Add filtering of Script objects based on object permissions with custom constraints

docs/customization/custom-scripts.md

@@ -18,7 +18,17 @@ They can also be used as a mechanism for validating the integrity of data within
 Custom scripts are Python code which exists outside the NetBox code base, so they can be updated and changed without interfering with the core NetBox installation. And because they're completely custom, there is no inherent limitation on what a script can accomplish.
 
 !!! danger "Only install trusted scripts"
-    Custom scripts have unrestricted access to change anything in the databse and are inherently unsafe and should only be installed and run from trusted sources.  You should also review and set permissions for who can run scripts if the script can modify any data.
+    Custom scripts have unrestricted access to change anything in the database and are inherently unsafe and should only be installed and run from trusted sources.  You should also review and set permissions for who can run scripts if the script can modify any data.
+
+!!! tip "Permissions for Custom Scripts"
+    A user can be granted permissions on all Custom Scripts via the "Managed File" object-level permission. To further restrict a user to only be able to access certain scripts, create an additional permission on the "Script" object type, with appropriate queryset-style constraints matching fields available on Script. For example:
+    ```json
+    {
+        "name__in": [
+            "MyScript"
+        ]
+    }
+    ```
 
 ## Writing Custom Scripts
 

netbox/dcim/graphql/filter_mixins.py

@@ -13,7 +13,6 @@ if TYPE_CHECKING:
     from netbox.graphql.filter_lookups import IntegerLookup
     from extras.graphql.filters import ConfigTemplateFilter
     from ipam.graphql.filters import VLANFilter, VLANTranslationPolicyFilter
-    from dcim.graphql.filters import LocationFilter, RegionFilter, SiteFilter, SiteGroupFilter
     from .filters import *
 
 __all__ = (
@@ -36,20 +35,6 @@ class ScopedFilterMixin:
     )
     scope_id: ID | None = strawberry_django.filter_field()
 
-    # Cached relations
-    _location: Annotated['LocationFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
-        strawberry_django.filter_field(name='location')
-    )
-    _region: Annotated['RegionFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
-        strawberry_django.filter_field(name='region')
-    )
-    _site_group: Annotated['SiteGroupFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
-        strawberry_django.filter_field(name='site_group')
-    )
-    _site: Annotated['SiteFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
-        strawberry_django.filter_field(name='site')
-    )
-
 
 @dataclass
 class ComponentModelFilterMixin:

netbox/extras/views.py

@@ -24,9 +24,11 @@ from extras.utils import SharedObjectViewMixin
 from netbox.object_actions import *
 from netbox.views import generic
 from netbox.views.generic.mixins import TableMixin
+from users.models import ObjectPermission
 from utilities.forms import ConfirmationForm, get_field_value
 from utilities.htmx import htmx_partial, htmx_maybe_redirect_current_page
 from utilities.paginator import EnhancedPaginator, get_paginate_count
+from utilities.permissions import qs_filter_from_constraints
 from utilities.query import count_related
 from utilities.querydict import normalize_querydict
 from utilities.request import copy_safe_request
@@ -1441,12 +1443,24 @@ class ScriptListView(ContentTypePermissionRequiredMixin, View):
         return 'extras.view_script'
 
     def get(self, request):
+        # Permissions for the Scripts page are given via the "Managed File" object permission. To further restrict
+        # users to access only specified scripts, create permissions on the "Script" object with appropriate
+        # queryset-style constraints matching fields available on Script.
         script_modules = ScriptModule.objects.restrict(request.user).prefetch_related(
             'data_source', 'data_file', 'jobs'
         )
+        script_ct = ContentType.objects.get_for_model(Script)
+        script_permissions = qs_filter_from_constraints(
+            ObjectPermission.objects.filter(
+                users=self.request.user, object_types=script_ct
+            ).values_list("constraints", flat=True)
+        )
+        available_scripts = Script.objects.filter(script_permissions, module__in=script_modules)
+
         context = {
             'model': ScriptModule,
             'script_modules': script_modules,
+            'available_scripts': available_scripts,
         }
 
