netbox-community-netbox/netbox/utilities/querysets.py

from django.db.models import Q, QuerySet

from utilities.permissions import permission_is_exempt


class DummyQuerySet:
    """
    A fake QuerySet that can be used to cache relationships to objects that have been deleted.
    """
    def __init__(self, queryset):
        self._cache = [obj for obj in queryset.all()]

    def all(self):
        return self._cache


class RestrictedQuerySet(QuerySet):

    def restrict(self, user, action):
        """
        Filter the QuerySet to return only objects on which the specified user has been granted the specified
        permission.

        :param user: User instance
        :param action: The action which must be permitted (e.g. "view" for "dcim.view_site")
        """
        # Resolve the full name of the required permission
        app_label = self.model._meta.app_label
        model_name = self.model._meta.model_name
        permission_required = f'{app_label}.{action}_{model_name}'

        # Bypass restriction for superusers and exempt views
        if user.is_superuser or permission_is_exempt(permission_required):
            return self

        # User is anonymous or has not been granted the requisite permission
        if not user.is_authenticated or permission_required not in user.get_all_permissions():
            return self.none()

        # Filter the queryset to include only objects with allowed attributes
        attrs = Q()
        for perm_attrs in user._object_perm_cache[permission_required]:
            if perm_attrs:
                attrs |= Q(**perm_attrs)

        return self.filter(attrs)
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`from django.db.models import Q, QuerySet`

Refine queryset restriction logic 2020-06-01 13:09:34 -04:00			`from utilities.permissions import permission_is_exempt`

Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
Rewrote ObjectChangeMiddleware to remove the curried handle_deleted_object() function 2019-10-22 14:36:30 -04:00			`class DummyQuerySet:`
			`"""`
			`A fake QuerySet that can be used to cache relationships to objects that have been deleted.`
			`"""`
			`def __init__(self, queryset):`
			`self._cache = [obj for obj in queryset.all()]`

			`def all(self):`
			`return self._cache`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00

			`class RestrictedQuerySet(QuerySet):`

Tweak restrict() to accept only an action keyword 2020-06-01 10:45:49 -04:00			`def restrict(self, user, action):`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`"""`
			`Filter the QuerySet to return only objects on which the specified user has been granted the specified`
			`permission.`

			`:param user: User instance`
Tweak restrict() to accept only an action keyword 2020-06-01 10:45:49 -04:00			`:param action: The action which must be permitted (e.g. "view" for "dcim.view_site")`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`"""`
Tweak restrict() to accept only an action keyword 2020-06-01 10:45:49 -04:00			`# Resolve the full name of the required permission`
			`app_label = self.model._meta.app_label`
			`model_name = self.model._meta.model_name`
			`permission_required = f'{app_label}.{action}_{model_name}'`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
Refine queryset restriction logic 2020-06-01 13:09:34 -04:00			`# Bypass restriction for superusers and exempt views`
			`if user.is_superuser or permission_is_exempt(permission_required):`
Update views to restrict all querysets 2020-06-01 11:43:49 -04:00			`return self`

Refine queryset restriction logic 2020-06-01 13:09:34 -04:00			`# User is anonymous or has not been granted the requisite permission`
			`if not user.is_authenticated or permission_required not in user.get_all_permissions():`
Update views to restrict all querysets 2020-06-01 11:43:49 -04:00			`return self.none()`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
			`# Filter the queryset to include only objects with allowed attributes`
			`attrs = Q()`
Update views to restrict all querysets 2020-06-01 11:43:49 -04:00			`for perm_attrs in user._object_perm_cache[permission_required]:`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`if perm_attrs:`
			`attrs \|= Q(**perm_attrs)`

			`return self.filter(attrs)`