Permissions constraints are ignored when running script by API #11806

Closed
opened 2025-12-29 21:50:08 +01:00 by adam · 1 comment

Originally created by @llamafilm on GitHub (Nov 4, 2025).

Originally assigned to: @llamafilm on GitHub.

NetBox Edition

NetBox Community

NetBox Version

v4.4.1

Python Version

3.12

Steps to Reproduce

This is a follow-up to #15587.
When permission constraints are used to restrict users' ability to run specific scripts, this works as intended in the GUI, but API requests allow running all scripts, ignoring the constraint.

  1. Create two custom scripts, called "safe" and "dangerous"
  2. Create three permissions:
     • `readonly` can view all objects
     • `read safe scripts` can view `Core | managed file` with constraints `{"data_path": "scripts/safe_script.py"}`
     • `run safe scripts` can view and run `Extras > Script` with constraints `{"name": "SafeScript"}`
  3. Create a user called Alice with those permissions
  4. Create an API token for Alice
  5. Run the dangerous script by API: `curl -H "Content-Type: application/json" http://localhost:8000/api/extras/scripts/2/ --data '{"data": {}, "commit": true}' -H "Authorization: Token $ALICE_TOKEN"`

Expected Behavior

When Alice makes an API request to run the "dangerous script" it should fail.

Observed Behavior

Alice can run both scripts by API.
In the GUI, she can run the safe script, but when she tries to run the dangerous script, the run button is disabled.

adam added the labels "type: bug", "status: accepted", "netbox", "severity: low" 2025-12-29 21:50:08 +01:00
adam closed this issue 2025-12-29 21:50:08 +01:00
@llamafilm commented on GitHub (Nov 19, 2025):

Can you assign this to me please?


Reference: starred/netbox#11806