Permissions constraints are ignored when running script by API #20740

@llamafilm

Description

NetBox Edition

NetBox Community

NetBox Version

v4.4.1

Python Version

3.12

Steps to Reproduce

This is a follow-up to #15587.
When permission constraints are used to restrict users' ability to run specific scripts, it works as intended in the GUI, but API requests allow running all scripts, ignoring the constraint.

  1. Create two custom scripts, called "safe" and "dangerous"
  2. Create three permissions:
     • readonly can view all objects
     • read safe scripts can view Core | managed file with constraints {"data_path": "scripts/safe_script.py"}
     • run safe scripts can view and run Extras > Script with constraints {"name": "SafeScript"}
  3. Create a user called Alice with those permissions
  4. Create an API token for Alice
  5. Run the dangerous script by API:
     `curl -H "Content-Type: application/json" http://localhost:8000/api/extras/scripts/2/ --data '{"data": {}, "commit": true}' -H "Authorization: Token $ALICE_TOKEN"`

Expected Behavior

When Alice makes an API request to run the "dangerous script" it should fail.

Observed Behavior

Alice can run both scripts by API.
In the GUI, she can run the safe script, but when she tries to run the dangerous script, the run button is disabled.
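The point of the report is that an ObjectPermission constraint must be evaluated on every code path that runs a script, the REST API included. The following is an added example written for this page, not NetBox's own code: a plain-Python model of how a NetBox-style constraint (a JSON dict, or list of dicts, of Django field lookups that NetBox applies with `queryset.filter(**constraints)`) decides whether a script is in scope. `Script`, `Permission` and `can_run` are stand-ins, and only the exact, `__in` and `__startswith` lookups are modelled; the same check that yields "SafeScript allowed, DangerousScript denied" for the GUI is what the API view must also apply.

```python
# Added example (not NetBox code): a stand-in model of NetBox ObjectPermission
# constraint evaluation. Script/Permission/can_run are assumed names; only the
# exact, __in and __startswith lookups are modelled here.
from dataclasses import dataclass
from typing import Any


@dataclass
class Script:  # stand-in for extras.Script
    id: int
    name: str
    module_path: str


@dataclass
class Permission:  # stand-in for users.ObjectPermission
    actions: set[str]
    constraints: Any = None  # dict, list of dicts, or None (= no restriction)


def _lookup_matches(obj: Any, key: str, expected: Any) -> bool:
    # Django-style "field__lookup"; a bare field name means an exact match.
    fieldname, _, lookup = key.partition("__")
    actual = getattr(obj, fieldname)
    if lookup in ("", "exact"):
        return actual == expected
    if lookup == "in":
        return actual in expected
    if lookup == "startswith":
        return str(actual).startswith(expected)
    raise ValueError(f"unsupported lookup: {lookup}")


def constraint_matches(obj: Any, constraints: Any) -> bool:
    # NetBox semantics: a list of dicts is OR-ed, keys inside one dict are
    # AND-ed, and empty/None constraints match every object.
    if not constraints:
        return True
    if isinstance(constraints, dict):
        constraints = [constraints]
    return any(all(_lookup_matches(obj, k, v) for k, v in c.items()) for c in constraints)


def can_run(perms: list[Permission], script: Script) -> bool:
    # Grant only if some permission carries 'run' AND its constraints cover
    # this script. The GUI does this; the API path in the report does not.
    return any("run" in p.actions and constraint_matches(script, p.constraints)
               for p in perms)


# Constructed data mirroring the report: Alice may run only "SafeScript".
ALICE = [Permission({"view"}), Permission({"view", "run"}, {"name": "SafeScript"})]
SAFE = Script(1, "SafeScript", "scripts/safe_script.py")
DANGEROUS = Script(2, "DangerousScript", "scripts/dangerous_script.py")
```

Note that an unconstrained `run` permission (`constraints=None`) matches every script, so the bypass only matters when constraints are in use, which is exactly the setup above.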

Labels

  • netbox
  • severity: low (Does not significantly disrupt application functionality, or a workaround is available)
  • status: accepted (This issue has been accepted for implementation)
  • type: bug (A confirmed report of unexpected behavior in the application)