         # Use partial template for dashboard widgets

netbox/ipam/graphql/filters.py

@@ -20,7 +20,7 @@ from tenancy.graphql.filter_mixins import ContactFilterMixin, TenancyFilterMixin
 from virtualization.models import VMInterface
 
 if TYPE_CHECKING:
-    from netbox.graphql.filter_lookups import BigIntegerLookup, IntegerLookup, IntegerRangeArrayLookup
+    from netbox.graphql.filter_lookups import IntegerLookup, IntegerRangeArrayLookup
     from circuits.graphql.filters import ProviderFilter
     from core.graphql.filters import ContentTypeFilter
     from dcim.graphql.filters import SiteFilter
@@ -53,7 +53,7 @@ __all__ = (
 class ASNFilter(TenancyFilterMixin, PrimaryModelFilter):
     rir: Annotated['RIRFilter', strawberry.lazy('ipam.graphql.filters')] | None = strawberry_django.filter_field()
     rir_id: ID | None = strawberry_django.filter_field()
-    asn: Annotated['BigIntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
+    asn: Annotated['IntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
         strawberry_django.filter_field()
     )
     sites: (
@@ -70,10 +70,10 @@ class ASNRangeFilter(TenancyFilterMixin, OrganizationalModelFilter):
     slug: FilterLookup[str] | None = strawberry_django.filter_field()
     rir: Annotated['RIRFilter', strawberry.lazy('ipam.graphql.filters')] | None = strawberry_django.filter_field()
     rir_id: ID | None = strawberry_django.filter_field()
-    start: Annotated['BigIntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
+    start: Annotated['IntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
         strawberry_django.filter_field()
     )
-    end: Annotated['BigIntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
+    end: Annotated['IntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
         strawberry_django.filter_field()
     )
 

netbox/netbox/graphql/filter_lookups.py

@@ -19,11 +19,8 @@ from strawberry_django import (
     process_filters,
 )
 
-from netbox.graphql.scalars import BigInt
-
 __all__ = (
     'ArrayLookup',
-    'BigIntegerLookup',
     'FloatArrayLookup',
     'FloatLookup',
     'IntegerArrayLookup',
@@ -81,29 +78,6 @@ class IntegerLookup:
         return process_filters(filters=filters, queryset=queryset, info=info, prefix=prefix)
 
 
-@strawberry.input(one_of=True, description='Lookup for BigInteger fields. Only one of the lookup fields can be set.')
-class BigIntegerLookup:
-    filter_lookup: FilterLookup[BigInt] | None = strawberry_django.filter_field()
-    range_lookup: RangeLookup[BigInt] | None = strawberry_django.filter_field()
-    comparison_lookup: ComparisonFilterLookup[BigInt] | None = strawberry_django.filter_field()
-
-    def get_filter(self):
-        for field in self.__strawberry_definition__.fields:
-            value = getattr(self, field.name, None)
-            if value is not strawberry.UNSET:
-                return value
-        return None
-
-    @strawberry_django.filter_field
-    def filter(self, info: Info, queryset: QuerySet, prefix: DirectiveValue[str] = '') -> Tuple[QuerySet, Q]:
-        filters = self.get_filter()
-
-        if not filters:
-            return queryset, Q()
-
-        return process_filters(filters=filters, queryset=queryset, info=info, prefix=prefix)
-
-
 @strawberry.input(one_of=True, description='Lookup for Float fields. Only one of the lookup fields can be set.')
 class FloatLookup:
     filter_lookup: FilterLookup[float] | None = strawberry_django.filter_field()

