From 94d0ebbd7df8f45c7206edadeac02fa9fcfb9266 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch <stretch@packetlife.net>
Date: Tue, 12 May 2020 16:40:04 -0400
Subject: [PATCH] Fix ObjectPermission attribute consolidation

---
 netbox/netbox/authentication.py        | 2 +-
 netbox/users/models.py                 | 4 ++--
 netbox/users/tests/test_permissions.py | 8 ++++----
 netbox/utilities/auth_backends.py      | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/netbox/netbox/authentication.py b/netbox/netbox/authentication.py
index 0b896969b..2854d4cb9 100644
--- a/netbox/netbox/authentication.py
+++ b/netbox/netbox/authentication.py
@@ -28,7 +28,7 @@ class ObjectPermissionRequiredMixin(AccessMixin):
             attrs = ObjectPermission.objects.get_attr_constraints(self.request.user, self.permission_required)
             if attrs:
                 # Update the view's QuerySet to filter only the permitted objects
-                self.queryset = self.queryset.filter(**attrs)
+                self.queryset = self.queryset.filter(attrs)
                 return True
 
     def dispatch(self, request, *args, **kwargs):
diff --git a/netbox/users/models.py b/netbox/users/models.py
index 452e91c21..70e7254e6 100644
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@@ -213,9 +213,9 @@ class ObjectPermissionManager(models.Manager):
             **{f'can_{action}': True}
         )
 
-        attrs = {}
+        attrs = Q()
         for perm in qs:
-            attrs.update(perm.attrs)
+            attrs |= Q(**perm.attrs)
 
         return attrs
 
diff --git a/netbox/users/tests/test_permissions.py b/netbox/users/tests/test_permissions.py
index f73fd8f43..487543bd3 100644
--- a/netbox/users/tests/test_permissions.py
+++ b/netbox/users/tests/test_permissions.py
@@ -1,5 +1,5 @@
 from django.contrib.contenttypes.models import ContentType
-from django.contrib.auth.models import Permission, User
+from django.contrib.auth.models import User
 from django.test import TestCase, override_settings
 
 from dcim.models import Site
@@ -7,7 +7,7 @@ from tenancy.models import Tenant
 from users.models import ObjectPermission
 
 
-class UserConfigTest(TestCase):
+class ObjectPermissionTest(TestCase):
 
     def setUp(self):
 
@@ -41,7 +41,7 @@ class UserConfigTest(TestCase):
             can_view=True
         )
         object_perm.save()
-        self.user.object_permissions.add(object_perm)
+        object_perm.users.add(self.user)
 
         # The test user should have permission to view only the first site.
         self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
@@ -54,7 +54,7 @@ class UserConfigTest(TestCase):
             can_view=True
         )
         object_perm.save()
-        self.user.object_permissions.add(object_perm)
+        object_perm.users.add(self.user)
 
         # The user should now able to view the first two sites, but not the third.
         self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
diff --git a/netbox/utilities/auth_backends.py b/netbox/utilities/auth_backends.py
index 49dd8d0aa..9e56fd16c 100644
--- a/netbox/utilities/auth_backends.py
+++ b/netbox/utilities/auth_backends.py
@@ -90,7 +90,7 @@ class ObjectPermissionBackend(ModelBackend):
 
         # Attempt to retrieve the model from the database using the attributes defined in the
         # ObjectPermission. If we have a match, assert that the user has permission.
-        if model.objects.filter(pk=obj.pk, **attrs).exists():
+        if model.objects.filter(attrs, pk=obj.pk).exists():
             return True