nautobot 1.6.21__py3-none-any.whl → 1.6.23__py3-none-any.whl

nautobot/core/settings.py

@@ -59,6 +59,14 @@ ALLOWED_URL_SCHEMES = (
     "xmpp",
 )
 
+# Banners to display to users. Markdown and limited HTML are allowed.
+if "NAUTOBOT_BANNER_BOTTOM" in os.environ and os.environ["NAUTOBOT_BANNER_BOTTOM"] != "":
+    BANNER_BOTTOM = os.environ["NAUTOBOT_BANNER_BOTTOM"]
+if "NAUTOBOT_BANNER_LOGIN" in os.environ and os.environ["NAUTOBOT_BANNER_LOGIN"] != "":
+    BANNER_LOGIN = os.environ["NAUTOBOT_BANNER_LOGIN"]
+if "NAUTOBOT_BANNER_TOP" in os.environ and os.environ["NAUTOBOT_BANNER_TOP"] != "":
+    BANNER_TOP = os.environ["NAUTOBOT_BANNER_TOP"]
+
 # Base directory wherein all created files (jobs, git repositories, file uploads, static files) will be stored)
 NAUTOBOT_ROOT = os.getenv("NAUTOBOT_ROOT", os.path.expanduser("~/.nautobot"))
 
@@ -586,15 +594,15 @@ CONSTANCE_CONFIG = {
     ],
     "BANNER_BOTTOM": [
         "",
-        "Custom HTML to display in a banner at the bottom of all pages.",
+        "Custom Markdown or limited HTML to display in a banner at the bottom of all pages.",
     ],
     "BANNER_LOGIN": [
         "",
-        "Custom HTML to display in a banner at the top of the login page.",
+        "Custom Markdown or limited HTML to display in a banner at the top of the login page.",
     ],
     "BANNER_TOP": [
         "",
-        "Custom HTML to display in a banner at the top of all pages.",
+        "Custom Markdown or limited HTML to display in a banner at the top of all pages.",
     ],
     "CHANGELOG_RETENTION": [
         90,
@@ -869,6 +877,8 @@ BRANDING_FILEPATHS = {
     "icon_mask": os.getenv(
         "NAUTOBOT_BRANDING_FILEPATHS_ICON_MASK", None
     ),  # mono-chrome icon used for the mask-icon header
+    "css": os.getenv("NAUTOBOT_BRANDING_FILEPATHS_CSS", None),  # Custom global CSS
+    "javascript": os.getenv("NAUTOBOT_BRANDING_FILEPATHS_JAVASCRIPT", None),  # Custom global JavaScript
 }
 
 # Title to use in place of "Nautobot"

nautobot/core/templates/admin/base.html

@@ -32,6 +32,9 @@
     <link rel="stylesheet" id="base-theme"
           href="{% static 'css/base.css' %}?v{{ settings.VERSION }}"
           onerror="window.location='{% url 'media_failure' %}?filename=css/base.css'">
+    {% if settings.BRANDING_FILEPATHS.css %}
+    <link rel="stylesheet" id="custom-css" href="{% custom_branding_or_static 'css' None %}">
+    {% endif %}
     <link rel="apple-touch-icon" sizes="180x180" href="{% static 'img/nautobot_icon_180x180.png' %}">
     <link rel="icon" type="image/png" sizes="32x32" href="{% static 'img/nautobot_icon_32x32.png' %}">
     <link rel="icon" type="image/png" sizes="16x16" href="{% static 'img/nautobot_icon_16x16.png' %}">
@@ -101,7 +104,7 @@
 <div class="container-fluid wrapper" {% if is_popup %}style="padding-bottom: 0px;"{% endif %}>
     {% if "BANNER_TOP"|settings_or_config %}
         <div class="alert alert-info text-center" role="alert">
-            {{ "BANNER_TOP"|settings_or_config|safe }}
+            {{ "BANNER_TOP"|settings_or_config|render_markdown }}
         </div>
     {% endif %}
     {% if settings.MAINTENANCE_MODE %}
@@ -153,7 +156,7 @@
     <div class="push"></div>
     {% if "BANNER_BOTTOM"|settings_or_config %}
         <div class="alert alert-info text-center banner-bottom" role="alert">
-                {{ "BANNER_BOTTOM"|settings_or_config|safe }}
+                {{ "BANNER_BOTTOM"|settings_or_config|render_markdown }}
         </div>
     {% endif %}
 </div>
@@ -189,6 +192,9 @@
 {% endif %}
 {% include 'modals/modal_theme.html' with name='theme'%}
 <script src="{% static 'js/theme.js' %}"></script>
+{% if settings.BRANDING_FILEPATHS.javascript %}
+<script src="{% custom_branding_or_static 'javascript' None %}"></script>
+{% endif %}
 {% block javascript %}{% endblock %}
 </body>
 </html>

