From ab504439fbab1693cdefee897390af0e6350130b Mon Sep 17 00:00:00 2001 From: Jeremy Stretch Date: Mon, 12 Aug 2019 11:39:36 -0400 Subject: [PATCH] Implemented permissions for scripts --- netbox/extras/migrations/0024_scripts.py | 23 +++++++++++++++++++++++ netbox/extras/models.py | 15 +++++++++++++++ netbox/extras/views.py | 14 ++++++++++---- netbox/templates/extras/script.html | 8 +++++++- netbox/templates/inc/nav_menu.html | 3 +++ 5 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 netbox/extras/migrations/0024_scripts.py diff --git a/netbox/extras/migrations/0024_scripts.py b/netbox/extras/migrations/0024_scripts.py new file mode 100644 index 000000000..82d0afdc9 --- /dev/null +++ b/netbox/extras/migrations/0024_scripts.py @@ -0,0 +1,23 @@ +# Generated by Django 2.2 on 2019-08-12 15:28 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('extras', '0023_fix_tag_sequences'), + ] + + operations = [ + migrations.CreateModel( + name='Script', + fields=[ + ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)), + ], + options={ + 'permissions': (('run_script', 'Can run script'),), + 'managed': False, + }, + ), + ] diff --git a/netbox/extras/models.py b/netbox/extras/models.py index c5df5c2e5..0306f8a92 100644 --- a/netbox/extras/models.py +++ b/netbox/extras/models.py @@ -826,6 +826,21 @@ class ConfigContextModel(models.Model): return data +# +# Custom scripts +# + +class Script(models.Model): + """ + Dummy model used to generate permissions for custom scripts. Does not exist in the database. + """ + class Meta: + managed = False + permissions = ( + ('run_script', 'Can run script'), + ) + + # # Report results # diff --git a/netbox/extras/views.py b/netbox/extras/views.py index 21aed1471..845b01f49 100644 --- a/netbox/extras/views.py +++ b/netbox/extras/views.py 
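Review bot: `Script.Meta` in `netbox/extras/models.py` declares only `run_script`, so the `extras.view_script` permission required by the views in this commit appears to come from Django's default model permissions. Those same defaults would also create `add_script`, `change_script` and `delete_script`, which nothing visible in this patch checks. Permissions that gate nothing can mislead an administrator assigning access, so consider `default_permissions = ('view',)` in `Meta`, with the matching option in migration 0024. Failing that, the docstring could state that `view_script` gates the list and detail views and `run_script` gates execution.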
@@ -1,11 +1,11 @@ from django import template from django.conf import settings from django.contrib import messages -from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin +from django.contrib.auth.mixins import PermissionRequiredMixin from django.contrib.contenttypes.models import ContentType from django.db import transaction from django.db.models import Count, Q -from django.http import Http404 +from django.http import Http404, HttpResponseForbidden from django.shortcuts import get_object_or_404, redirect, render from django.utils.safestring import mark_safe from django.views.generic import View @@ -363,7 +363,8 @@ class ReportRunView(PermissionRequiredMixin, View): # Scripts # -class ScriptListView(LoginRequiredMixin, View): +class ScriptListView(PermissionRequiredMixin, View): + permission_required = 'extras.view_script' def get(self, request): @@ -372,7 +373,8 @@ class ScriptListView(LoginRequiredMixin, View): }) -class ScriptView(LoginRequiredMixin, View): +class ScriptView(PermissionRequiredMixin, View): + permission_required = 'extras.view_script' def _get_script(self, module, name): scripts = get_scripts() @@ -394,6 +396,10 @@ class ScriptView(LoginRequiredMixin, View): def post(self, request, module, name): + # Permissions check + if not request.user.has_perm('extras.run_script'): + return HttpResponseForbidden() + script = self._get_script(module, name) form = script.as_form(request.POST) output = None diff --git a/netbox/templates/extras/script.html b/netbox/templates/extras/script.html index 66beeb852..240e54a51 100644 --- a/netbox/templates/extras/script.html +++ b/netbox/templates/extras/script.html @@ -57,6 +57,12 @@ {% endif %}
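Review bot: On `ScriptView`, `permission_required = 'extras.view_script'` is enforced by `PermissionRequiredMixin` before any handler runs, so it applies to POST as well as GET. A user granted only `extras.run_script` is therefore refused before the check added in `post()` is reached. If requiring both permissions to run a script is intended, say so next to the attribute, e.g. `# Required for every method; post() additionally requires extras.run_script`. The same mixin swap is made on `ScriptListView` in the preceding hunk, and the class body continues outside this hunk.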
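Review bot: The denial branch added to `post()` returns a bare `HttpResponseForbidden()`, which records nothing about the refused attempt and takes a different path from the one `PermissionRequiredMixin` uses for the view permission. Because this check guards script execution, `raise PermissionDenied` (imported from `django.core.exceptions`) in place of `return HttpResponseForbidden()` would keep a single 403 path through the project's handler. A log line naming the user, module and script on denial would give operators an audit trail. A test asserting that a POST without `extras.run_script` gets a 403 before `_get_script()` is called would pin the ordering. The body of `post()` continues outside the hunk.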
+ {% if not perms.extras.run_script %} +
+ + You do not have permission to run scripts. +
+ {% endif %}
{% csrf_token %} {% if form %} @@ -65,7 +71,7 @@

This script does not require any input to run.

{% endif %}
- + Cancel
diff --git a/netbox/templates/inc/nav_menu.html b/netbox/templates/inc/nav_menu.html index b8e0d6dcb..3379c058c 100644 --- a/netbox/templates/inc/nav_menu.html +++ b/netbox/templates/inc/nav_menu.html @@ -66,6 +66,9 @@ Config Contexts + + Scripts + Reports