From daf6c8e327ff3128449a3add684a76bd7fef4268 Mon Sep 17 00:00:00 2001
From: jeremystretch <jstretch@ns1.com>
Date: Fri, 12 Nov 2021 08:23:58 -0500
Subject: [PATCH] Fixes #7814: Fix restriction of user & group objects in
 GraphQL API queries

---
 docs/release-notes/version-3.0.md | 1 +
 netbox/users/graphql/types.py     | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/release-notes/version-3.0.md b/docs/release-notes/version-3.0.md
index 03a4d3a59..324cda952 100644
--- a/docs/release-notes/version-3.0.md
+++ b/docs/release-notes/version-3.0.md
@@ -22,6 +22,7 @@
 * [#7802](https://github.com/netbox-community/netbox/issues/7802) - Differentiate ID and VID columns in VLANs table
 * [#7808](https://github.com/netbox-community/netbox/issues/7808) - Fix reference values for content type under custom field import form
 * [#7809](https://github.com/netbox-community/netbox/issues/7809) - Add missing export template support for various models
+* [#7814](https://github.com/netbox-community/netbox/issues/7814) - Fix restriction of user & group objects in GraphQL API queries
 
 ---
 
diff --git a/netbox/users/graphql/types.py b/netbox/users/graphql/types.py
index 3315744b9..d948686c6 100644
--- a/netbox/users/graphql/types.py
+++ b/netbox/users/graphql/types.py
@@ -19,7 +19,7 @@ class GroupType(DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return RestrictedQuerySet(model=Group)
+        return RestrictedQuerySet(model=Group).restrict(info.context.user, 'view')
 
 
 class UserType(DjangoObjectType):
@@ -34,4 +34,4 @@ class UserType(DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return RestrictedQuerySet(model=User)
+        return RestrictedQuerySet(model=User).restrict(info.context.user, 'view')