Fix ObjectPermission attribute consolidation

2024-05-10 07:54:54 +00:00 · 2020-05-12 16:40:04 -04:00
parent a275a30dca
commit 94d0ebbd7d
4 changed files with 8 additions and 8 deletions
--- a/netbox/netbox/authentication.py
+++ b/netbox/netbox/authentication.py
@ -28,7 +28,7 @@ class ObjectPermissionRequiredMixin(AccessMixin):
            attrs = ObjectPermission.objects.get_attr_constraints(self.request.user, self.permission_required)
            if attrs:
                # Update the view's QuerySet to filter only the permitted objects
-                self.queryset = self.queryset.filter(**attrs)
+                self.queryset = self.queryset.filter(attrs)
                return True

    def dispatch(self, request, *args, **kwargs):
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@ -213,9 +213,9 @@ class ObjectPermissionManager(models.Manager):
            **{f'can_{action}': True}
        )

-        attrs = {}
+        attrs = Q()
        for perm in qs:
-            attrs.update(perm.attrs)
+            attrs |= Q(**perm.attrs)

        return attrs

--- a/netbox/users/tests/test_permissions.py
+++ b/netbox/users/tests/test_permissions.py
@ -1,5 +1,5 @@
 from django.contrib.contenttypes.models import ContentType
-from django.contrib.auth.models import Permission, User
+from django.contrib.auth.models import User
 from django.test import TestCase, override_settings

 from dcim.models import Site
@ -7,7 +7,7 @@ from tenancy.models import Tenant
 from users.models import ObjectPermission


-class UserConfigTest(TestCase):
+class ObjectPermissionTest(TestCase):

    def setUp(self):

@ -41,7 +41,7 @@ class UserConfigTest(TestCase):
            can_view=True
        )
        object_perm.save()
-        self.user.object_permissions.add(object_perm)
+        object_perm.users.add(self.user)

        # The test user should have permission to view only the first site.
        self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
@ -54,7 +54,7 @@ class UserConfigTest(TestCase):
            can_view=True
        )
        object_perm.save()
-        self.user.object_permissions.add(object_perm)
+        object_perm.users.add(self.user)

        # The user should now able to view the first two sites, but not the third.
        self.assertTrue(self.user.has_perm('dcim.view_site', sites[0]))
--- a/netbox/utilities/auth_backends.py
+++ b/netbox/utilities/auth_backends.py
@ -90,7 +90,7 @@ class ObjectPermissionBackend(ModelBackend):

        # Attempt to retrieve the model from the database using the attributes defined in the
        # ObjectPermission. If we have a match, assert that the user has permission.
-        if model.objects.filter(pk=obj.pk, **attrs).exists():
+        if model.objects.filter(attrs, pk=obj.pk).exists():
            return True