Implemented permissions for scripts

2026-01-09 21:32:17 -06:00 · 2019-08-12 11:39:36 -04:00
parent 042f6bc8bd
commit cad46f81e6
5 changed files with 58 additions and 5 deletions
--- a/netbox/extras/migrations/0024_scripts.py
+++ b/netbox/extras/migrations/0024_scripts.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.2 on 2019-08-12 15:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('extras', '0023_fix_tag_sequences'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Script',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
+            ],
+            options={
+                'permissions': (('run_script', 'Can run script'),),
+                'managed': False,
+            },
+        ),
+    ]
--- a/netbox/extras/models.py
+++ b/netbox/extras/models.py
@@ -826,6 +826,21 @@ class ConfigContextModel(models.Model):
        return data


+#
+# Custom scripts
+#
+
+class Script(models.Model):
+    """
+    Dummy model used to generate permissions for custom scripts. Does not exist in the database.
+    """
+    class Meta:
+        managed = False
+        permissions = (
+            ('run_script', 'Can run script'),
+        )
+
+
 #
 # Report results
 #
--- a/netbox/extras/views.py
+++ b/netbox/extras/views.py
@@ -1,11 +1,11 @@
 from django import template
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.contenttypes.models import ContentType
 from django.db import transaction
 from django.db.models import Count, Q
-from django.http import Http404
+from django.http import Http404, HttpResponseForbidden
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.safestring import mark_safe
 from django.views.generic import View
@@ -363,7 +363,8 @@ class ReportRunView(PermissionRequiredMixin, View):
 # Scripts
 #

-class ScriptListView(LoginRequiredMixin, View):
+class ScriptListView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_script'

    def get(self, request):

@@ -372,7 +373,8 @@ class ScriptListView(LoginRequiredMixin, View):
        })


-class ScriptView(LoginRequiredMixin, View):
+class ScriptView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_script'

    def _get_script(self, module, name):
        scripts = get_scripts()
@@ -394,6 +396,10 @@ class ScriptView(LoginRequiredMixin, View):

    def post(self, request, module, name):

+        # Permissions check
+        if not request.user.has_perm('extras.run_script'):
+            return HttpResponseForbidden()
+
        script = self._get_script(module, name)
        form = script.as_form(request.POST)
        output = None