Adjust DataOutput API endpoint (#11580)

* DataOutput API fix - Prevent non-staff users from accessing unrelated DataOutput instances * Add unit tests
2026-04-02 01:21:17 +00:00 · 2026-03-21 15:14:59 +11:00
parent 5f9972e75e
commit c5bf915d10
2 changed files with 54 additions and 0 deletions
--- a/src/backend/InvenTree/common/api.py
+++ b/src/backend/InvenTree/common/api.py
@@ -1178,6 +1178,22 @@ class DataOutputEndpointMixin:
    serializer_class = common.serializers.DataOutputSerializer
    permission_classes = [IsAuthenticatedOrReadScope]
    def get_queryset(self):
        """Return the set of DataOutput objects which the user has permission to view."""
        queryset = super().get_queryset()
        try:
            user = self.request.user
        except AttributeError:
            return common.models.DataOutput.objects.none()
        # Allow staff users access to all DataOutput objects
        if user.is_staff:
            return queryset
        # All other users are limited to viewing their own DataOutput objects
        return queryset.filter(user=user)
 class DataOutputList(DataOutputEndpointMixin, BulkDeleteMixin, ListAPI):
    """List view for DataOutput objects."""
--- a/src/backend/InvenTree/common/test_api.py
+++ b/src/backend/InvenTree/common/test_api.py
@@ -6,6 +6,44 @@ import common.models
 from InvenTree.unit_test import InvenTreeAPITestCase
 class DataOutputAPITests(InvenTreeAPITestCase):
    """API tests for the DataOutput endpoint."""
    roles = 'all'
    def setUp(self):
        """Set up some test data for DataOutput API testing."""
        from report.models import DataOutput
        super().setUp()
        for ii in range(5):
            DataOutput.objects.create(
                output_type='test_output',
                user=self.user if ii % 2 == 0 else None,
                complete=ii % 2 == 1,
            )
    def test_data_output_list(self):
        """Test the DataOutput API list endpoint."""
        url = reverse('api-data-output-list')
        #  Non-staff user should only see outputs which are either enabled for all users, or created by themselves
        self.user.is_staff = False
        self.user.save()
        response = self.get(url)
        self.assertEqual(len(response.data), 3)
        for output in response.data:
            self.assertEqual(output['user'], self.user.pk)
        # Set staff access = True, so we should see all outputs
        self.user.is_staff = True
        self.user.save()
        response = self.get(url)
        self.assertEqual(len(response.data), 5)
 class ParameterAPITests(InvenTreeAPITestCase):
    """Tests for the Parameter API."""