Fix up permissions evaluation

2025-07-22 12:06:53 -06:00 · 2020-05-27 11:31:07 -04:00 · 2020-05-27 11:31:07 -04:00 · fb7446487e
commit fb7446487e
parent a6a88a0d2e
2 changed files with 6 additions and 19 deletions
--- a/netbox/utilities/api.py
+++ b/netbox/utilities/api.py
@ -340,12 +340,11 @@ class ModelViewSet(_ModelViewSet):
        permission_required = TokenPermissions.perms_map[request.method][0] % kwargs

        # Enforce object-level permissions
-        if permission_required not in {*request.user._user_perm_cache, *request.user._group_perm_cache}:
-            attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
-            if attrs:
-                # Update the view's QuerySet to filter only the permitted objects
-                self.queryset = self.queryset.filter(attrs)
-                return True
+        attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
+        if attrs:
+            # Update the view's QuerySet to filter only the permitted objects
+            self.queryset = self.queryset.filter(attrs)
+            return True

    def dispatch(self, request, *args, **kwargs):
        logger = logging.getLogger('netbox.api.views.ModelViewSet')
--- a/netbox/utilities/auth_backends.py
+++ b/netbox/utilities/auth_backends.py
@ -38,18 +38,6 @@ class ObjectPermissionBackend(ModelBackend):

        return user_obj._object_perm_cache

-    # def get_all_permissions(self, user_obj, obj=None):
-    #
-    #     # Handle inactive/anonymous users
-    #     if not user_obj.is_active or user_obj.is_anonymous:
-    #         return set()
-    #
-    #     # Cache object permissions on the User instance
-    #     if not hasattr(user_obj, '_perm_cache'):
-    #         user_obj._perm_cache = self.get_object_permissions(user_obj)
-    #
-    #     return user_obj._perm_cache
-
    def has_perm(self, user_obj, perm, obj=None):
        # print(f'has_perm({perm})')
        app_label, codename = perm.split('.')
@ -92,7 +80,7 @@ class ObjectPermissionBackend(ModelBackend):
        obj_perm_attrs = self.get_object_permissions(user_obj)[perm]
        attrs = Q()
        for perm_attrs in obj_perm_attrs:
-            attrs |= Q(**perm_attrs.attrs)
+            attrs |= Q(**perm_attrs)

        # Permission to perform the requested action on the object depends on whether the specified object matches
        # the specified attributes. Note that this check is made against the *database* record representing the object,