Restricting Viewable Objects

With limited object-level permissions on certain objects, its desirable to restrict the objects shown to users. This effectively causes a Pulp system with many users to have each user see only “their” permissions.

This is feature is generally referred to as Queryset Scoping because it is applied as an additional filter on the base Queryset of a ViewSet. This causes the permission filtering to work with other filterings applied by a user.

Enabling QuerySet Scoping

The support for this is built into pulpcore.plugin.viewsets.NamedModelViewSet, which is often the base class for any model-based ViewSet if Pulp. Objects will only be shown to users have access to a specific permission either at the model-level or object-level. Enable this on your ViewSet that inherits from pulpcore.plugin.viewsets.NamedModelViewSet by setting the queryset_filtering_required_permission class attribute to the value of the permission name.

For example Tasks are restricted only to those users with the “core.task_viewtask” permission like this:

TaskViewSet(NamedModelViewSet):
    ...
    queryset_filtering_required_permission = "core.view_task"

Manually Implementing QuerySet Scoping

If your ViewSet does not inherit from pulpcore.plugin.viewsets.NamedModelViewSet or you would like more control over the QuerySet Scoping feature it can be added manually by adding a get_queryset method to your ViewSet which returns the filtered QuerySet.

To look up objects by permission easily from an existing QuerySet use the klass argument to the get_objects_for_user provided by django-guardian. Here’s an example:

from guardian.shortcuts import get_objects_for_user

class MyViewSet(rest_framework.viewsets.GenericViewSet):

    def get_queryset(self):
        qs = super().get_queryset()
        permission_name = "my.example_permission"
        return get_objects_for_user(self.request.user, permission_name, klass=qs)