fix permissions of views based on rbac, fixes #863

changes/863.fixed

@@ -0,0 +1,2 @@
+Update the queryset altering to be after permissions restriction.
+Updated the queryset before rendering the compliance reporting to be after permissions restriction.

nautobot_golden_config/views.py

@@ -271,6 +271,8 @@ def get_extra_context(self, request, instance=None, **kwargs):
 
     def alter_queryset(self, request):
         """Build actual runtime queryset as the build time queryset of table `pivoted`."""
+        # Super because alter_queryset() calls get_queryset(), which is what calls queryset.restrict()
+        self.queryset = super().alter_queryset(request)
         return pivot(
             self.queryset,
             ["device", "device__name"],
@@ -375,7 +377,8 @@ def setup(self, request, *args, **kwargs):
         """Using request object to perform filtering based on query params."""
         super().setup(request, *args, **kwargs)
         filter_params = self.get_filter_params(request)
-        main_qs = models.ConfigCompliance.objects
+        # Add .restrict() to the queryset to restrict the view based on user permissions.
+        main_qs = models.ConfigCompliance.objects.restrict(request.user, "view")
         device_aggr, feature_aggr = get_global_aggr(main_qs, self.filterset, filter_params)
         feature_qs = self.filterset(request.GET, self.queryset).qs
         self.extra_content = {