nautobot/core/templates/base.html

@@ -15,7 +15,7 @@
         {% if request.user.is_authenticated or not "HIDE_RESTRICTED_UI"|settings_or_config %}
             {% if "BANNER_TOP"|settings_or_config %}
                 <div class="alert alert-info text-center" role="alert">
-                    {{ "BANNER_TOP"|settings_or_config|safe }}
+                    {{ "BANNER_TOP"|settings_or_config|render_markdown }}
                 </div>
             {% endif %}
         {% endif %}
@@ -40,7 +40,7 @@
         {% if request.user.is_authenticated or not "HIDE_RESTRICTED_UI"|settings_or_config %}
             {% if "BANNER_BOTTOM"|settings_or_config %}
                 <div class="alert alert-info text-center banner-bottom" role="alert">
-                    {{ "BANNER_BOTTOM"|settings_or_config|safe }}
+                    {{ "BANNER_BOTTOM"|settings_or_config|render_markdown }}
                 </div>
             {% endif %}
         {% endif %}

nautobot/core/templates/graphene/graphiql.html

@@ -36,6 +36,9 @@ add "&raw" to the end of the URL within a browser.
   <link rel="stylesheet"
         href="{% static 'css/base.css' %}?v{{ settings.VERSION }}"
         onerror="window.location='{% url 'media_failure' %}?filename=css/base.css'">
+    {% if settings.BRANDING_FILEPATHS.css %}
+    <link rel="stylesheet" id="custom-css" href="{% custom_branding_or_static 'css' None %}">
+    {% endif %}
   <link rel="apple-touch-icon" sizes="180x180" href="{% custom_branding_or_static 'icon_180' 'img/nautobot_icon_180x180.png' %}">
   <link rel="icon" type="image/png" sizes="32x32" href="{% custom_branding_or_static 'icon_32' 'img/nautobot_icon_32x32.png' %}">
   <link rel="icon" type="image/png" sizes="16x16" href="{% custom_branding_or_static 'icon_16' 'img/nautobot_icon_16x16.png' %}">

nautobot/core/templates/inc/javascript.html

@@ -52,3 +52,6 @@
             dropdown.removeClass('edge');
     })
 </script>
+{% if settings.BRANDING_FILEPATHS.javascript %}
+<script src="{% custom_branding_or_static 'javascript' None %}"></script>
+{% endif %}

nautobot/core/templates/inc/media.html

@@ -26,6 +26,9 @@
     <link rel="stylesheet" id="base-theme"
           href="{% static 'css/base.css' %}?v{{ settings.VERSION }}"
           onerror="window.location='{% url 'media_failure' %}?filename=css/base.css'">
+    {% if settings.BRANDING_FILEPATHS.css %}
+    <link rel="stylesheet" id="custom-css" href="{% custom_branding_or_static 'css' None %}">
+    {% endif %}
     <link rel="apple-touch-icon" sizes="180x180" href="{% custom_branding_or_static 'icon_180' 'img/nautobot_icon_180x180.png' %}">
     <link rel="icon" type="image/png" sizes="32x32" href="{% custom_branding_or_static 'icon_32' 'img/nautobot_icon_32x32.png' %}">
     <link rel="icon" type="image/png" sizes="16x16" href="{% custom_branding_or_static 'icon_16' 'img/nautobot_icon_16x16.png' %}">

