Actions
Task #9575
closedMove queryset filtering for Tasks to Task.objects
Start date:
Due date:
% Done:
0%
Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 111
Quarter:
Description
Right now the Task queryset scoping is implemented only in DRF. Recently the new task purge endpoint deletes task records in a task. To do that in a way that aligns with the queryset scoping and RBAC the Tasks endpoint already supports we have to have the queryset manager provide the queryset scoping.
Updated by pulpbot over 2 years ago
- Status changed from ASSIGNED to POST
Updated by bmbouter over 2 years ago
Here's a diff from the more-awesome version that I couldn't get working:
[bmbouter@fedora pulpcore]$ git diff
diff --git a/pulpcore/app/models/task.py b/pulpcore/app/models/task.py
index e99f3a33b..b3abba7f7 100644
--- a/pulpcore/app/models/task.py
+++ b/pulpcore/app/models/task.py
@@ -152,6 +152,7 @@ class TaskManager(models.Manager):
def get_queryset(self):
qs = super().get_queryset()
current_user = get_current_authenticated_user()
+ return get_objects_for_user(current_user, "core.view_task", klass=qs)
if current_user:
return get_objects_for_user(current_user, "core.view_task", klass=qs)
return qs
@@ -206,6 +207,7 @@ class Task(BaseModel, AutoDeleteObjPermsMixin, AutoAddObjPermsMixin):
ACCESS_POLICY_VIEWSET_NAME = "tasks"
objects = TaskManager()
+ objects_no_qs_scoping = models.Manager()
def __str__(self):
return "Task: {name} [{state}]".format(name=self.name, state=self.state)
diff --git a/pulpcore/app/serializers/exporter.py b/pulpcore/app/serializers/exporter.py
index 6e55c3441..5048e68a2 100644
--- a/pulpcore/app/serializers/exporter.py
+++ b/pulpcore/app/serializers/exporter.py
@@ -80,7 +80,7 @@ class ExportSerializer(ModelSerializer):
task = RelatedField(
help_text=_("A URI of the task that ran the Export."),
- queryset=models.Task.objects.all(),
+ queryset=models.Task.objects_no_qs_scoping.all(),
view_name="tasks-detail",
required=False,
allow_null=True,
diff --git a/pulpcore/app/serializers/importer.py b/pulpcore/app/serializers/importer.py
index fac39f919..75b54a180 100644
--- a/pulpcore/app/serializers/importer.py
+++ b/pulpcore/app/serializers/importer.py
@@ -35,7 +35,7 @@ class ImportSerializer(ModelSerializer):
task = RelatedField(
help_text=_("A URI of the Task that ran the Import."),
- queryset=models.Task.objects.all(),
+ queryset=models.Task.objects_no_qs_scoping.all(),
view_name="tasks-detail",
)
Updated by bmbouter over 2 years ago
- Status changed from POST to CLOSED - WONTFIX
We concluded that we cannot know the purpose a queryset is being formed, so we can't know which permission to check. As such, everyone will need to add permission-based filtering on every queryset.
Actions