Tweak restrict() to accept only an action keyword

2024-05-10 07:54:54 +00:00 · 2020-06-01 10:45:49 -04:00
parent e23b2c4c4f
commit 5574aaa8cb
3 changed files with 20 additions and 11 deletions
--- a/netbox/utilities/api.py
+++ b/netbox/utilities/api.py
@@ -330,16 +330,20 @@ class ModelViewSet(_ModelViewSet):
        if not request.user.is_authenticated or request.user.is_superuser:
            return

-        # TODO: Move this to a cleaner function
-        # Determine the required permission based on the request method
-        kwargs = {
-            'app_label': self.queryset.model._meta.app_label,
-            'model_name': self.queryset.model._meta.model_name
-        }
-        permission_required = TokenPermissions.perms_map[request.method][0] % kwargs
+        # TODO: Reconcile this with TokenPermissions.perms_map
+        action = {
+            'GET': 'view',
+            'OPTIONS': None,
+            'HEAD': 'view',
+            'POST': 'add',
+            'PUT': 'change',
+            'PATCH': 'change',
+            'DELETE': 'delete',
+        }[request.method]

        # Restrict the view's QuerySet to allow only the permitted objects
-        self.queryset = self.queryset.restrict(request.user, permission_required)
+        if action:
+            self.queryset = self.queryset.restrict(request.user, action)

    def dispatch(self, request, *args, **kwargs):
        logger = logging.getLogger('netbox.api.views.ModelViewSet')