nautobot/core/templates/login.html

@@ -53,8 +53,8 @@
 <div class="row" style="margin-top: {% if 'BANNER_LOGIN'|settings_or_config %}100{% else %}150{% endif %}px;">
     <div class="col-sm-4 col-sm-offset-4">
         {% if "BANNER_LOGIN"|settings_or_config %}
-            <div style="margin-bottom: 25px">
-                {{ "BANNER_LOGIN"|settings_or_config|safe }}
+            <div class="alert alert-info text-center" role="alert">
+                {{ "BANNER_LOGIN"|settings_or_config|render_markdown }}
             </div>
         {% endif %}
         {% if form.non_field_errors %}

nautobot/core/templates/nautobot_config.py.j2

@@ -263,6 +263,8 @@ SECRET_KEY = os.getenv("NAUTOBOT_SECRET_KEY", "{{ secret_key }}")
 #     "icon_mask": os.getenv(
 #         "NAUTOBOT_BRANDING_FILEPATHS_ICON_MASK", None
 #     ),  # mono-chrome icon used for the mask-icon header
+#     "css": os.getenv("NAUTOBOT_BRANDING_FILEPATHS_CSS", None),  # Custom global CSS
+#     "javascript": os.getenv("NAUTOBOT_BRANDING_FILEPATHS_JAVASCRIPT", None),  # Custom global JavaScript
 # }
 
 # Prepended to CSV, YAML and export template filenames (i.e. `nautobot_device.yml`)

nautobot/core/tests/test_views.py

@@ -99,6 +99,39 @@ class HomeViewTestCase(TestCase):
         response_content = response.content.decode(response.charset).replace("\n", "")
         self.assertNotRegex(response_content, footer_hostname_version_pattern)
 
+    def test_banners_markdown(self):
+        url = reverse("home")
+        with override_settings(
+            BANNER_TOP="# Hello world",
+            BANNER_BOTTOM="[info](https://nautobot.com)",
+        ):
+            response = self.client.get(url)
+        self.assertInHTML("<h1>Hello world</h1>", response.content.decode(response.charset))
+        self.assertInHTML(
+            '<a href="https://nautobot.com" rel="noopener noreferrer">info</a>',
+            response.content.decode(response.charset),
+        )
+
+        with override_settings(BANNER_LOGIN="_Welcome to Nautobot!_"):
+            self.client.logout()
+            response = self.client.get(reverse("login"))
+        self.assertInHTML("<em>Welcome to Nautobot!</em>", response.content.decode(response.charset))
+
+    def test_banners_no_xss(self):
+        url = reverse("home")
+        with override_settings(
+            BANNER_TOP='<script>alert("Hello from above!");</script>',
+            BANNER_BOTTOM='<script>alert("Hello from below!");</script>',
+        ):
+            response = self.client.get(url)
+        self.assertNotIn("Hello from above", response.content.decode(response.charset))
+        self.assertNotIn("Hello from below", response.content.decode(response.charset))
+
+        with override_settings(BANNER_LOGIN='<script>alert("Welcome to Nautobot!");</script>'):
+            self.client.logout()
+            response = self.client.get(reverse("login"))
+        self.assertNotIn("Welcome to Nautobot!", response.content.decode(response.charset))
+
 
