Update ObjectPermission evaluation to support null attrs

2025-07-22 20:12:00 -06:00 · 2020-05-28 09:39:27 -04:00 · 2020-05-28 09:39:27 -04:00 · 814aff78b5
commit 814aff78b5
parent a261d10bfd
2 changed files with 14 additions and 8 deletions
--- a/netbox/utilities/api.py
+++ b/netbox/utilities/api.py
@ -6,7 +6,7 @@ from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import FieldError, MultipleObjectsReturned, ObjectDoesNotExist, PermissionDenied
 from django.db import transaction
-from django.db.models import ManyToManyField, ProtectedError
+from django.db.models import ManyToManyField, ProtectedError, Q
 from django.urls import reverse
 from rest_framework.exceptions import APIException
 from rest_framework.permissions import BasePermission
@ -339,12 +339,13 @@ class ModelViewSet(_ModelViewSet):
        }
        permission_required = TokenPermissions.perms_map[request.method][0] % kwargs

-        # Enforce object-level permissions
-        attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
-        if attrs:
-            # Update the view's QuerySet to filter only the permitted objects
-            self.queryset = self.queryset.filter(attrs)
-            return True
+        # Update the view's QuerySet to filter only the permitted objects
+        obj_perm_attrs = request.user._object_perm_cache[permission_required]
+        attrs = Q()
+        for perm_attrs in obj_perm_attrs:
+            if perm_attrs:
+                attrs |= Q(**perm_attrs)
+        self.queryset = self.queryset.filter(attrs)

    def dispatch(self, request, *args, **kwargs):
        logger = logging.getLogger('netbox.api.views.ModelViewSet')
--- a/netbox/utilities/auth_backends.py
+++ b/netbox/utilities/auth_backends.py
@ -80,7 +80,12 @@ class ObjectPermissionBackend(ModelBackend):
        obj_perm_attrs = self.get_object_permissions(user_obj)[perm]
        attrs = Q()
        for perm_attrs in obj_perm_attrs:
-            attrs |= Q(**perm_attrs)
+            if perm_attrs:
+                attrs |= Q(**perm_attrs)
+            else:
+                # Found ObjectPermission with null attrs; allow model-level access
+                attrs = Q()
+                break

        # Permission to perform the requested action on the object depends on whether the specified object matches
        # the specified attributes. Note that this check is made against the *database* record representing the object,