
It's possible to run scripts through the API without the extras.run_script permission #11497

@kkthxbye-code

NetBox version

v3.4.2

Python version

3.10

Steps to Reproduce

  1. Create a user with no permissions
  2. Create a token for the user
  3. Create a script - script0.Script0 as an example.
  4. Execute the script via the API:

curl -X POST -H "Authorization: Token TOKEN" -H "Content-Type: application/json" -H "Accept: application/json; indent=4" http://127.0.0.1:8000/api/extras/scripts/script0.Script0/ --data '{"data": {}, "commit": true}'

Expected Behavior

403 Forbidden

Observed Behavior

The script is run
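The gap reported above, as an added example that is not part of the original report and is not NetBox source code: a constructed model of a token-authenticated script endpoint, once with authentication only and once with the `extras.run_script` check that yields the expected 403. The tokens, users, handler names and status handling are assumptions made for illustration.

```python
# Constructed model of the flaw in this report; not NetBox source code.
from dataclasses import dataclass, field

RUN_SCRIPT = "extras.run_script"  # permission named in the issue title


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


# Constructed sample data: API token -> user (hypothetical values)
TOKENS = {
    "tok-noperm": User("noperm"),
    "tok-runner": User("runner", {RUN_SCRIPT}),
}
SCRIPTS = {"script0.Script0": lambda data, commit: "ran"}


def authenticate(headers):
    """Resolve 'Authorization: Token <key>' to a user, or None."""
    scheme, _, key = headers.get("Authorization", "").partition(" ")
    return TOKENS.get(key) if scheme == "Token" else None


def post_script_unchecked(headers, script_id, body):
    """Behaviour reported in the issue: authentication only, no authorization."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    script = SCRIPTS.get(script_id)
    if script is None:
        return 404, None
    return 200, script(body.get("data", {}), body.get("commit", False))


def post_script_checked(headers, script_id, body):
    """Expected behaviour: refuse with 403 unless the user holds run_script."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    if RUN_SCRIPT not in user.permissions:
        return 403, None  # checked before the script is looked up or executed
    script = SCRIPTS.get(script_id)
    if script is None:
        return 404, None
    return 200, script(body.get("data", {}), body.get("commit", False))
```

Placing the permission check before the script lookup also means a user without the permission gets the same 403 for existing and non-existing script names.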

Labels

status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)