 @override_settings(BRANDING_TITLE="Nautobot")
 class SearchFieldsTestCase(TestCase):

nautobot/extras/api/views.py

@@ -330,13 +330,13 @@ class DynamicGroupViewSet(ModelViewSet, NotesViewSetMixin):
     # @extend_schema(methods=["get"], responses={200: member_response})
     @action(detail=True, methods=["get"])
     def members(self, request, pk, *args, **kwargs):
-        """List member objects of the same type as the `content_type` for this dynamic group."""
+        """List the member objects of this dynamic group."""
         instance = get_object_or_404(self.queryset, pk=pk)
 
         # Retrieve the serializer for the content_type and paginate the results
         member_model_class = instance.content_type.model_class()
         member_serializer_class = get_serializer_for_model(member_model_class)
-        members = self.paginate_queryset(instance.members)
+        members = self.paginate_queryset(instance.members.restrict(request.user, "view"))
         member_serializer = member_serializer_class(members, many=True, context={"request": request})
         return self.get_paginated_response(member_serializer.data)
 

nautobot/extras/tests/test_api.py

@@ -69,6 +69,7 @@ from nautobot.ipam.factory import VLANFactory
 from nautobot.ipam.models import VLAN, VLANGroup
 from nautobot.users.models import ObjectPermission
 from nautobot.utilities.choices import ColorChoices
+from nautobot.utilities.permissions import get_permission_for_model
 from nautobot.utilities.testing import APITestCase, APIViewTestCases
 from nautobot.utilities.testing.utils import disable_warnings
 from nautobot.utilities.utils import get_route_for_model, slugify_dashes_to_underscores
@@ -752,13 +753,34 @@ class DynamicGroupTest(DynamicGroupTestMixin, APIViewTestCases.APIViewTestCase):
     def test_get_members(self):
         """Test that the `/members/` API endpoint returns what is expected."""
         self.add_permissions("extras.view_dynamicgroup")
-        instance = DynamicGroup.objects.first()
+        instance = self.groups[0]
+        self.add_permissions(get_permission_for_model(instance.content_type.model_class(), "view"))
         member_count = instance.members.count()
         url = reverse("extras-api:dynamicgroup-members", kwargs={"pk": instance.pk})
         response = self.client.get(url, **self.header)
         self.assertHttpStatus(response, status.HTTP_200_OK)
         self.assertEqual(member_count, len(response.json()["results"]))
 
+    def test_get_members_with_constrained_permission(self):
+        """Test that the `/members/` API endpoint enforces permissions on the member model."""
+        self.add_permissions("extras.view_dynamicgroup")
+        instance = self.groups[0]
+        obj1 = instance.members.first()
+        obj_perm = ObjectPermission(
+            name="Test permission",
+            constraints={"pk__in": [obj1.pk]},
+            actions=["view"],
+        )
+        obj_perm.save()
+        obj_perm.users.add(self.user)
+        obj_perm.object_types.add(instance.content_type)
+
+        url = reverse("extras-api:dynamicgroup-members", kwargs={"pk": instance.pk})
+        response = self.client.get(url, **self.header)
+        self.assertHttpStatus(response, status.HTTP_200_OK)
+        self.assertEqual(len(response.json()["results"]), 1)
+        self.assertEqual(response.json()["results"][0]["id"], str(obj1.pk))
+
 
 class DynamicGroupMembershipTest(DynamicGroupTestMixin, APIViewTestCases.APIViewTestCase):
     model = DynamicGroupMembership

nautobot/extras/tests/test_datasources.py

@@ -27,6 +27,7 @@ from nautobot.extras.models import (
     ConfigContextSchema,
     ExportTemplate,
     GitRepository,
+    Job,
     JobLogEntry,
     JobResult,
     Secret,
@@ -119,13 +120,13 @@ class GitTest(TransactionTestCase):
 
     def populate_repo(self, path, url, *args, **kwargs):
         os.makedirs(path)
-        # TODO(Glenn): populate Jobs as well?
         os.makedirs(os.path.join(path, "config_contexts"))
         os.makedirs(os.path.join(path, "config_contexts", "devices"))
         os.makedirs(os.path.join(path, "config_contexts", "locations"))
         os.makedirs(os.path.join(path, "config_context_schemas"))
         os.makedirs(os.path.join(path, "export_templates", "dcim", "device"))
         os.makedirs(os.path.join(path, "export_templates", "ipam", "vlan"))
+        os.makedirs(os.path.join(path, "jobs"))
 
