NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-07-22 20:12:00 -06:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Fix up permissions evaluation

Browse Source
This commit is contained in:
Jeremy Stretch 2020-05-27 11:31:07 -04:00
parent a6a88a0d2e
commit fb7446487e
2 changed files with 6 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
netbox/utilities/api.py
View File

@ -340,12 +340,11 @@ class ModelViewSet(_ModelViewSet):
permission_required = TokenPermissions.perms_map[request.method][0] % kwargs permission_required = TokenPermissions.perms_map[request.method][0] % kwargs
# Enforce object-level permissions # Enforce object-level permissions
if permission_required not in {*request.user._user_perm_cache, *request.user._group_perm_cache}: attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required) if attrs:
if attrs: # Update the view's QuerySet to filter only the permitted objects
# Update the view's QuerySet to filter only the permitted objects self.queryset = self.queryset.filter(attrs)
self.queryset = self.queryset.filter(attrs) return True
return True
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
logger = logging.getLogger('netbox.api.views.ModelViewSet') logger = logging.getLogger('netbox.api.views.ModelViewSet')

14
netbox/utilities/auth_backends.py
View File

@ -38,18 +38,6 @@ class ObjectPermissionBackend(ModelBackend):
return user_obj._object_perm_cache return user_obj._object_perm_cache
# def get_all_permissions(self, user_obj, obj=None):
#
# # Handle inactive/anonymous users
# if not user_obj.is_active or user_obj.is_anonymous:
# return set()
#
# # Cache object permissions on the User instance
# if not hasattr(user_obj, '_perm_cache'):
# user_obj._perm_cache = self.get_object_permissions(user_obj)
#
# return user_obj._perm_cache
def has_perm(self, user_obj, perm, obj=None): def has_perm(self, user_obj, perm, obj=None):
# print(f'has_perm({perm})') # print(f'has_perm({perm})')
app_label, codename = perm.split('.') app_label, codename = perm.split('.')
@ -92,7 +80,7 @@ class ObjectPermissionBackend(ModelBackend):
obj_perm_attrs = self.get_object_permissions(user_obj)[perm] obj_perm_attrs = self.get_object_permissions(user_obj)[perm]
attrs = Q() attrs = Q()
for perm_attrs in obj_perm_attrs: for perm_attrs in obj_perm_attrs:
attrs |= Q(**perm_attrs.attrs) attrs |= Q(**perm_attrs)
# Permission to perform the requested action on the object depends on whether the specified object matches # Permission to perform the requested action on the object depends on whether the specified object matches
# the specified attributes. Note that this check is made against the *database* record representing the object, # the specified attributes. Note that this check is made against the *database* record representing the object,