Fix ObjectPermission attribute consolidation

netbox/netbox/authentication.py

@@ -28,7 +28,7 @@ class ObjectPermissionRequiredMixin(AccessMixin):
             attrs = ObjectPermission.objects.get_attr_constraints(self.request.user, self.permission_required)
             if attrs:
                 # Update the view's QuerySet to filter only the permitted objects
-                self.queryset = self.queryset.filter(**attrs)
+                self.queryset = self.queryset.filter(attrs)
                 return True
 
     def dispatch(self, request, *args, **kwargs):

netbox/users/models.py

@@ -213,9 +213,9 @@ class ObjectPermissionManager(models.Manager):
             **{f'can_{action}': True}
         )
 
-        attrs = {}
+        attrs = Q()
         for perm in qs:
-            attrs.update(perm.attrs)
+            attrs |= Q(**perm.attrs)
 
         return attrs
 

netbox/users/tests/test_permissions.py

@@ -1,5 +1,5 @@
 from django.contrib.contenttypes.models import ContentType
-from django.contrib.auth.models import Permission, User
+from django.contrib.auth.models import User
 from django.test import TestCase, override_settings
 
 from dcim.models import Site
@@ -7,7 +7,7 @@ from tenancy.models import Tenant
 from users.models import ObjectPermission
 
 
-class UserConfigTest(TestCase):
+class ObjectPermissionTest(TestCase):
 
     def setUp(self):
 
@@ -41,7 +41,7 @@ class UserConfigTest(TestCase):
             can_view=True
         )
         object_perm.save()
-        self.user.object_permissions.add(object_perm)
+        object_perm.users.add(self.user)
 
         # The test user should have permission to view only the first site.
         self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
@@ -54,7 +54,7 @@ class UserConfigTest(TestCase):
             can_view=True
         )
         object_perm.save()
-        self.user.object_permissions.add(object_perm)
+        object_perm.users.add(self.user)
 
         # The user should now able to view the first two sites, but not the third.
         self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))

netbox/utilities/auth_backends.py

@@ -90,7 +90,7 @@ class ObjectPermissionBackend(ModelBackend):
 
         # Attempt to retrieve the model from the database using the attributes defined in the
         # ObjectPermission. If we have a match, assert that the user has permission.
-        if model.objects.filter(pk=obj.pk, **attrs).exists():
+        if model.objects.filter(attrs, pk=obj.pk).exists():
             return True