2022-10-21 13:16:16 -04:00
|
|
|
from django.db.models import Prefetch, QuerySet
|
2020-05-29 15:09:08 -04:00
|
|
|
|
2022-07-01 13:34:10 -04:00
|
|
|
from users.constants import CONSTRAINT_TOKEN_USER
|
2022-07-01 11:38:39 -04:00
|
|
|
from utilities.permissions import permission_is_exempt, qs_filter_from_constraints
|
2020-06-01 13:09:34 -04:00
|
|
|
|
2020-05-29 15:09:08 -04:00
|
|
|
|
2022-10-21 13:16:16 -04:00
|
|
|
class RestrictedPrefetch(Prefetch):
|
|
|
|
|
"""
|
|
|
|
|
Extend Django's Prefetch to accept a user and action to be passed to the
|
|
|
|
|
`restrict()` method of the related object's queryset.
|
|
|
|
|
"""
|
|
|
|
|
def __init__(self, lookup, user, action='view', queryset=None, to_attr=None):
|
|
|
|
|
self.restrict_user = user
|
|
|
|
|
self.restrict_action = action
|
|
|
|
|
|
|
|
|
|
super().__init__(lookup, queryset=queryset, to_attr=to_attr)
|
|
|
|
|
|
|
|
|
|
def get_current_queryset(self, level):
|
|
|
|
|
params = {
|
|
|
|
|
'user': self.restrict_user,
|
|
|
|
|
'action': self.restrict_action,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if qs := super().get_current_queryset(level):
|
|
|
|
|
return qs.restrict(**params)
|
|
|
|
|
|
|
|
|
|
# Bit of a hack. If no queryset is defined, pass through the dict of restrict()
|
|
|
|
|
# kwargs to be handled by the field. This is necessary e.g. for GenericForeignKey
|
|
|
|
|
# fields, which do not permit setting a queryset on a Prefetch object.
|
|
|
|
|
return params
|
|
|
|
|
|
|
|
|
|
|
2020-05-29 15:09:08 -04:00
|
|
|
class RestrictedQuerySet(QuerySet):
|
|
|
|
|
|
2020-06-26 11:57:07 -04:00
|
|
|
def restrict(self, user, action='view'):
|
2020-05-29 15:09:08 -04:00
|
|
|
"""
|
|
|
|
|
Filter the QuerySet to return only objects on which the specified user has been granted the specified
|
|
|
|
|
permission.
|
|
|
|
|
|
|
|
|
|
:param user: User instance
|
2020-06-26 11:57:07 -04:00
|
|
|
:param action: The action which must be permitted (e.g. "view" for "dcim.view_site"); default is 'view'
|
2020-05-29 15:09:08 -04:00
|
|
|
"""
|
2020-06-01 10:45:49 -04:00
|
|
|
# Resolve the full name of the required permission
|
|
|
|
|
app_label = self.model._meta.app_label
|
|
|
|
|
model_name = self.model._meta.model_name
|
|
|
|
|
permission_required = f'{app_label}.{action}_{model_name}'
|
2020-05-29 15:09:08 -04:00
|
|
|
|
2020-06-01 13:09:34 -04:00
|
|
|
# Bypass restriction for superusers and exempt views
|
|
|
|
|
if user.is_superuser or permission_is_exempt(permission_required):
|
2020-06-16 10:25:37 -04:00
|
|
|
qs = self
|
2020-06-01 11:43:49 -04:00
|
|
|
|
2020-06-01 13:09:34 -04:00
|
|
|
# User is anonymous or has not been granted the requisite permission
|
2020-06-16 10:25:37 -04:00
|
|
|
elif not user.is_authenticated or permission_required not in user.get_all_permissions():
|
|
|
|
|
qs = self.none()
|
2020-05-29 15:09:08 -04:00
|
|
|
|
|
|
|
|
# Filter the queryset to include only objects with allowed attributes
|
2020-06-16 10:25:37 -04:00
|
|
|
else:
|
2022-07-01 13:34:10 -04:00
|
|
|
tokens = {
|
|
|
|
|
CONSTRAINT_TOKEN_USER: user,
|
|
|
|
|
}
|
|
|
|
|
attrs = qs_filter_from_constraints(user._object_perm_cache[permission_required], tokens)
|
2022-07-01 11:38:39 -04:00
|
|
|
# #8715: Avoid duplicates when JOIN on many-to-many fields without using DISTINCT.
|
|
|
|
|
# DISTINCT acts globally on the entire request, which may not be desirable.
|
|
|
|
|
allowed_objects = self.model.objects.filter(attrs)
|
|
|
|
|
qs = self.filter(pk__in=allowed_objects)
|
2020-06-16 10:25:37 -04:00
|
|
|
|
|
|
|
|
return qs
|
