NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-12-19 20:02:22 -06:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

Update views to restrict all querysets

Browse Source
This commit is contained in:
Jeremy Stretch
2020-06-01 11:43:49 -04:00
parent 92ffe54214
commit 9a1d62db2b
9 changed files with 108 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
netbox/utilities/querysets.py
View File

@@ -28,15 +28,22 @@ class RestrictedQuerySet(QuerySet):
model_name = self.model._meta.model_name
permission_required = f'{app_label}.{action}_{model_name}'
# TODO: Handle anonymous users
if not user.is_authenticated:
return self
# Determine what constraints (if any) have been placed on this user for this action and model
# TODO: Find a better way to ensure permissions are cached
if not hasattr(user, '_object_perm_cache'):
user.get_all_permissions()
obj_perm_attrs = user._object_perm_cache[permission_required]
# User has not been granted any permission
if permission_required not in user._object_perm_cache:
return self.none()
# Filter the queryset to include only objects with allowed attributes
attrs = Q()
for perm_attrs in obj_perm_attrs:
for perm_attrs in user._object_perm_cache[permission_required]:
if perm_attrs:
attrs |= Q(**perm_attrs)