ObjectPermission object type selector includes internal/third-party models

[pheus]

NetBox Edition

NetBox Community

NetBox Version

v4.4.8

Python Version

3.12

Steps to Reproduce

1. Navigate to Admin → Permissions (or go to /users/permissions/add/)
2. Click Add (create a new Object Permission)
3. In the Object types selector, scroll/search for terms like ObjectType, cached, queue, etc.
4. Observe that internal/third-party models appear in the selectable list

Expected Behavior

The Object types selector should only include object types that make sense for NetBox ObjectPermissions, for example:

• user-facing NetBox models, and
• plugin models intended to participate in NetBox’s object permission system

Internal metadata models and third-party dependency/tooling models (like the examples above) should not be offered as selectable object types.

Observed Behavior

The selector includes internal/third-party models such as:

• core.ObjectType
• debug_toolbar.historyentry *
• django_rq.queue
• extras.cached_value
• migrations.migration *
• thunmbnail.kv_store

*) only listed in a local dev environment

---

Additional Notes / Suggestion

First off: thank you for the recent improvements around the ObjectPermission UI (especially the object type grouping introduced around #20759). It makes the selector much easier to navigate.

From a quick look, this seems to be related to the queryset/filter used to build the choices. The current filter appears to be:

OBJECTPERMISSION_OBJECT_TYPES = Q(
    ~Q(app_label__in=['account', 'admin', 'auth', 'contenttypes', 'sessions', 'taggit', 'users']) |
    Q(app_label='users', model__in=['objectpermission', 'token', 'group', 'user'])
)

As written, this behaves like a small denylist (plus a special-case allowlist for users.*), which means any other installed Django app (including dev tooling / background worker apps) can show up as selectable object types.

I’d like to suggest a review of all object types that are currently eligible for ObjectPermissions. A short-term fix could be to exclude known internal and common third-party tooling apps/models.

Longer-term, it might be more robust to base the selector on a “user-facing/public models” concept (while still supporting plugins), rather than relying on a denylist of a few Django apps.

Happy to help test any changes.

[jnovinger]

Accepting this, with the caveat that perhaps it should be a housekeeping item.

[pheus]

Thanks! I can see how this could be considered housekeeping.

To be honest, I wasn’t entirely sure whether this should be treated as housekeeping or a bug. A full review of internal ObjectType entries is definitely housekeeping, but internal-only types showing up in the ObjectPermission selector feels like a user-facing bug.

If you’re okay with it, I’ll split this into a bug report for excluding internal-only types and a housekeeping issue for the broader review/long-term fix.

[jnovinger]

That's a good point. In retrospect, let's leave this as is and just tackle it as a bug.