Introduce restrict_form_fields() to automatically restrict field querysets based on user

2024-05-10 07:54:54 +00:00 · 2020-06-26 13:59:53 -04:00
parent 8412f9481c
commit edc65a6a34
2 changed files with 14 additions and 1 deletions
--- a/netbox/utilities/forms.py
+++ b/netbox/utilities/forms.py
@ -15,6 +15,7 @@ from django.forms import BoundField
 from django.forms.models import fields_for_model
 from django.urls import reverse

+from utilities.querysets import RestrictedQuerySet
 from .choices import ColorChoices, unpack_grouped_choices
 from .validators import EnhancedURLValidator

@ -138,6 +139,16 @@ def form_from_model(model, fields):
    return type('FormFromModel', (forms.Form,), form_fields)


+def restrict_form_fields(form, user, action='view'):
+    """
+    Restrict all form fields which reference a RestrictedQuerySet. This ensures that users see only permitted objects
+    as available choices.
+    """
+    for field in form.fields.values():
+        if hasattr(field, 'queryset') and issubclass(field.queryset.__class__, RestrictedQuerySet):
+            field.queryset = field.queryset.restrict(user, action)
+
+
 #
 # Widgets
 #
--- a/netbox/utilities/views.py
+++ b/netbox/utilities/views.py
@ -28,7 +28,7 @@ from django_tables2 import RequestConfig
 from extras.models import CustomField, CustomFieldValue, ExportTemplate
 from extras.querysets import CustomFieldQueryset
 from utilities.exceptions import AbortTransaction
-from utilities.forms import BootstrapMixin, BulkRenameForm, CSVDataField, TableConfigForm
+from utilities.forms import BootstrapMixin, BulkRenameForm, CSVDataField, TableConfigForm, restrict_form_fields
 from utilities.permissions import get_permission_for_model, resolve_permission
 from utilities.utils import csv_format, prepare_cloned_fields
 from .error_handlers import handle_protectederror
@ -352,6 +352,7 @@ class ObjectEditView(GetReturnURLMixin, ObjectPermissionRequiredMixin, View):
        # Parse initial data manually to avoid setting field values as lists
        initial_data = {k: request.GET[k] for k in request.GET}
        form = self.model_form(instance=obj, initial=initial_data)
+        restrict_form_fields(form, request.user)

        return render(request, self.template_name, {
            'obj': obj,
@ -368,6 +369,7 @@ class ObjectEditView(GetReturnURLMixin, ObjectPermissionRequiredMixin, View):
            files=request.FILES,
            instance=obj
        )
+        restrict_form_fields(form, request.user)

        if form.is_valid():
            logger.debug("Form validation was successful")