NetBox version
v4.6.2
Feature type
Change to existing functionality
Proposed functionality
Require the calling API token to have write ability enabled (write_enabled=True) in order to run a script via the REST API (POST /api/extras/scripts/{id}/).
ScriptViewSet overrides permission_classes with [IsAuthenticatedOrLoginNotRequired], which removes TokenPermissions from the permission chain. Because TokenPermissions is the only permission class that consults the token's write_enabled flag, the override means script execution is permitted by read-only tokens, provided the user holds the run_script permission.
The endpoint should enforce token write ability for script execution. Note that this endpoint also supports session authentication (via IsAuthenticatedOrLoginNotRequired), so the enforcement must apply only to token-authenticated requests and must not block session-authenticated users.
Use case
API tokens can be created with write ability disabled so that they may be used for read-only automation and monitoring. Operators reasonably expect such tokens to be unable to make changes or trigger state-changing operations. Today a read-only token can still execute scripts, which contradicts that expectation and the principle of least privilege.
Database changes
N/A
External dependencies
N/A
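The check requested above, sketched as an added example that is not part of the original issue and is not NetBox code. `Token`, `User`, `Request`, `IsAuthenticated` (a simplified stand-in for IsAuthenticatedOrLoginNotRequired) and the `TokenWriteEnabled` class are hypothetical stand-ins so the block runs without Django or DRF. It assumes `request.auth` holds the token for token-authenticated requests and is `None` for session authentication.

```python
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # methods DRF treats as read-only

@dataclass
class Token:                       # stand-in for the API token model
    write_enabled: bool

@dataclass
class User:                        # stand-in user; run_script models the object permission
    is_authenticated: bool = True
    run_script: bool = True

@dataclass
class Request:                     # stand-in for a DRF request
    method: str
    user: User
    auth: Optional[Token] = None   # Token for token auth, None for session auth

class IsAuthenticated:
    """Simplified stand-in for IsAuthenticatedOrLoginNotRequired."""
    def has_permission(self, request, view=None):
        return request.user.is_authenticated

class TokenWriteEnabled:
    """Hypothetical extra class: constrains token-authenticated requests only."""
    def has_permission(self, request, view=None):
        if not isinstance(request.auth, Token):
            return True            # session auth: no token flag to enforce
        return request.method in SAFE_METHODS or request.auth.write_enabled

def allowed(request, permission_classes):
    """All classes in the chain must pass (as in DRF), then run_script is checked."""
    if not all(cls().has_permission(request) for cls in permission_classes):
        return False
    return request.user.run_script

CURRENT_CHAIN = [IsAuthenticated]                      # behaviour described in the issue
PROPOSED_CHAIN = [IsAuthenticated, TokenWriteEnabled]  # behaviour requested

def decisions(chain):
    """Constructed sample requests covering each authentication case."""
    cases = {
        "read-only token POST": Request("POST", User(), Token(write_enabled=False)),
        "write token POST": Request("POST", User(), Token(write_enabled=True)),
        "session POST": Request("POST", User(), None),
        "read-only token GET": Request("GET", User(), Token(write_enabled=False)),
        "write token, no run_script": Request("POST", User(run_script=False), Token(True)),
    }
    return {name: allowed(req, chain) for name, req in cases.items()}
```

Comparing `decisions(CURRENT_CHAIN)` with `decisions(PROPOSED_CHAIN)` shows the only outcome that changes is the read-only token POST; the session-authenticated request is unaffected.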