inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2026-04-03 18:11:10 +00:00
Code Activity

Restrict queryset for DataImportSession (#11602)

Browse Source 
* Restrict queryset for DataImportSession

- Only allow non-staff users to see their own sessions

* Add unit test

* raise PermissionDenied if no user info available
This commit is contained in:
Oliver
2026-03-24 23:28:58 +11:00
committed by GitHub
parent 4865a2b2a0
commit b98fc9c7a0
3 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/backend/InvenTree/common/api.py
View File

@@ -1185,7 +1185,7 @@ class DataOutputEndpointMixin:
try: try:
user = self.request.user user = self.request.user
except AttributeError: except AttributeError:
return common.models.DataOutput.objects.none() raise PermissionDenied('User information is not available')
# Allow staff users access to all DataOutput objects # Allow staff users access to all DataOutput objects
if user.is_staff: if user.is_staff:

16
src/backend/InvenTree/importer/api.py
View File

@@ -73,6 +73,22 @@ class DataImportSessionMixin:
serializer_class = importer.serializers.DataImportSessionSerializer serializer_class = importer.serializers.DataImportSessionSerializer
permission_classes = [InvenTree.permissions.DataImporterPermission] permission_classes = [InvenTree.permissions.DataImporterPermission]
def get_queryset(self):
"""Return the set of DataImportSession objects that the user has permission to view."""
queryset = super().get_queryset()
try:
user = self.request.user
except AttributeError:
raise PermissionDenied('User information is not available')
# Allow staff users access to all DataImportSession objects
if user.is_staff:
return queryset
# For non-staff users, only allow access to sessions that they have created
return queryset.filter(user=user)
class DataImportSessionList(BulkDeleteMixin, DataImportSessionMixin, ListCreateAPI): class DataImportSessionList(BulkDeleteMixin, DataImportSessionMixin, ListCreateAPI):
"""API endpoint for accessing a list of DataImportSession objects.""" """API endpoint for accessing a list of DataImportSession objects."""

30
src/backend/InvenTree/importer/tests.py
View File

@@ -174,6 +174,36 @@ class ImportAPITest(ImporterMixin, InvenTreeAPITestCase):
# Check that there are new database records # Check that there are new database records
self.assertEqual(PartCategory.objects.count(), N + 4) self.assertEqual(PartCategory.objects.count(), N + 4)
def test_session_list(self):
"""Test API endpoint which details the list of import sessions."""
url = reverse('api-importer-session-list')
# Construct a dummy file
f = self.helper_file('companies.csv')
for ii in range(5):
DataImportSession.objects.create(
data_file=f,
model_type='company',
user=self.user if ii % 2 == 0 else None,
)
# Staff user should see all sessions
self.user.is_staff = True
self.user.save()
response = self.get(url)
self.assertEqual(len(response.data), 5)
# Non-staff user should only see sessions which they own
self.user.is_staff = False
self.user.save()
response = self.get(url)
self.assertEqual(len(response.data), 3)
for session in response.data:
self.assertEqual(session['user'], self.user.pk)
class AdminTest(ImporterMixin, AdminTestCase): class AdminTest(ImporterMixin, AdminTestCase):
"""Tests for the admin interface integration.""" """Tests for the admin interface integration."""