blacklist certain sensitive fields and relations as search arguments

see: #5465 see: #5478
2026-04-07 16:41:48 -05:00 · 2017-02-21 12:18:40 -05:00
parent 0a5b43acae
commit d24fb32358
13 changed files with 99 additions and 32 deletions
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -26,6 +26,7 @@ from rest_framework import status
 from rest_framework import views

 # AWX
+from awx.api.filters import FieldLookupBackend
 from awx.main.models import *  # noqa
 from awx.main.utils import * # noqa
 from awx.api.serializers import ResourceAccessListElementSerializer
@@ -297,7 +298,16 @@ class ListAPIView(generics.ListAPIView, GenericAPIView):
            if relationship.related_model._meta.app_label != 'main':
                continue
            fields.append('{}__search'.format(relationship.name))
-        return fields
+
+        allowed_fields = []
+        for field in fields:
+            try:
+                FieldLookupBackend().get_field_from_lookup(self.model, field)
+            except PermissionDenied:
+                pass
+            else:
+                allowed_fields.append(field)
+        return allowed_fields


 class ListCreateAPIView(ListAPIView, generics.ListCreateAPIView):