         with open(os.path.join(path, "config_contexts", "context.yaml"), "w") as fd:
             yaml.dump(
@@ -167,6 +168,19 @@ class GitTest(TransactionTestCase):
         with open(os.path.join(path, "export_templates", "ipam", "vlan", "template.j2"), "w") as fd:
             fd.write("{% for vlan in queryset %}\n{{ vlan.name }}\n{% endfor %}")
 
+        with open(os.path.join(path, "jobs", "__init__.py"), "w") as fd:
+            pass
+
+        with open(os.path.join(path, "jobs", "job.py"), "w") as fd:
+            fd.write(
+                """\
+from nautobot.extras.jobs import Job
+
+class MyJob(Job):
+    def run(self, data, commit):
+        pass"""
+            )
+
         return mock.DEFAULT
 
     def empty_repo(self, path, url, *args, **kwargs):
@@ -177,6 +191,8 @@ class GitTest(TransactionTestCase):
         os.remove(os.path.join(path, "export_templates", "dcim", "device", "template.j2"))
         os.remove(os.path.join(path, "export_templates", "dcim", "device", "template2.html"))
         os.remove(os.path.join(path, "export_templates", "ipam", "vlan", "template.j2"))
+        os.remove(os.path.join(path, "jobs", "__init__.py"))
+        os.remove(os.path.join(path, "jobs", "job.py"))
         return mock.DEFAULT
 
     def assert_config_context_schema_record_exists(self, name):
@@ -263,6 +279,11 @@ class GitTest(TransactionTestCase):
         )
         self.assertIsNotNone(export_template_vlan)
 
+    def assert_job_exists(self, installed=True):
+        """Helper function to assert Job exists."""
+        job = Job.objects.get(git_repository=self.repo, job_class_name="MyJob")
+        self.assertEqual(job.installed, installed)
+
     def test_pull_git_repository_and_refresh_data_with_no_data(self, MockGitRepo):
         """
         The pull_git_repository_and_refresh_data job should succeed if the given repo is empty.
@@ -482,6 +503,8 @@ class GitTest(TransactionTestCase):
                 # Case when ContentType.model != ContentType.name, template was added and deleted during sync (#570)
                 self.assert_export_template_vlan_exists("template.j2")
 
+                self.assert_job_exists()
+
                 # Now "resync" the repository, but now those files no longer exist in the repository
                 MockGitRepo.side_effect = self.empty_repo
                 # For verisimilitude, don't re-use the old request and job_result
@@ -525,6 +548,9 @@ class GitTest(TransactionTestCase):
                 self.assertIsNone(device.local_context_data)
                 self.assertIsNone(device.local_context_data_owner)
 
+                # Job should still be present in the database but no longer installed
+                self.assert_job_exists(installed=False)
+
     def test_pull_git_repository_and_refresh_data_with_bad_data(self, MockGitRepo):
         """
         The test_pull_git_repository_and_refresh_data job should gracefully handle bad data in the Git repository
@@ -654,11 +680,11 @@ class GitTest(TransactionTestCase):
 
