Limit choices for related foreign key fields based on view queryset.

I was just doing some experimenting with DRF and found a potential security issue (information leak).

The generated forms in the Browseable API for ForeignKey fields should limit the displayed choices to the related field's `ViewSet.queryset`.

Currently, If a ViewSet filters its queryset to prevent users from accessing objects they don't own like so:

``` py
MyViewSet(ViewSet):
    #...
    def get_queryset(self, queryset, *args, **kwargs):
       return queryset.filter(user=self.request.user)
```

the user will only be able to access those objects.  However, the `select` list in the Browseable API form will display objects belonging to all users.

Ideally this would hook into `permission_classes` and `filter_backends` as well.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Limit choices for related foreign key fields based on view queryset. #1906

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Limit choices for related foreign key fields based on view queryset. #1906

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions