Restrict queryset based on user view permissions

This commit is contained in:
Oliver Walters 2026-07-01 14:18:19 +00:00
parent 6f7c3ff75d
commit f89b6088cb
1 changed files with 25 additions and 0 deletions

View File

@ -922,6 +922,31 @@ class NoteMixin:
serializer_class = common.serializers.NoteSerializer
permission_classes = [IsAuthenticatedOrReadScope]
def get_queryset(self):
"""Filter notes to those the requesting user has view permission for.
Template notes (no attached model) are always visible.
Regular notes are only visible when the user has 'view' permission
for the model type the note is linked to.
"""
from InvenTree.models import InvenTreeNoteMixin
from users.permissions import check_user_permission
qs = super().get_queryset()
user = self.request.user
if user.is_superuser:
return qs
allowed_ct_ids = []
for ct in ContentType.objects.all():
model_class = ct.model_class()
if model_class and issubclass(model_class, InvenTreeNoteMixin):
if check_user_permission(user, model_class, 'view'):
allowed_ct_ids.append(ct.pk)
return qs.filter(Q(template=True) | Q(model_type__in=allowed_ct_ids))
class NoteList(NoteMixin, ListCreateAPI):
"""List API endpoint for Note objects."""