Introduce qs_filter_from_constraints() for constructing object permission QS filters

2024-05-10 07:54:54 +00:00 · 2022-07-01 11:38:39 -04:00
parent ad5fd01ea4
commit c6dfdf10e5
3 changed files with 40 additions and 33 deletions
--- a/netbox/utilities/querysets.py
+++ b/netbox/utilities/querysets.py
@ -1,6 +1,6 @@
-from django.db.models import Q, QuerySet
+from django.db.models import QuerySet

-from utilities.permissions import permission_is_exempt
+from utilities.permissions import permission_is_exempt, qs_filter_from_constraints


 class RestrictedQuerySet(QuerySet):
@ -28,23 +28,10 @@ class RestrictedQuerySet(QuerySet):

        # Filter the queryset to include only objects with allowed attributes
        else:
-            attrs = Q()
-            for perm_attrs in user._object_perm_cache[permission_required]:
-                if type(perm_attrs) is list:
-                    for p in perm_attrs:
-                        attrs |= Q(**p)
-                elif perm_attrs:
-                    attrs |= Q(**perm_attrs)
-                else:
-                    # Any permission with null constraints grants access to _all_ instances
-                    attrs = Q()
-                    break
-            else:
-                # for else, when no break
-                # avoid duplicates when JOIN on many-to-many fields without using DISTINCT.
-                # DISTINCT acts globally on the entire request, which may not be desirable.
-                allowed_objects = self.model.objects.filter(attrs)
-                attrs = Q(pk__in=allowed_objects)
-            qs = self.filter(attrs)
+            attrs = qs_filter_from_constraints(user._object_perm_cache[permission_required])
+            # #8715: Avoid duplicates when JOIN on many-to-many fields without using DISTINCT.
+            # DISTINCT acts globally on the entire request, which may not be desirable.
+            allowed_objects = self.model.objects.filter(attrs)
+            qs = self.filter(pk__in=allowed_objects)

        return qs