NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-12-19 11:52:22 -06:00
Code Issues Actions 12 Packages Projects Releases Wiki Activity

Fixes #20649: Enforce view permissions on REST API endpoint for custom scripts (#20871)
Some checks are pending
CI / build (20.x, 3.10) (push) Waiting to run
Details
CI / build (20.x, 3.11) (push) Waiting to run
Details
CI / build (20.x, 3.12) (push) Waiting to run
Details
CodeQL / Analyze (${{ matrix.language }}) (none, actions) (push) Waiting to run
Details
CodeQL / Analyze (${{ matrix.language }}) (none, javascript-typescript) (push) Waiting to run
Details
CodeQL / Analyze (${{ matrix.language }}) (none, python) (push) Waiting to run
Details

Browse Source
This commit is contained in:
Jeremy Stretch
2025-11-24 19:28:35 -05:00
committed by GitHub
parent b919868521
commit a44a79ec79
2 changed files with 10 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
netbox/extras/api/views.py
View File

@@ -267,6 +267,14 @@ class ScriptViewSet(ModelViewSet):
_ignore_model_permissions = True
lookup_value_regex = '[^/]+' # Allow dots
def initial(self, request, *args, **kwargs):
super().initial(request, *args, **kwargs)
# Restrict the view's QuerySet to allow only the permitted objects
if request.user.is_authenticated:
action = 'run' if request.method == 'POST' else 'view'
self.queryset = self.queryset.restrict(request.user, action)
def _get_script(self, pk):
# If pk is numeric, retrieve script by ID
if pk.isnumeric():