Add support for object permissions on individual scripts #7003

Closed
opened 2025-12-29 19:47:41 +01:00 by adam · 4 comments

Originally created by @swoga on GitHub (Sep 20, 2022).

NetBox version

v3.3.4

Feature type

New functionality

Proposed functionality

Add support for object permissions of type `Extras > script` to match individual scripts by their `id`, as reported by the API.

example constraint:

```json
{ "id": "ip_assign.IpAssign" }
```

should add a permission for the following script:

```json
{
  "url": "https://netbox/api/extras/scripts/ip_assign.IpAssign/",
  "id": "ip_assign.IpAssign",
  "module": "ip_assign",
  ...
}
```

Was reported as a bug as I assumed this should be supported and the attempt caused an exception: #10306

Use case

Allow an Administrator to grant user rights on individual scripts.

Database changes

none

External dependencies

none

adam added the type: feature, status: under review labels 2025-12-29 19:47:41 +01:00
adam closed this issue 2025-12-29 19:47:41 +01:00

@kkthxbye-code commented on GitHub (Sep 20, 2022):

Please extend the proposal to be more specific. What is `id`? Is that the name of the script as returned from the API? If so, that's not enough to identify a script uniquely, you need a module also. Should module also be available for constraints? What would a constraint look like?

The general issue here is that scripts are not database objects, they are loaded at runtime. The current constraints are just passed as QuerySet filters, so we would have to come up with some special casing for the Script content type. Even if we did that, we probably wouldn't support the extra filter modifiers (negation, startswith etc.).

Personally I think a better solution might be to allow the functionality to be part of the script/report itself. Something like `allowed_groups` and `allowed_users` that can be defined in the Meta class, that allow you to limit which users and groups can see and execute them.


@swoga commented on GitHub (Sep 20, 2022):

I have added a constraint and API response example.
The `id` as reported by the API should uniquely identify a script, since it already contains the module.

For my purposes, a check for equality would be sufficient, but it is quite possible that other Netbox users may want to use extra filter modifiers.

I understand that it would be easier to handle it via the Meta class, but it would be nice to have a central place to manage all permissions rather than having to edit scripts separately.


@ziggekatten commented on GitHub (Sep 21, 2022):

We have solved this by a common function in all our custom scripts that checks for a permission that matches the class name, and if the user is in that permission, execution proceeds. The first time a script is run, it creates the permission if it does not exist. By this we have a central way of managing permissions on scripts at a class level.


@jeremystretch commented on GitHub (Oct 3, 2022):

> Add support for object permissions of type `Extras > script` to match individual scripts by their `id`, as reported by the API.

I'm afraid this isn't possible, because object permissions employ database filtering to evaluate permissions, and scripts/reports don't exist as database objects. As @ziggekatten suggests, the preferred way to solve this would be to perform an explicit permissions check in the script/report itself.

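The in-script check that @ziggekatten describes and that @jeremystretch recommends, as an added example (not code from the NetBox project or from anyone in this thread): one permission codename is derived from the script class name, registered on first run, and checked before the script does any work. The `PermissionStore` class, the `extras` app label and the `run_<classname>` codename scheme are assumptions standing in for Django's `Permission` model and `user.has_perm()`, so the example runs without NetBox.

```python
"""Added example: per-script permission guard with an in-memory stand-in for
the Django Permission / user-permission tables (not NetBox's own code)."""
from dataclasses import dataclass, field

PERM_APP = "extras"  # assumed app label used to build "app.codename" strings


class PermissionDenied(Exception):
    """Raised to abort the script before it changes anything."""


@dataclass
class PermissionStore:
    """Constructed stand-in for Permission.objects and user.user_permissions."""
    codenames: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)  # username -> {"app.codename", ...}

    def get_or_create(self, codename: str) -> bool:
        """Register the permission; True when it was newly created."""
        created = codename not in self.codenames
        self.codenames.add(codename)
        return created

    def has_perm(self, username: str, perm: str) -> bool:
        return perm in self.grants.get(username, set())


def script_codename(script_cls) -> str:
    # One permission per script class, e.g. "run_ipassign" for class IpAssign.
    return f"run_{script_cls.__name__.lower()}"


def check_script_permission(script_cls, username: str, store: PermissionStore) -> bool:
    """The common guard every custom script calls at the top of run()."""
    codename = script_codename(script_cls)
    store.get_or_create(codename)  # first run registers the permission
    if not store.has_perm(username, f"{PERM_APP}.{codename}"):
        raise PermissionDenied(f"{username} lacks {PERM_APP}.{codename}")
    return True


class IpAssign:  # stands in for a NetBox Script subclass (assumed name)
    def run(self, username: str, store: PermissionStore) -> str:
        check_script_permission(type(self), username, store)
        return "assigned"  # real work would follow the guard
```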

Reference: starred/netbox#7003