Check for the extras.run_script permission when running scripts via. the API

kkthxbye-code · jeremystretch · commit fb3d1ef399ea · 2023-01-17T10:13:18.000-05:00
diff --git a/netbox/extras/api/views.py b/netbox/extras/api/views.py
@@ -318,6 +318,10 @@ def post(self, request, pk):
         """
         Run a Script identified as "<module>.<script>" and return the pending JobResult as the result
         """
+
+        if not request.user.has_perm('extras.run_script'):
+            raise PermissionDenied("This user does not have permission to run scripts.")
+
         script = self._get_script(pk)()
         input_serializer = serializers.ScriptInputSerializer(data=request.data)
 
diff --git a/netbox/extras/tests/test_api.py b/netbox/extras/tests/test_api.py
@@ -590,6 +590,7 @@ def test_get_script(self):
 
     @skipIf(not rq_worker_running, "RQ worker not running")
     def test_run_script(self):
+        self.add_permissions('extras.run_script')
 
         script_data = {
             'var1': 'FooBar',
