Closed
Bug
Labels
- netbox
- severity: low (Does not significantly disrupt application functionality, or a workaround is available)
- status: accepted (This issue has been accepted for implementation)
- type: bug (A confirmed report of unexpected behavior in the application)
Description
NetBox Edition
NetBox Community
NetBox Version
v4.4.4
Python Version
3.12
Steps to Reproduce
- Create a standard user account without any extras or scripts permissions.
- Generate an API token for this user.
- Attempt to view the list of scripts via the UI at /extras/scripts/ → The user correctly sees no scripts.
- Use the same API token to perform a GET request to /api/extras/scripts/ (or a specific script at /api/extras/scripts/{id}/).
- Observe that the script details (name, module, variable definitions, and job results) are returned successfully via the API.
- Attempt to execute the script (POST request) via the API — this correctly returns a permission error (“This user does not have permission to run scripts.”).
Expected Behavior
When a user does not have permission to view or execute scripts, both the UI and API should hide scripts entirely.
The API /api/extras/scripts/ endpoint should return a permission error for such users, just like the ScriptListView does in the UI.
Observed Behavior
- The user cannot see any scripts in the UI, which is correct.
- However, the same user can access script metadata and historical execution results through the API by calling /api/extras/scripts/.
- The API response includes full script details (name, module, variable schema, and completed job logs), even though the user has no extras or scripts permissions.
- Execution attempts are correctly denied.
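
A check for the behaviour reported above, as an added example that is not part of the original issue or NetBox's own code: it requests /api/extras/scripts/ with a token belonging to a user who has no script permissions and reports whether script data comes back. The function names, the `Authorization: Token` header scheme and the paginated `results` response shape are assumptions of this example; the sample bodies in the comments are constructed.

```python
import json
import sys
import urllib.error
import urllib.request

SCRIPTS_PATH = "/api/extras/scripts/"  # endpoint named in the report


def classify(status, body):
    """Map an HTTP status and raw body to a verdict for a token that
    has no script permissions (hypothetical helper)."""
    if status in (401, 403):
        return "denied"  # the behaviour the report expects
    if status != 200:
        return "unexpected"
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"
    # Assumed shapes: a list response is paginated, e.g.
    # {"count": 1, "results": [{...}]}; a detail response is one object.
    if isinstance(data, dict) and "results" in data:
        # An empty list proves nothing: there may simply be no scripts.
        return "exposed" if data["results"] else "inconclusive"
    if isinstance(data, dict) and data.get("name"):
        return "exposed"
    return "unexpected"


def check(base_url, token, timeout=10):
    """GET the scripts list with the low-privilege token and classify it."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SCRIPTS_PATH,
        headers={"Authorization": f"Token {token}",
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    # usage: python check_scripts_acl.py <your NetBox base URL> <token>
    verdict = check(sys.argv[1], sys.argv[2])
    print(verdict)
    sys.exit(0 if verdict == "denied" else 1)
```

The non-zero exit status on anything other than `denied` lets the check run as a regression test after upgrading.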
