Project

Profile

Help

Task #9575

closed

Move queryset filtering for Tasks to Task.objects

Added by bmbouter over 2 years ago. Updated over 2 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 111
Quarter:

Description

Right now the Task queryset scoping is implemented only in DRF. Recently the new task purge endpoint deletes task records in a task. To do that in a way that aligns with the queryset scoping and RBAC the Tasks endpoint already supports we have to have the queryset manager provide the queryset scoping.

Actions #1

Updated by pulpbot over 2 years ago

  • Status changed from ASSIGNED to POST
Actions #2

Updated by bmbouter over 2 years ago

Here's a diff from the more-awesome version that I couldn't get working:

[bmbouter@fedora pulpcore]$ git diff
diff --git a/pulpcore/app/models/task.py b/pulpcore/app/models/task.py
index e99f3a33b..b3abba7f7 100644
--- a/pulpcore/app/models/task.py
+++ b/pulpcore/app/models/task.py
@@ -152,6 +152,7 @@ class TaskManager(models.Manager):
     def get_queryset(self):
         qs = super().get_queryset()
         current_user = get_current_authenticated_user()
+        return get_objects_for_user(current_user, "core.view_task", klass=qs)
         if current_user:
             return get_objects_for_user(current_user, "core.view_task", klass=qs)
         return qs
@@ -206,6 +207,7 @@ class Task(BaseModel, AutoDeleteObjPermsMixin, AutoAddObjPermsMixin):
     ACCESS_POLICY_VIEWSET_NAME = "tasks"
 
     objects = TaskManager()
+    objects_no_qs_scoping = models.Manager()
 
     def __str__(self):
         return "Task: {name} [{state}]".format(name=self.name, state=self.state)
diff --git a/pulpcore/app/serializers/exporter.py b/pulpcore/app/serializers/exporter.py
index 6e55c3441..5048e68a2 100644
--- a/pulpcore/app/serializers/exporter.py
+++ b/pulpcore/app/serializers/exporter.py
@@ -80,7 +80,7 @@ class ExportSerializer(ModelSerializer):
 
     task = RelatedField(
         help_text=_("A URI of the task that ran the Export."),
-        queryset=models.Task.objects.all(),
+        queryset=models.Task.objects_no_qs_scoping.all(),
         view_name="tasks-detail",
         required=False,
         allow_null=True,
diff --git a/pulpcore/app/serializers/importer.py b/pulpcore/app/serializers/importer.py
index fac39f919..75b54a180 100644
--- a/pulpcore/app/serializers/importer.py
+++ b/pulpcore/app/serializers/importer.py
@@ -35,7 +35,7 @@ class ImportSerializer(ModelSerializer):
 
     task = RelatedField(
         help_text=_("A URI of the Task that ran the Import."),
-        queryset=models.Task.objects.all(),
+        queryset=models.Task.objects_no_qs_scoping.all(),
         view_name="tasks-detail",
     )
 

Actions #3

Updated by bmbouter over 2 years ago

  • Sprint set to Sprint 110
Actions #4

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 110 to Sprint 111
Actions #5

Updated by bmbouter over 2 years ago

  • Status changed from POST to CLOSED - WONTFIX

We concluded that we cannot know the purpose a queryset is being formed, so we can't know which permission to check. As such, everyone will need to add permission-based filtering on every queryset.

Also available in: Atom PDF