                 def populate_repo(path, url):
                     os.makedirs(path)
-                    # Just make config_contexts and export_templates directories as we don't load jobs
                     os.makedirs(os.path.join(path, "config_contexts"))
                     os.makedirs(os.path.join(path, "config_contexts", "devices"))
                     os.makedirs(os.path.join(path, "config_context_schemas"))
                     os.makedirs(os.path.join(path, "export_templates", "dcim", "device"))
+                    os.makedirs(os.path.join(path, "jobs"))
                     with open(os.path.join(path, "config_contexts", "context.yaml"), "w") as fd:
                         yaml.dump(
                             {
@@ -685,6 +711,18 @@ class GitTest(TransactionTestCase):
                         "w",
                     ) as fd:
                         fd.write("{% for device in queryset %}\n{{ device.name }}\n{% endfor %}")
+                    with open(os.path.join(path, "jobs", "__init__.py"), "w") as fd:
+                        pass
+                    with open(os.path.join(path, "jobs", "job.py"), "w") as fd:
+                        fd.write(
+                            """\
+from nautobot.extras.jobs import Job
+
+class MyJob(Job):
+    def run(self, data, commit):
+        pass"""
+                        )
+
                     return mock.DEFAULT
 
                 MockGitRepo.side_effect = populate_repo
@@ -744,6 +782,8 @@ class GitTest(TransactionTestCase):
                 )
                 self.assertIsNotNone(export_template)
 
+                self.assert_job_exists()
+
                 # Now delete the GitRepository
                 self.repo.delete()
 
@@ -768,6 +808,36 @@ class GitTest(TransactionTestCase):
                 device = Device.objects.get(name=self.device.name)
                 self.assertIsNone(device.local_context_data)
                 self.assertIsNone(device.local_context_data_owner)
+                self.assert_job_exists(installed=False)
+
+                # Now recreate the repository (https://github.com/nautobot/nautobot/issues/2974)
+                self.repo = GitRepository(
+                    name="Test Git Repository",
+                    slug="test_git_repo",
+                    remote_url="http://localhost/git.git",
+                    # Provide everything we know we can provide
+                    provided_contents=[
+                        entry.content_identifier for entry in get_datasource_contents("extras.gitrepository")
+                    ],
+                )
+                self.repo.save(trigger_resync=False)
+
+                self.job_result = JobResult.objects.create(
+                    name=self.repo.name,
+                    obj_type=ContentType.objects.get_for_model(GitRepository),
+                    job_id=uuid.uuid4(),
+                )
+
+                pull_git_repository_and_refresh_data(self.repo.pk, self.mock_request, self.job_result.pk)
+                self.job_result.refresh_from_db()
+
+                self.assertEqual(
+                    self.job_result.status,
+                    JobResultStatusChoices.STATUS_COMPLETED,
+                    self.job_result.data,
+                )
+
+                self.assert_job_exists(installed=True)
 
     def test_git_dry_run(self, MockGitRepo):
         with tempfile.TemporaryDirectory() as tempdir:

nautobot/extras/tests/test_dynamicgroups.py

@@ -1002,7 +1002,7 @@ class DynamicGroupModelTest(DynamicGroupTestBase):
             group.members_cached
             self.assertEqual(mock_get_queryset.call_count, 1)
 
-            time.sleep(2)  # Let the cache expire
+            time.sleep(3)  # Let the cache expire
 
             group.members_cached
             self.assertEqual(mock_get_queryset.call_count, 2)

nautobot/extras/tests/test_views.py

@@ -66,6 +66,7 @@ from nautobot.extras.utils import get_job_content_type, TaggableClassesQuery
 from nautobot.ipam.factory import VLANFactory
 from nautobot.ipam.models import VLAN, VLANGroup
 from nautobot.users.models import ObjectPermission
+from nautobot.utilities.permissions import get_permission_for_model
 from nautobot.utilities.testing import ViewTestCases, TestCase, extract_page_body, extract_form_failures
 from nautobot.utilities.testing.utils import disable_warnings, post_data
 from nautobot.utilities.utils import slugify_dashes_to_underscores
@@ -614,9 +615,11 @@ class DynamicGroupTestCase(
         content_type = ContentType.objects.get_for_model(Device)
 
