blacklist certain sensitive fields and relations as search arguments

see: #5465 see: #5478
2026-04-12 19:11:49 -05:00 · 2017-02-21 12:18:40 -05:00
parent 0a5b43acae
commit d24fb32358
13 changed files with 99 additions and 32 deletions
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -89,7 +89,8 @@ class FieldLookupBackend(BaseFilterBackend):
        # those lookups combined with request.user.get_queryset(Model) to make
        # sure user cannot query using objects he could not view.
        new_parts = []
-        for n, name in enumerate(parts[:-1]):
+
+        for name in parts[:-1]:
            # HACK: Make project and inventory source filtering by old field names work for backwards compatibility.
            if model._meta.object_name in ('Project', 'InventorySource'):
                name = {
@@ -111,6 +112,10 @@ class FieldLookupBackend(BaseFilterBackend):
                field = model._meta.pk
            else:
                field = model._meta.get_field_by_name(name)[0]
+                if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
+                    raise PermissionDenied('Filtering on %s is not allowed.' % name)
+                elif getattr(field, '__prevent_search__', False):
+                    raise PermissionDenied('Filtering on %s is not allowed.' % name)
            model = getattr(field, 'related_model', None) or field.model

        if parts: