Skip to content

Closes #16137: Remove is_staff boolean from User model #20306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Sep 10, 2025
Merged

Closes #16137: Remove is_staff boolean from User model #20306

merged 6 commits into from
Sep 10, 2025

Conversation

jeremystretch
Copy link
Member

@jeremystretch jeremystretch commented Sep 9, 2025
edited
Loading

Closes: #16137

  • Remove the is_staff boolean field from our custom User model
  • Remove the REMOTE_AUTH_STAFF_GROUPS and REMOTE_AUTH_STAFF_USERS configuration parameters
  • Introduced the IsSuperuser REST API permission to replace DRF's IsAdminUser (which evaluates is_staff)
  • Accessing UI & REST API views for RQ tasks now requires superuser permission
  • Accessing the installed plugins API view now requires superuser permission
  • Extend the RQ tasks view tests to check permissions enforcement consistently
  • RemoteUserBackend now infers is_staff from is_superuser
  • PluginMenuItem still supports the staff_only attribute, but it now maps to the is_superuser attribute on a user
  • Remove references to is_staff from the LDAP authentication docs

@jeremystretch jeremystretch changed the title Closes #16137: Remove is_staff boolean from User model Closes #16137: Remove is_staff boolean from User model Sep 10, 2025
@jeremystretch jeremystretch requested review from a team and jnovinger and removed request for a team September 10, 2025 14:25
@jeremystretch jeremystretch marked this pull request as ready for review September 10, 2025 14:25
jnovinger
jnovinger reviewed Sep 10, 2025
View reviewed changes
Copy link
Member

@jnovinger jnovinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had one question about why were still setting user.is_staff in RemoteUserAuth, but this looks good otherwise.

netbox/netbox/authentication/__init__.py Outdated
# Set is_staff attribute for compatibility with pre-v4.5
user.is_staff = user.is_superuser
if user.is_staff:
logger.debug(f"Marked user {user} as staff due to superuser status")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hopefully it's just my lack of familiarity with our use of RemoteUserBackend, but I don't understand why we need to do this (temporarily setting user.is_staff) here, now.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly I'm not sure that we do, but I figured it might be less disruptive to keep it. That said, I'm okay removing it for v4.5.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm +0 on removing it. Happy to defer if you think it's best to leave it, but otherwise it's just one more thing for us to remember to get back to later.

Going to approve this PR and let you decide.

@jeremystretch jeremystretch merged commit c0e4d1c into feature Sep 10, 2025
7 checks passed
@jeremystretch jeremystretch deleted the 16137-remove-user-is_staff branch September 10, 2025 20:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jnovinger jnovinger jnovinger approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeremystretch @jnovinger