         # DynamicGroup objects to test.
-        DynamicGroup.objects.create(name="DG 1", slug="dg-1", content_type=content_type)
-        DynamicGroup.objects.create(name="DG 2", slug="dg-2", content_type=content_type)
-        DynamicGroup.objects.create(name="DG 3", slug="dg-3", content_type=content_type)
+        cls.dynamic_groups = [
+            DynamicGroup.objects.create(name="DG 1", slug="dg-1", content_type=content_type),
+            DynamicGroup.objects.create(name="DG 2", slug="dg-2", content_type=content_type),
+            DynamicGroup.objects.create(name="DG 3", slug="dg-3", content_type=content_type),
+        ]
 
         manufacturer = Manufacturer.objects.create(name="Manufacturer 1", slug="manufacturer-1")
         devicetype = DeviceType.objects.create(manufacturer=manufacturer, model="Device Type 1", slug="device-type-1")
@@ -637,6 +640,38 @@ class DynamicGroupTestCase(
             "dynamic_group_memberships-MAX_NUM_FORMS": "1000",
         }
 
+    def test_get_object_with_permission(self):
+        instance = self._get_queryset().first()
+        # Add view permissions for the group's members:
+        self.add_permissions(get_permission_for_model(instance.content_type.model_class(), "view"))
+
+        response = super().test_get_object_with_permission()
+
+        response_body = extract_page_body(response.content.decode(response.charset))
+        # Check that the "members" table in the detail view includes all appropriate member objects
+        for member in instance.members:
+            self.assertIn(str(member.pk), response_body)
+
+    def test_get_object_with_constrained_permission(self):
+        instance = self._get_queryset().first()
+        # Add view permission for one of the group's members but not the others:
+        member1, member2 = instance.members[:2]
+        obj_perm = ObjectPermission(
+            name="Members permission",
+            constraints={"pk": member1.pk},
+            actions=["view"],
+        )
+        obj_perm.save()
+        obj_perm.users.add(self.user)
+        obj_perm.object_types.add(instance.content_type)
+
+        response = super().test_get_object_with_constrained_permission()
+
+        response_body = extract_page_body(response.content.decode(response.charset))
+        # Check that the "members" table in the detail view includes all permitted member objects
+        self.assertIn(str(member1.pk), response_body)
+        self.assertNotIn(str(member2.pk), response_body)
+
     def test_get_object_dynamic_groups_anonymous(self):
         url = reverse("dcim:device_dynamicgroups", kwargs={"pk": Device.objects.first().pk})
         self.client.logout()
@@ -660,7 +695,6 @@ class DynamicGroupTestCase(
         self.assertIn("DG 3", response_body, msg=response_body)
 
     def test_get_object_dynamic_groups_with_constrained_permission(self):
-        self.add_permissions("extras.view_dynamicgroup")
         obj_perm = ObjectPermission(
             name="View a device",
             constraints={"pk": Device.objects.first().pk},
@@ -669,12 +703,22 @@ class DynamicGroupTestCase(
         obj_perm.save()
         obj_perm.users.add(self.user)
         obj_perm.object_types.add(ContentType.objects.get_for_model(Device))
+        obj_perm_2 = ObjectPermission(
+            name="View a Dynamic Group",
+            constraints={"pk": self.dynamic_groups[0].pk},
+            actions=["view"],
+        )
+        obj_perm_2.save()
+        obj_perm_2.users.add(self.user)
+        obj_perm_2.object_types.add(ContentType.objects.get_for_model(DynamicGroup))
 
         url = reverse("dcim:device_dynamicgroups", kwargs={"pk": Device.objects.first().pk})
         response = self.client.get(url)
         self.assertHttpStatus(response, 200)
         response_body = response.content.decode(response.charset)
         self.assertIn("DG 1", response_body, msg=response_body)
+        self.assertNotIn("DG 2", response_body, msg=response_body)
+        self.assertNotIn("DG 3", response_body, msg=response_body)
 
         url = reverse("dcim:device_dynamicgroups", kwargs={"pk": Device.objects.last().pk})
         response = self.client.get(url)

nautobot/extras/utils.py

@@ -9,6 +9,7 @@ import sys
 from django.apps import apps
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
+from django.db import IntegrityError
 from django.db.models import Q
 from django.template.loader import get_template, TemplateDoesNotExist
 from django.utils.deconstruct import deconstructible
@@ -365,21 +366,37 @@ def refresh_job_model_from_job_class(job_model_class, job_source, job_class, *,
             JOB_MAX_NAME_LENGTH,
         )
 
