Filters defined in ModelViewSet's get_queryset method are not applied to Detail and Delete views
ikseek opened this issue · comments
Igor Kozyrenko commented
`DetailModelView` and `DeleteModelView` views don't have `ModelViewMixin` in them, so they never call `self.viewset.get_queryset()` for pre-filtering in `get_object()`. As a consequence, `ModelViewSet`s that don't define explicit permission checks do not list objects filtered out by `get_queryset()`, but still allow them to be seen and deleted (but not updated, as `UpdateModelView` has `ModelViewMixin`).

This inconsistency makes me believe this is not intended behavior and looks like a potential security hole.
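An added illustration of the access-path mismatch described above and of the fix it implies (resolving the object from the viewset's filtered queryset on every path, not just the list view). This is constructed example code, not the project's own; it models querysets as plain lists so it runs without Django, and all class, field and user names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    pk: int
    owner: str


# Constructed sample table: two rows owned by two different users.
DB = [Doc(1, "alice"), Doc(2, "bob")]


class Http404(Exception):
    pass


class ViewSet:
    """Per-request scoping lives here, as in ModelViewSet.get_queryset()."""

    def get_queryset(self, request):
        return [d for d in DB if d.owner == request["user"]]


class LeakyDetailView:
    """Mirrors the reported flaw: get_object() reads the unfiltered table,
    so the viewset's filter is never consulted for single-object access."""

    def __init__(self, viewset):
        self.viewset = viewset

    def get_object(self, request, pk):
        for d in DB:
            if d.pk == pk:
                return d
        raise Http404(pk)


class ScopedObjectMixin:
    """Fix: look the object up inside the viewset's filtered queryset."""

    def __init__(self, viewset):
        self.viewset = viewset

    def get_object(self, request, pk):
        for d in self.viewset.get_queryset(request):
            if d.pk == pk:
                return d
        raise Http404(pk)


class DetailView(ScopedObjectMixin):
    pass


class DeleteView(ScopedObjectMixin):
    def delete(self, request, pk):
        obj = self.get_object(request, pk)  # 404s for out-of-scope rows
        DB.remove(obj)
        return obj


def can_access(view_cls, user, pk):
    """True if `user` can resolve object `pk` through the given view class."""
    try:
        view_cls(ViewSet()).get_object({"user": user}, pk)
        return True
    except Http404:
        return False
```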
Mikhail Podgurskiy commented
Thanks for the spot!