Implemented permissions for scripts

2024-05-10 07:54:54 +00:00 · 2019-08-12 11:39:36 -04:00
parent 463c636301
commit ab504439fb
5 changed files with 58 additions and 5 deletions
--- a/netbox/extras/migrations/0024_scripts.py
+++ b/netbox/extras/migrations/0024_scripts.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.2 on 2019-08-12 15:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('extras', '0023_fix_tag_sequences'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Script',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
+            ],
+            options={
+                'permissions': (('run_script', 'Can run script'),),
+                'managed': False,
+            },
+        ),
+    ]
--- a/netbox/extras/models.py
+++ b/netbox/extras/models.py
@@ -826,6 +826,21 @@ class ConfigContextModel(models.Model):
        return data


+#
+# Custom scripts
+#
+
+class Script(models.Model):
+    """
+    Dummy model used to generate permissions for custom scripts. Does not exist in the database.
+    """
+    class Meta:
+        managed = False
+        permissions = (
+            ('run_script', 'Can run script'),
+        )
+
+
 #
 # Report results
 #
--- a/netbox/extras/views.py
+++ b/netbox/extras/views.py
@@ -1,11 +1,11 @@
 from django import template
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.contenttypes.models import ContentType
 from django.db import transaction
 from django.db.models import Count, Q
-from django.http import Http404
+from django.http import Http404, HttpResponseForbidden
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.safestring import mark_safe
 from django.views.generic import View
@@ -363,7 +363,8 @@ class ReportRunView(PermissionRequiredMixin, View):
 # Scripts
 #

-class ScriptListView(LoginRequiredMixin, View):
+class ScriptListView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_script'

    def get(self, request):

@@ -372,7 +373,8 @@ class ScriptListView(LoginRequiredMixin, View):
        })


-class ScriptView(LoginRequiredMixin, View):
+class ScriptView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_script'

    def _get_script(self, module, name):
        scripts = get_scripts()
@@ -394,6 +396,10 @@ class ScriptView(LoginRequiredMixin, View):

    def post(self, request, module, name):

+        # Permissions check
+        if not request.user.has_perm('extras.run_script'):
+            return HttpResponseForbidden()
+
        script = self._get_script(module, name)
        form = script.as_form(request.POST)
        output = None
--- a/netbox/templates/extras/script.html
+++ b/netbox/templates/extras/script.html
@@ -57,6 +57,12 @@
            {% endif %}
            <div class="row">
                <div class="col-md-8 col-md-offset-2">
+                    {% if not perms.extras.run_script %}
+                        <div class="alert alert-warning">
+                            <i class="fa fa-warning"></i>
+                            You do not have permission to run scripts.
+                        </div>
+                    {% endif %}
                    <form action="" method="post">
                    {% csrf_token %}
                        {% if form %}
@@ -65,7 +71,7 @@
                            <p>This script does not require any input to run.</p>
                        {% endif %}
                        <div class="pull-right">
-                            <button type="submit" name="_run" class="btn btn-primary"><i class="fa fa-play"></i> Run Script</button>
+                            <button type="submit" name="_run" class="btn btn-primary"{% if not perms.extras.run_script %} disabled="disabled"{% endif %}><i class="fa fa-play"></i> Run Script</button>
                            <a href="{% url 'extras:script_list' %}" class="btn btn-default">Cancel</a>
                        </div>
                    </form>
--- a/netbox/templates/inc/nav_menu.html
+++ b/netbox/templates/inc/nav_menu.html
@@ -66,6 +66,9 @@
                        <li{% if not perms.extras.view_configcontext %} class="disabled"{% endif %}>
                            <a href="{% url 'extras:configcontext_list' %}">Config Contexts</a>
                        </li>
+                        <li{% if not perms.extras.view_script %} class="disabled"{% endif %}>
+                            <a href="{% url 'extras:script_list' %}">Scripts</a>
+                        </li>
                        <li{% if not perms.extras.view_reportresult %} class="disabled"{% endif %}>
                            <a href="{% url 'extras:report_list' %}">Reports</a>
                        </li>