NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-08-23 07:56:44 -06:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

14025 fix script name checking

Browse Source
This commit is contained in:
Arthur 2023-10-13 10:10:45 -07:00
parent 3538508639
commit d337283095
1 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
netbox/extras/views.py
View File

@ -3,7 +3,7 @@ from django.contrib.auth.mixins import LoginRequiredMixin
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
from django.core.paginator import EmptyPage from django.core.paginator import EmptyPage
from django.db.models import Count, Q from django.db.models import Count, Q
from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponse from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponse, Http404
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse from django.urls import reverse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
@ -1151,13 +1151,30 @@ class ScriptListView(ContentTypePermissionRequiredMixin, View):
}) })
def get_script_module(module, request):
modules = ScriptModule.objects.restrict(request.user).filter(file_path__startswith=module)
if not modules:
raise Http404
if len(modules) == 1:
return modules[0]
# module is without the ".py" so startswith=module can return multiple if the file_path has
# two modules starting with the same characters "test.py" and "testfile.py"
for obj in modules:
if obj.file_path == module or obj.file_path == module + ".py":
return obj
raise Http404
class ScriptView(ContentTypePermissionRequiredMixin, View): class ScriptView(ContentTypePermissionRequiredMixin, View):
def get_required_permission(self): def get_required_permission(self):
return 'extras.view_script' return 'extras.view_script'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module + ".py") module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
form = script.as_form(initial=normalize_querydict(request.GET)) form = script.as_form(initial=normalize_querydict(request.GET))
@ -1181,7 +1198,7 @@ class ScriptView(ContentTypePermissionRequiredMixin, View):
if not request.user.has_perm('extras.run_script'): if not request.user.has_perm('extras.run_script'):
return HttpResponseForbidden() return HttpResponseForbidden()
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
form = script.as_form(request.POST, request.FILES) form = script.as_form(request.POST, request.FILES)
@ -1218,7 +1235,7 @@ class ScriptSourceView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_script' return 'extras.view_script'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
return render(request, 'extras/script/source.html', { return render(request, 'extras/script/source.html', {
@ -1234,7 +1251,7 @@ class ScriptJobsView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_script' return 'extras.view_script'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
object_type = ContentType.objects.get(app_label='extras', model='scriptmodule') object_type = ContentType.objects.get(app_label='extras', model='scriptmodule')