate to **Admin → Permissions** (or go to `/users/permissions/add/`) 2. Click **Add** (create a new Object Permission) 3. In the **Object types** selector, scroll/search for terms like `ObjectType`, `cached`, `queue`, etc. 4. Observe that internal/third-party models appear in the selectable list ### Expected Behavior The Object types selector should only include object types that make sense for NetBox ObjectPermissions, for example: - user-facing NetBox models, and - plugin models intended to participate in NetBox’s object permission system Internal metadata models and third-party dependency/tooling models (like the examples above) should not be offered as selectable object types. ### Observed Behavior The selector includes internal/third-party models such as: - `core.ObjectType` - `debug_toolbar.historyentry` * - `django_rq.queue` - `extras.cached_value` - `migrations.migration` * - `thunmbnail.kv_store` *) only listed in a local dev environment --- #### Additional Notes / Suggestion _First off_: thank you for the recent improvements around the ObjectPermission UI (especially the object type grouping introduced around #20759). It makes the selector much easier to navigate. From a quick look, this seems to be related to the queryset/filter used to build the choices. The current filter appears to be: OBJECTPERMISSION_OBJECT_TYPES = Q( ~Q(app_label__in=['account', 'admin', 'auth', 'contenttypes', 'sessions', 'taggit', 'users']) | Q(app_label='users', model__in=['objectpermission', 'token', 'group', 'user']) ) As written, this behaves like a small denylist (plus a special-case allowlist for `users.*`), which means *any other installed Django app* (including dev tooling / background worker apps) can show up as selectable object types. I’d like to suggest a review of **all** object types that are currently eligible for ObjectPermissions. A short-term fix could be to exclude known internal and common third-party tooling apps/models. Longer-term, it might be more robust to base the selector on a “user-facing/public models” concept (while still supporting plugins), rather than relying on a denylist of a few Django apps. Happy to help test any changes.

MrUnknownDE closed this issue

2026-04-05 17:05:56 +02:00

Sign in to join this conversation.

Branches Tags

main

21455-sql-indexes-audit

21357-register-model-actions

feature

20924-plugin-ui-components

21766-improve-test-coverage-for-sortable-table-columns

21157-export-template-public-models

21025-pre-render-config-contexts

21364-swagger

feature-ip-prefix-link

20911-dropdown-3

fix_module_substitution

21160-filterset

20911-dropdown-2

20044-elevation-stuck-lightmode

7604-filter-modifiers-v3

20660-script-load

19724-graphql

14884-script

19720-macaddress-interface-generic-relation

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

No Label netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox netbox severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low severity: low status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted status: accepted type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug type: bug

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/netbox#673