-    job_model, created = job_model_class.objects.get_or_create(
-        source=job_source[:JOB_MAX_SOURCE_LENGTH],
-        git_repository=git_repository,
-        module_name=job_class.__module__[:JOB_MAX_NAME_LENGTH],
-        job_class_name=job_class.__name__[:JOB_MAX_NAME_LENGTH],
-        defaults={
-            "slug": default_slug[:JOB_MAX_SLUG_LENGTH],
-            "grouping": job_class.grouping[:JOB_MAX_GROUPING_LENGTH],
-            "name": job_class.name[:JOB_MAX_NAME_LENGTH],
-            "is_job_hook_receiver": issubclass(job_class, JobHookReceiver),
-            "is_job_button_receiver": issubclass(job_class, JobButtonReceiver),
-            "installed": True,
-            "enabled": False,
-        },
-    )
+    try:
+        job_model, created = job_model_class.objects.get_or_create(
+            source=job_source[:JOB_MAX_SOURCE_LENGTH],
+            git_repository=git_repository,
+            module_name=job_class.__module__[:JOB_MAX_NAME_LENGTH],
+            job_class_name=job_class.__name__[:JOB_MAX_NAME_LENGTH],
+            defaults={
+                "slug": default_slug[:JOB_MAX_SLUG_LENGTH],
+                "grouping": job_class.grouping[:JOB_MAX_GROUPING_LENGTH],
+                "name": job_class.name[:JOB_MAX_NAME_LENGTH],
+                "is_job_hook_receiver": issubclass(job_class, JobHookReceiver),
+                "is_job_button_receiver": issubclass(job_class, JobButtonReceiver),
+                "installed": True,
+                "enabled": False,
+            },
+        )
+    except IntegrityError:
+        # can occur in the case where we've deleted a GitRepository, resulting in a Job record with
+        # source="git" but git_repository=None, and are now creating a new GitRepository to "re-claim" the Job.
+        if git_repository is not None:
+            created = False
+            job_model = job_model_class.objects.get(
+                source=job_source[:JOB_MAX_SOURCE_LENGTH],
+                git_repository=None,
+                module_name=job_class.__module__[:JOB_MAX_NAME_LENGTH],
+                job_class_name=job_class.__name__[:JOB_MAX_NAME_LENGTH],
+            )
+            job_model.git_repository = git_repository
+            job_model.save()
+        else:
+            raise
 
     for field_name in JOB_OVERRIDABLE_FIELDS:
         # Was this field directly inherited from the job before, or was it overridden in the database?

nautobot/extras/views.py

@@ -550,7 +550,7 @@ class DynamicGroupView(generic.ObjectView):
 
         if table_class is not None:
             # Members table (for display on Members nav tab)
-            members_table = table_class(instance.members, orderable=False)
+            members_table = table_class(instance.members.restrict(request.user, "view"), orderable=False)
             paginate = {
                 "paginator_class": EnhancedPaginator,
                 "per_page": get_paginate_count(request),
@@ -722,7 +722,9 @@ class ObjectDynamicGroupsView(generic.GenericView):
             obj = get_object_or_404(model, **kwargs)
 
         # Gather all dynamic groups for this object (and its related objects)
-        dynamicsgroups_table = tables.DynamicGroupTable(data=obj.dynamic_groups_cached, orderable=False)
+        dynamicsgroups_table = tables.DynamicGroupTable(
+            data=obj.dynamic_groups_cached.restrict(request.user, "view"), orderable=False
+        )
 
         # Apply the request context
         paginate = {