netbox-community-netbox/netbox/utilities/querysets.py

import logging

from django.db.models import Q, QuerySet

from utilities.permissions import permission_is_exempt


class DummyQuerySet:
    """
    A fake QuerySet that can be used to cache relationships to objects that have been deleted.
    """
    def __init__(self, queryset):
        self._cache = [obj for obj in queryset.all()]

    def __iter__(self):
        return iter(self._cache)

    def all(self):
        return self._cache


class RestrictedQuerySet(QuerySet):

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

        # Initialize the allow_evaluation flag to False. This indicates that the QuerySet has not yet been restricted.
        self.allow_evaluation = False

    def _check_restriction(self):
        # Raise a warning if the QuerySet is evaluated without first calling restrict() or unrestricted().
        if not getattr(self, 'allow_evaluation', False):
            logger = logging.getLogger('netbox.RestrictedQuerySet')
            logger.warning(
                f'Evaluation of RestrictedQuerySet prior to calling restrict() or unrestricted(): {self.model}'
            )

    def _clone(self):

        # Persist the allow_evaluation flag when cloning the QuerySet.
        c = super()._clone()
        c.allow_evaluation = self.allow_evaluation

        return c

    def _fetch_all(self):
        self._check_restriction()
        return super()._fetch_all()

    def count(self):
        self._check_restriction()
        return super().count()

    def unrestricted(self):
        """
        Bypass restriction for the QuerySet. This is necessary in cases where we are not interacting with the objects
        directly (e.g. when filtering by related object).
        """
        self.allow_evaluation = True
        return self

    def restrict(self, user, action):
        """
        Filter the QuerySet to return only objects on which the specified user has been granted the specified
        permission.

        :param user: User instance
        :param action: The action which must be permitted (e.g. "view" for "dcim.view_site")
        """
        # Resolve the full name of the required permission
        app_label = self.model._meta.app_label
        model_name = self.model._meta.model_name
        permission_required = f'{app_label}.{action}_{model_name}'

        # Bypass restriction for superusers and exempt views
        if user.is_superuser or permission_is_exempt(permission_required):
            qs = self

        # User is anonymous or has not been granted the requisite permission
        elif not user.is_authenticated or permission_required not in user.get_all_permissions():
            qs = self.none()

        # Filter the queryset to include only objects with allowed attributes
        else:
            attrs = Q()
            for perm_attrs in user._object_perm_cache[permission_required]:
                if perm_attrs:
                    attrs |= Q(**perm_attrs)
            qs = self.filter(attrs)

        # Allow QuerySet evaluation
        qs.allow_evaluation = True

        return qs
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`import logging`

Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`from django.db.models import Q, QuerySet`

Refine queryset restriction logic 2020-06-01 13:09:34 -04:00			`from utilities.permissions import permission_is_exempt`

Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
Rewrote ObjectChangeMiddleware to remove the curried handle_deleted_object() function 2019-10-22 14:36:30 -04:00			`class DummyQuerySet:`
			`"""`
			`A fake QuerySet that can be used to cache relationships to objects that have been deleted.`
			`"""`
			`def __init__(self, queryset):`
			`self._cache = [obj for obj in queryset.all()]`

DummyQuerySet should be iterable to allow for serialization 2020-06-17 12:20:56 -04:00			`def __iter__(self):`
			`return iter(self._cache)`

Rewrote ObjectChangeMiddleware to remove the curried handle_deleted_object() function 2019-10-22 14:36:30 -04:00			`def all(self):`
			`return self._cache`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00

			`class RestrictedQuerySet(QuerySet):`

Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`def __init__(self, args, *kwargs):`
			`super().__init__(args, *kwargs)`

Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`# Initialize the allow_evaluation flag to False. This indicates that the QuerySet has not yet been restricted.`
			`self.allow_evaluation = False`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00
			`def _check_restriction(self):`
Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`# Raise a warning if the QuerySet is evaluated without first calling restrict() or unrestricted().`
			`if not getattr(self, 'allow_evaluation', False):`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`logger = logging.getLogger('netbox.RestrictedQuerySet')`
Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`logger.warning(`
			`f'Evaluation of RestrictedQuerySet prior to calling restrict() or unrestricted(): {self.model}'`
			`)`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00
			`def _clone(self):`

Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`# Persist the allow_evaluation flag when cloning the QuerySet.`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`c = super()._clone()`
Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`c.allow_evaluation = self.allow_evaluation`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00
			`return c`

			`def _fetch_all(self):`
			`self._check_restriction()`
			`return super()._fetch_all()`

			`def count(self):`
			`self._check_restriction()`
			`return super().count()`

Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`def unrestricted(self):`
			`"""`
			`Bypass restriction for the QuerySet. This is necessary in cases where we are not interacting with the objects`
			`directly (e.g. when filtering by related object).`
			`"""`
			`self.allow_evaluation = True`
			`return self`

Tweak restrict() to accept only an action keyword 2020-06-01 10:45:49 -04:00			`def restrict(self, user, action):`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`"""`
			`Filter the QuerySet to return only objects on which the specified user has been granted the specified`
			`permission.`

			`:param user: User instance`
Tweak restrict() to accept only an action keyword 2020-06-01 10:45:49 -04:00			`:param action: The action which must be permitted (e.g. "view" for "dcim.view_site")`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00			`"""`
Tweak restrict() to accept only an action keyword 2020-06-01 10:45:49 -04:00			`# Resolve the full name of the required permission`
			`app_label = self.model._meta.app_label`
			`model_name = self.model._meta.model_name`
			`permission_required = f'{app_label}.{action}_{model_name}'`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
Refine queryset restriction logic 2020-06-01 13:09:34 -04:00			`# Bypass restriction for superusers and exempt views`
			`if user.is_superuser or permission_is_exempt(permission_required):`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`qs = self`
Update views to restrict all querysets 2020-06-01 11:43:49 -04:00
Refine queryset restriction logic 2020-06-01 13:09:34 -04:00			`# User is anonymous or has not been granted the requisite permission`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`elif not user.is_authenticated or permission_required not in user.get_all_permissions():`
			`qs = self.none()`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
			`# Filter the queryset to include only objects with allowed attributes`
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`else:`
			`attrs = Q()`
			`for perm_attrs in user._object_perm_cache[permission_required]:`
			`if perm_attrs:`
			`attrs \|= Q(**perm_attrs)`
			`qs = self.filter(attrs)`

Introduce unrestricted() method on RestrictedQuerySet 2020-06-16 12:20:21 -04:00			`# Allow QuerySet evaluation`
			`qs.allow_evaluation = True`
Move restrict_queryset() function to RestrictedQuerySet 2020-05-29 15:09:08 -04:00
Catch and log evaluation of RestrictedQuerySet without calling restrict() 2020-06-16 10:25:37 -04:00			`return qs`