From f89b6088cb8c41da8d9e5d2bb34f42a14e9c2e78 Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Wed, 1 Jul 2026 14:18:19 +0000 Subject: [PATCH] Restrict queryset based on user view permissions --- src/backend/InvenTree/common/api.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/backend/InvenTree/common/api.py b/src/backend/InvenTree/common/api.py index 2c71bb9b3e..418f25025a 100644 --- a/src/backend/InvenTree/common/api.py +++ b/src/backend/InvenTree/common/api.py @@ -922,6 +922,31 @@ class NoteMixin: serializer_class = common.serializers.NoteSerializer permission_classes = [IsAuthenticatedOrReadScope] + def get_queryset(self): + """Filter notes to those the requesting user has view permission for. + + Template notes (no attached model) are always visible. + Regular notes are only visible when the user has 'view' permission + for the model type the note is linked to. + """ + from InvenTree.models import InvenTreeNoteMixin + from users.permissions import check_user_permission + + qs = super().get_queryset() + user = self.request.user + + if user.is_superuser: + return qs + + allowed_ct_ids = [] + for ct in ContentType.objects.all(): + model_class = ct.model_class() + if model_class and issubclass(model_class, InvenTreeNoteMixin): + if check_user_permission(user, model_class, 'view'): + allowed_ct_ids.append(ct.pk) + + return qs.filter(Q(template=True) | Q(model_type__in=allowed_ct_ids)) + class NoteList(NoteMixin, ListCreateAPI): """List API endpoint for Note objects."""