mirror/netbox-community-netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2024-05-10 07:54:54 +00:00
Code Activity

Add object permission tests for get and list API views

Browse Source
This commit is contained in:
Jeremy Stretch
2020-05-20 16:47:33 -04:00
parent 8eb4d0a36b
commit 8c40148ca7
2 changed files with 128 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
netbox/utilities/api.py
View File

@@ -329,11 +329,15 @@ class ModelViewSet(_ModelViewSet):
if not request.user.is_authenticated or request.user.is_superuser:
return
permission_required = 'dcim.view_site'
# Determine the required permission
permission_required = "{}.view_{}".format(
self.queryset.model._meta.app_label,
self.queryset.model._meta.model_name
)
# Enforce object-level permissions
if permission_required not in self.request.user._perm_cache:
attrs = ObjectPermission.objects.get_attr_constraints(self.request.user, permission_required)
if permission_required not in {*request.user._user_perm_cache, *request.user._group_perm_cache}:
attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
if attrs:
# Update the view's QuerySet to filter only the permitted objects
self.queryset = self.queryset.filter(attrs)