Closed
I was just doing some experimenting with DRF and found a potential security issue (information leak).
The generated forms in the Browsable API for ForeignKey fields should limit the displayed choices to the related field's ViewSet.queryset.
Currently, if a ViewSet filters its queryset to prevent users from accessing objects they don't own, like so:

```python
from rest_framework import viewsets


class MyViewSet(viewsets.ModelViewSet):
    # ...
    def get_queryset(self):
        # Only expose objects owned by the requesting user.
        return super().get_queryset().filter(user=self.request.user)
```

the user will only be able to access those objects. However, the select list in the Browsable API form will display objects belonging to all users.
Ideally this would hook into permission_classes and filter_backends as well.