
Implemented permissions for scripts

Jeremy Stretch 6 жил өмнө
parent
commit
ab504439fb

+ 23 - 0
netbox/extras/migrations/0024_scripts.py

@@ -0,0 +1,23 @@
+# Generated by Django 2.2 on 2019-08-12 15:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('extras', '0023_fix_tag_sequences'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Script',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
+            ],
+            options={
+                'permissions': (('run_script', 'Can run script'),),
+                'managed': False,
+            },
+        ),
+    ]

+ 15 - 0
netbox/extras/models.py

@@ -826,6 +826,21 @@ class ConfigContextModel(models.Model):
         return data
 
 
+#
+# Custom scripts
+#
+
+class Script(models.Model):
+    """
+    Dummy model used to generate permissions for custom scripts. Does not exist in the database.
+    """
+    class Meta:
+        managed = False
+        permissions = (
+            ('run_script', 'Can run script'),
+        )
+
+
 #
 # Report results
 #
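Review bot: `Script.Meta` declares only `run_script`, yet the views changed in this commit gate on `extras.view_script`, which is not declared in this hunk and presumably comes from Django's default model permissions. The docstring should say so, for example `Permissions: view_script (Django default) gates listing and viewing; run_script gates execution.` The same defaults would also create add/change/delete permissions on a model that has no rows. If those are unwanted, `default_permissions = ('view',)` in `Meta` would trim them, with the migration's `options` kept in step.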

+ 10 - 4
netbox/extras/views.py

@@ -1,11 +1,11 @@
 from django import template
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.contenttypes.models import ContentType
 from django.db import transaction
 from django.db.models import Count, Q
-from django.http import Http404
+from django.http import Http404, HttpResponseForbidden
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.safestring import mark_safe
 from django.views.generic import View
@@ -363,7 +363,8 @@ class ReportRunView(PermissionRequiredMixin, View):
 # Scripts
 #
 
-class ScriptListView(LoginRequiredMixin, View):
+class ScriptListView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_script'
 
     def get(self, request):
 
@@ -372,7 +373,8 @@ class ScriptListView(LoginRequiredMixin, View):
         })
 
 
-class ScriptView(LoginRequiredMixin, View):
+class ScriptView(PermissionRequiredMixin, View):
+    permission_required = 'extras.view_script'
 
     def _get_script(self, module, name):
         scripts = get_scripts()
@@ -394,6 +396,10 @@ class ScriptView(LoginRequiredMixin, View):
 
     def post(self, request, module, name):
 
+        # Permissions check
+        if not request.user.has_perm('extras.run_script'):
+            return HttpResponseForbidden()
+
         script = self._get_script(module, name)
         form = script.as_form(request.POST)
         output = None
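Review bot: The new check in `post()` returns a bare `HttpResponseForbidden()`, so a denied run gets an empty 403 that does not go through the project's 403 handler or template. The `view_script` check on the same class goes through `PermissionRequiredMixin`, so the two denials behave differently. Raising instead, with `raise PermissionDenied` and `from django.core.exceptions import PermissionDenied`, would keep them on one path. If script execution is audited, a log line naming `request.user` and the requested `module`/`name` just before the denial would make refused attempts easier to trace. `post()` continues past the end of the hunk.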

+ 7 - 1
netbox/templates/extras/script.html

@@ -57,6 +57,12 @@
             {% endif %}
             <div class="row">
                 <div class="col-md-8 col-md-offset-2">
+                    {% if not perms.extras.run_script %}
+                        <div class="alert alert-warning">
+                            <i class="fa fa-warning"></i>
+                            You do not have permission to run scripts.
+                        </div>
+                    {% endif %}
                     <form action="" method="post">
                     {% csrf_token %}
                         {% if form %}
@@ -65,7 +71,7 @@
                             <p>This script does not require any input to run.</p>
                         {% endif %}
                         <div class="pull-right">
-                            <button type="submit" name="_run" class="btn btn-primary"><i class="fa fa-play"></i> Run Script</button>
+                            <button type="submit" name="_run" class="btn btn-primary"{% if not perms.extras.run_script %} disabled="disabled"{% endif %}><i class="fa fa-play"></i> Run Script</button>
                             <a href="{% url 'extras:script_list' %}" class="btn btn-default">Cancel</a>
                         </div>
                     </form>
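Review bot: The `disabled` attribute on the Run Script button is only a display hint, because a request can still be posted to this URL. The actual gate is the `has_perm('extras.run_script')` check in `ScriptView.post()`. A template comment beside the condition would keep the two from drifting apart, e.g. `{# UI hint only: ScriptView.post() enforces extras.run_script #}`. The same applies to the warning block added in the earlier hunk of this file; the form fields are still rendered for users without the permission, which appears to be intended.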

+ 3 - 0
netbox/templates/inc/nav_menu.html

@@ -66,6 +66,9 @@
                         <li{% if not perms.extras.view_configcontext %} class="disabled"{% endif %}>
                             <a href="{% url 'extras:configcontext_list' %}">Config Contexts</a>
                         </li>
+                        <li{% if not perms.extras.view_script %} class="disabled"{% endif %}>
+                            <a href="{% url 'extras:script_list' %}">Scripts</a>
+                        </li>
                         <li{% if not perms.extras.view_reportresult %} class="disabled"{% endif %}>
                             <a href="{% url 'extras:report_list' %}">Reports</a>
                         </li>