Permission constraints to endpoints are not applied over API when modifying record about nautobot HOT 4 OPEN

Prefix serializer validation not pulling restricted filter query to stop the update?
Which seems referenced here as well

from nautobot.

Can you clarify, is this issue with /ipam/prefixes/ or with /api/ipam/prefixes/ or both?

from nautobot.

Hi @glennmatthews Apologies, seems to only be affecting /api/ipam/prefixes/

I checked /ipam/prefixes/ using a proxy to modify the request and the server response indicates it is preventing the action per the constraint.

I also checked other api endpoints like /api/dcim/devices/ which also appear to be affected by this bug

from nautobot.

For the constraints I also tested an additional scenario originally I should include.

Instead of applying the permission constraint to the extras/tag object directly (from the report) which would prevent access to the specific tag object. I tried applying a constraint on the ipam/prefixes permission that applies if a specific tag is tag assigned to the prefix object. From my perspective I should not also be able to assign a given tag if I cant access the object that may be containing said tag? Maybe this portion has some nuance? The result when assigned a forbidden tag to an object it will then 'disappear' from the user.

For this I used a similar whitelist test scenario:
{"tags__slug__icontains": "test-whitelist-tag"}

from nautobot.