NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-07-21 03:27:21 -06:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Introduce restrict_form_fields() to automatically restrict field querysets based on user

Browse Source
This commit is contained in:
Jeremy Stretch 2020-06-26 13:59:53 -04:00
parent 8412f9481c
commit edc65a6a34
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
netbox/utilities/forms.py
View File

@ -15,6 +15,7 @@ from django.forms import BoundField
from django.forms.models import fields_for_model from django.forms.models import fields_for_model
from django.urls import reverse from django.urls import reverse
from utilities.querysets import RestrictedQuerySet
from .choices import ColorChoices, unpack_grouped_choices from .choices import ColorChoices, unpack_grouped_choices
from .validators import EnhancedURLValidator from .validators import EnhancedURLValidator
@ -138,6 +139,16 @@ def form_from_model(model, fields):
return type('FormFromModel', (forms.Form,), form_fields) return type('FormFromModel', (forms.Form,), form_fields)
def restrict_form_fields(form, user, action='view'):
"""
Restrict all form fields which reference a RestrictedQuerySet. This ensures that users see only permitted objects
as available choices.
"""
for field in form.fields.values():
if hasattr(field, 'queryset') and issubclass(field.queryset.__class__, RestrictedQuerySet):
field.queryset = field.queryset.restrict(user, action)
# #
# Widgets # Widgets
# #

4
netbox/utilities/views.py
View File

@ -28,7 +28,7 @@ from django_tables2 import RequestConfig
from extras.models import CustomField, CustomFieldValue, ExportTemplate from extras.models import CustomField, CustomFieldValue, ExportTemplate
from extras.querysets import CustomFieldQueryset from extras.querysets import CustomFieldQueryset
from utilities.exceptions import AbortTransaction from utilities.exceptions import AbortTransaction
from utilities.forms import BootstrapMixin, BulkRenameForm, CSVDataField, TableConfigForm from utilities.forms import BootstrapMixin, BulkRenameForm, CSVDataField, TableConfigForm, restrict_form_fields
from utilities.permissions import get_permission_for_model, resolve_permission from utilities.permissions import get_permission_for_model, resolve_permission
from utilities.utils import csv_format, prepare_cloned_fields from utilities.utils import csv_format, prepare_cloned_fields
from .error_handlers import handle_protectederror from .error_handlers import handle_protectederror
@ -352,6 +352,7 @@ class ObjectEditView(GetReturnURLMixin, ObjectPermissionRequiredMixin, View):
# Parse initial data manually to avoid setting field values as lists # Parse initial data manually to avoid setting field values as lists
initial_data = {k: request.GET[k] for k in request.GET} initial_data = {k: request.GET[k] for k in request.GET}
form = self.model_form(instance=obj, initial=initial_data) form = self.model_form(instance=obj, initial=initial_data)
restrict_form_fields(form, request.user)
return render(request, self.template_name, { return render(request, self.template_name, {
'obj': obj, 'obj': obj,
@ -368,6 +369,7 @@ class ObjectEditView(GetReturnURLMixin, ObjectPermissionRequiredMixin, View):
files=request.FILES, files=request.FILES,
instance=obj instance=obj
) )
restrict_form_fields(form, request.user)
if form.is_valid(): if form.is_valid():
logger.debug("Form validation was successful") logger.debug("Form validation was successful")