ACSP Suggestion 2026.4: Fix API permission checks on NET.
Suggestion
Author: Richard Laager
Submitted On: 03 March 2026
Description:
If there are multiple ways to do the same thing, they should require the same permissions. They should not be inconsistent.
Steps to reproduce:
- Perform a Detailed Reassignment out of one of your NETs to another ORG.
- Try to GET that NET by handle using your API key.
Expected results: The GET succeeds.
Actual results: The GET is rejected for lack of permission. Only an API key of the “another ORG” can GET the NET.
Additional discussion:
- I created the NET in the first place. If I created it, surely I should be able to GET it (assuming nothing else has changed in the state of the world).
- I can DELETE the NET. If I can DELETE something, surely I should be able to GET it.
- I can GET the NET if I ask using the start and end IP address (via a mostSpecificNet call), but I cannot GET it by its handle.
- Anyone, without authentication, can view the same information using the WHOIS protocol, by handle or by IP address. This is equivalent to a GET.
- Accordingly, the correct permission check for a GET on a NET is “return True”.
- Similarly, if I can DELETE and then recreate something, I should be able to modify it using a PUT. So the PUT permission check should also allow those with access to the parent NET to PUT a (direct) child NET (since they could otherwise DELETE and recreate it with the same effect).
Value to Community: The NRPM requires documenting reassignments. ARIN discontinued the email interface in favor of the API. Having a correctly working API is useful.
Timeframe: Not specified
Status: Confirmed
Updated: 03 March 2026
Tracking Information
No tracking information available.
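The consistency argument in the Additional discussion above, written as a small check. This is an added example, not ARIN's code and not part of the submitted suggestion. The operation names, the Net fields, the ORG ids and the handle are constructed, and the access the page does not state (who else may DELETE or look up by range, and that PUT is currently refused to the parent holder) is assumed and marked in the comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Net:
    handle: str
    org: str         # ORG the NET was reassigned to
    parent_org: str  # ORG holding the parent NET

def observed(op, caller, net):
    """Behaviour as reported in the suggestion (a model, not ARIN's code)."""
    if op == "WHOIS":
        return True  # public, no authentication
    if op == "DELETE":
        return caller == net.parent_org  # others: assumed denied
    if op == "GET_BY_RANGE":  # mostSpecificNet lookup
        return caller in (net.org, net.parent_org)  # others: assumed denied
    # GET_BY_HANDLE (reported) and PUT (assumed): reassigned-to ORG only
    return caller == net.org

def suggested(op, caller, net):
    """Checks proposed in the suggestion."""
    if op in ("WHOIS", "GET_BY_RANGE", "GET_BY_HANDLE"):
        return True  # "return True": the data is already public
    if op == "DELETE":
        return caller == net.parent_org  # unchanged from the model above
    return caller in (net.org, net.parent_org)  # PUT

# (have, want): a caller allowed `have` must also be allowed `want`.
IMPLIES = [
    ("DELETE", "GET_BY_HANDLE"),        # can delete it, so can read it
    ("DELETE", "PUT"),                  # delete + recreate equals modify
    ("GET_BY_RANGE", "GET_BY_HANDLE"),  # two routes to the same record
    ("WHOIS", "GET_BY_HANDLE"),         # already public
]

def violations(policy, net, callers):
    """List every (caller, have, want) where the policy is inconsistent."""
    return [(c, have, want)
            for c in callers
            for have, want in IMPLIES
            if policy(have, c, net) and not policy(want, c, net)]

NET = Net("NET-EXAMPLE-1", org="ORG-B", parent_org="ORG-A")  # constructed
CALLERS = ["ORG-A", "ORG-B", "ORG-C"]  # parent holder, recipient, unrelated

if __name__ == "__main__":
    for name, policy in (("observed", observed), ("suggested", suggested)):
        print(name, violations(policy, NET, CALLERS))
```

The same implication list can be run as a regression test against any authorization table, so that a new route to an existing record cannot ship with a different check.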