Protect views from viewing if the user has no right to view an object

2020-03-19 02:26:06 +01:00 · 2020-03-19 02:26:06 +01:00 · 730d37c620
commit 730d37c620
parent e461d70b14
9 changed files with 116 additions and 35 deletions
--- a/apps/api/viewsets.py
+++ b/apps/api/viewsets.py
@ -13,7 +13,7 @@ class ReadProtectedModelViewSet(viewsets.ModelViewSet):

    def get_queryset(self):
        model = ContentType.objects.get_for_model(self.serializer_class.Meta.model)
-        return super().get_queryset().filter(PermissionBackend().filter_queryset(self.request.user, model, "view"))
+        return super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, model, "view"))


 class ReadOnlyProtectedModelViewSet(viewsets.ReadOnlyModelViewSet):
@ -23,4 +23,4 @@ class ReadOnlyProtectedModelViewSet(viewsets.ReadOnlyModelViewSet):

    def get_queryset(self):
        model = ContentType.objects.get_for_model(self.serializer_class.Meta.model)
-        return super().get_queryset().filter(PermissionBackend().filter_queryset(self.request.user, model, "view"))
+        return super().get_queryset().filter(PermissionBackend.filter_queryset(self.request.user, model, "view"))