CVE-2023-51649: Nautobot missing object-level permissions enforcement when running Job Buttons

When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case (/extras/job-button/<uuid>/run/) The effect is that a user with permissions to run even a single Job can actually run all configured JobButton Jobs.

Not all Jobs can be configured as JobButtons; only those implemented as subclasses of JobButtonReceiver can be used in this way, so this vulnerability only applies specifically to JobButtonReceiver subclasses.

Additionally, although the documentation states that both extras.run_job permission and extras.run_jobbutton permission must be granted to a user in order to run Jobs via JobButton, the extras.run_jobbutton permission is not actually enforced by the view code, only by the UI by disabling the button from being clicked normally. Furthermore, the extras.run_jobbutton permission never prevented invoking Jobs (including JobButtonReceiver subclasses) via the normal “Job Run” UI, so after some discussion, we’ve decided that the extras.run_jobbutton permission is redundant, and as it never achieved its stated/documented purpose, the fixes below will remove the UI check for extras.run_jobbutton and all other references to the extras.run_jobbutton permission, rather than adding enforcement of this previously unenforced permission.