
Limit choices for related foreign key fields based on view queryset. #1906

Closed
erikcw opened this issue Sep 26, 2014 · 2 comments

Comments

@erikcw
Contributor

erikcw commented Sep 26, 2014

I was just doing some experimenting with DRF and found a potential security issue (information leak).

The generated forms in the Browsable API for ForeignKey fields should limit the displayed choices to the related field's ViewSet.queryset.

Currently, if a ViewSet filters its queryset to prevent users from accessing objects they don't own like so:

from rest_framework import viewsets

class MyViewSet(viewsets.ModelViewSet):
    # ... queryset, serializer_class, etc.
    def get_queryset(self):
        # DRF's get_queryset() takes no queryset argument; filter the class's
        # queryset down to the requesting user's own objects.
        return super().get_queryset().filter(user=self.request.user)

the user will only be able to access those objects. However, the select list in the Browsable API form will display objects belonging to all users.

Ideally this would hook into permission_classes and filter_backends as well.
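The leak the issue describes, and the fix pattern, as an added example that is not code from the issue or from Django REST Framework. A small in-memory stand-in replaces the Django ORM and DRF's relational field so that it runs without either; the names QuerySet, RelatedField, OwnerScopedRelatedField, Account and Request are all assumptions made for the example. The hook it models is DRF 3's RelatedField.get_queryset(), which DRF consults both when the browsable API renders the choice list and when a submitted primary key is validated, so scoping it per request closes the write-side reference to another user's object as well as the display leak:

```python
"""Scoping a related field's choices and validation to the request user.

Added example, not the issue's or DRF's own code.  QuerySet, RelatedField
and the sample rows below are assumptions standing in for the Django ORM
and rest_framework.relations.RelatedField.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    pk: int
    owner: str
    name: str


class QuerySet:
    """Minimal stand-in for a Django QuerySet (only filter/get are needed here)."""

    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, **kwargs):
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in kwargs.items()))

    def get(self, **kwargs):
        rows = self.filter(**kwargs)._rows
        if len(rows) != 1:
            raise LookupError(kwargs)
        return rows[0]

    def __iter__(self):
        return iter(self._rows)


class ValidationError(Exception):
    pass


class RelatedField:
    """Unscoped field: reproduces the behaviour the issue reports."""

    def __init__(self, queryset):
        self.queryset = queryset
        self.context = {}  # DRF populates this with the current request

    def get_queryset(self):
        return self.queryset

    def choices(self):
        # What a browsable-API form would render in its <select>.
        return [(obj.pk, obj.name) for obj in self.get_queryset()]

    def to_internal_value(self, pk):
        # Server-side validation of a submitted foreign key: the same
        # queryset decides what a client may reference on write.
        try:
            return self.get_queryset().get(pk=pk)
        except LookupError:
            raise ValidationError(f"Invalid pk {pk!r} - object does not exist.")


class OwnerScopedRelatedField(RelatedField):
    """Hardened field: choices and validation limited to the request user."""

    def get_queryset(self):
        request = self.context["request"]
        return super().get_queryset().filter(owner=request.user)


class Request:
    def __init__(self, user):
        self.user = user


# Constructed sample data: two owners, three rows.
ACCOUNTS = QuerySet([
    Account(1, "alice", "alice-savings"),
    Account(2, "bob", "bob-checking"),
    Account(3, "alice", "alice-checking"),
])


def choices_for(field_cls, user):
    """Choice list the form would show to `user`."""
    field = field_cls(queryset=ACCOUNTS)
    field.context["request"] = Request(user)
    return field.choices()


def validate_for(field_cls, user, pk):
    """Accepted pk, or None if the submitted reference is rejected."""
    field = field_cls(queryset=ACCOUNTS)
    field.context["request"] = Request(user)
    try:
        return field.to_internal_value(pk).pk
    except ValidationError:
        return None


if __name__ == "__main__":
    print(choices_for(RelatedField, "bob"))                 # leaks alice's rows
    print(choices_for(OwnerScopedRelatedField, "bob"))      # bob's rows only
    print(validate_for(RelatedField, "bob", 1))             # bob may reference alice's row
    print(validate_for(OwnerScopedRelatedField, "bob", 1))  # rejected
```

The check worth carrying over to a real project is the last one: a form that hides other users' objects but a field whose queryset still contains them will accept any primary key a client types into a POST, so the filter belongs on the field's queryset, not only on the rendered choices.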

@tomchristie
Member

We could do with some better way to limit / filter the queryset choices in relationships, agreed.

Not sure how we'd approach that yet.

@tomchristie
Member

Superseded by this documentation ticket #1985.