netbox/templates/extras/inc/script_list_content.html

@@ -38,6 +38,7 @@
           </thead>
           <tbody>
             {% for script in scripts %}
+              {% if script in available_scripts %}
                 {% with last_job=script.get_latest_jobs|first %}
                   <tr>
                     <td>
@@ -113,6 +114,7 @@
                     {% endfor %}
                   {% endif %}
                 {% endwith %}
+              {% endif %}
             {% endfor %}
           </tbody>
         </table>

netbox/users/constants.py

@@ -3,10 +3,9 @@ import string
 from django.db.models import Q
 
 
-OBJECTPERMISSION_OBJECT_TYPES = (
-    (Q(public=True) & ~Q(app_label='core', model='objecttype'))
-    | Q(app_label='core', model__in=['managedfile'])
-    | Q(app_label='extras', model__in=['scriptmodule', 'taggeditem'])
+OBJECTPERMISSION_OBJECT_TYPES = Q(
+    ~Q(app_label__in=['account', 'admin', 'auth', 'contenttypes', 'sessions', 'taggit', 'users']) |
+    Q(app_label='users', model__in=['objectpermission', 'token', 'group', 'user', 'owner'])
 )
 
 CONSTRAINT_TOKEN_USER = '$user'

netbox/utilities/views.py

@@ -5,11 +5,9 @@ from django.conf import settings
 from django.contrib.auth.mixins import AccessMixin
 from django.core.exceptions import ImproperlyConfigured
 from django.db.models import QuerySet
-from django.http import HttpResponseForbidden
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
 from django.utils.translation import gettext_lazy as _
-from rest_framework.exceptions import AuthenticationFailed
 
 from netbox.api.authentication import TokenAuthentication
 from netbox.plugins import PluginConfig
@@ -52,12 +50,10 @@ class TokenConditionalLoginRequiredMixin(ConditionalLoginRequiredMixin):
         # Attempt to authenticate the user using a DRF token, if provided
         if settings.LOGIN_REQUIRED and not request.user.is_authenticated:
             authenticator = TokenAuthentication()
-            try:
-                if auth_info := authenticator.authenticate(request) is not None:
+            auth_info = authenticator.authenticate(request)
+            if auth_info is not None:
                 request.user = auth_info[0]  # User object
                 request.auth = auth_info[1]
-            except AuthenticationFailed:
-                return HttpResponseForbidden("Invalid token")
 
         return super().dispatch(request, *args, **kwargs)
 

netbox/vpn/graphql/filters.py

@@ -15,7 +15,7 @@ from vpn import models
 if TYPE_CHECKING:
     from core.graphql.filters import ContentTypeFilter
     from ipam.graphql.filters import IPAddressFilter, RouteTargetFilter
-    from netbox.graphql.filter_lookups import BigIntegerLookup, IntegerLookup
+    from netbox.graphql.filter_lookups import IntegerLookup
     from .enums import *
 
 __all__ = (
@@ -75,7 +75,7 @@ class TunnelFilter(TenancyFilterMixin, PrimaryModelFilter):
     ipsec_profile: Annotated['IPSecProfileFilter', strawberry.lazy('vpn.graphql.filters')] | None = (
         strawberry_django.filter_field()
     )
-    tunnel_id: Annotated['BigIntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
+    tunnel_id: Annotated['IntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
         strawberry_django.filter_field()
     )
     terminations: Annotated['TunnelTerminationFilter', strawberry.lazy('vpn.graphql.filters')] | None = (
@@ -187,7 +187,7 @@ class L2VPNFilter(ContactFilterMixin, TenancyFilterMixin, PrimaryModelFilter):
     type: BaseFilterLookup[Annotated['L2VPNTypeEnum', strawberry.lazy('vpn.graphql.enums')]] | None = (
         strawberry_django.filter_field()
     )
-    identifier: Annotated['BigIntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
+    identifier: Annotated['IntegerLookup', strawberry.lazy('netbox.graphql.filter_lookups')] | None = (
         strawberry_django.filter_field()
     )
     import_targets: Annotated['RouteTargetFilter', strawberry.lazy('ipam.graphql.filters')] | None = (