Inicio Explorar Axuda
Iniciar sesión
LBP
/
netbox
réplica de https://github.com/netbox-community/netbox.git
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Fix up permissions evaluation

Jeremy Stretch %!s(int64=5) %!d(string=hai) anos
pai
a6a88a0d2e
achega
fb7446487e
Modificáronse 2 ficheiros con 6 adicións e 19 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 5 6
      netbox/utilities/api.py
  2. 1 13
      netbox/utilities/auth_backends.py

+ 5 - 6
netbox/utilities/api.py
Ver ficheiro 

@@ -340,12 +340,11 @@ class ModelViewSet(_ModelViewSet):
 
         permission_required = TokenPermissions.perms_map[request.method][0] % kwargs
 
 
         # Enforce object-level permissions
 
-        if permission_required not in {*request.user._user_perm_cache, *request.user._group_perm_cache}:
 
-            attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
 
-            if attrs:
 
-                # Update the view's QuerySet to filter only the permitted objects
 
-                self.queryset = self.queryset.filter(attrs)
 
-                return True
 
+        attrs = ObjectPermission.objects.get_attr_constraints(request.user, permission_required)
 
+        if attrs:
 
+            # Update the view's QuerySet to filter only the permitted objects
 
+            self.queryset = self.queryset.filter(attrs)
 
+            return True
 
 
     def dispatch(self, request, *args, **kwargs):
 
         logger = logging.getLogger('netbox.api.views.ModelViewSet')

+ 1 - 13
netbox/utilities/auth_backends.py
Ver ficheiro 

@@ -38,18 +38,6 @@ class ObjectPermissionBackend(ModelBackend):
 
 
         return user_obj._object_perm_cache
 
 
-    # def get_all_permissions(self, user_obj, obj=None):
 
-    #
 
-    #     # Handle inactive/anonymous users
 
-    #     if not user_obj.is_active or user_obj.is_anonymous:
 
-    #         return set()
 
-    #
 
-    #     # Cache object permissions on the User instance
 
-    #     if not hasattr(user_obj, '_perm_cache'):
 
-    #         user_obj._perm_cache = self.get_object_permissions(user_obj)
 
-    #
 
-    #     return user_obj._perm_cache
 
-
 
     def has_perm(self, user_obj, perm, obj=None):
 
         # print(f'has_perm({perm})')
 
         app_label, codename = perm.split('.')
 
@@ -92,7 +80,7 @@ class ObjectPermissionBackend(ModelBackend):
 
         obj_perm_attrs = self.get_object_permissions(user_obj)[perm]
 
         attrs = Q()
 
         for perm_attrs in obj_perm_attrs:
 
-            attrs |= Q(**perm_attrs.attrs)
 
+            attrs |= Q(**perm_attrs)
 
 
         # Permission to perform the requested action on the object depends on whether the specified object matches
 
         # the specified attributes. Note that this check is made against the *database* record representing the object,