From e91020b0cb7c6768296df760218612a2b2f6b67d Mon Sep 17 00:00:00 2001
From: Elliott Balsley <3991046+llamafilm@users.noreply.github.com>
Date: Tue, 18 Nov 2025 18:38:42 -0800
Subject: [PATCH] check object-level permission constraints
---
 netbox/extras/api/views.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/netbox/extras/api/views.py b/netbox/extras/api/views.py
index f333d5dbf41..6bc4d35f92f 100644
--- a/netbox/extras/api/views.py
+++ b/netbox/extras/api/views.py
@@ -290,10 +290,12 @@ def post(self, request, pk):
 """
 Run a Script identified by its numeric PK or module & name and return the pending Job as the result
 """
- if not request.user.has_perm('extras.run_script'):
- raise PermissionDenied("This user does not have permission to run scripts.")
 script = self._get_script(pk)
+
+ if not request.user.has_perm('extras.run_script', obj=script):
+ raise PermissionDenied("This user does not have permission to run this script.")
+
 input_serializer = serializers.ScriptInputSerializer(
 data=request.data,
 context={'script': script}
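Review bot: Moving the check below `self._get_script(pk)` means a caller with no `extras.run_script` permission at all now reaches the lookup first. Whatever `_get_script` raises for an unknown PK (it is outside this hunk, presumably a 404) is then returned ahead of the 403, so the two responses would let such a caller tell which scripts exist. Keeping the old model-level gate ahead of the lookup and adding the object-level one after it avoids that: `if not request.user.has_perm('extras.run_script'): raise PermissionDenied(...)` before `script = self._get_script(pk)`, then the new `obj=script` check. The diffstat shows only `views.py` changed, so a regression test would pin the new behaviour: a user whose `run_script` permission is constrained to a different script should have the POST rejected. `post` continues past the end of the hunk.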