get_queryset does not affect querying in django rest framework ModelViewSet

Question

My ViewSet looks like this:

class ClientViewSet(viewsets.ModelViewSet):
    queryset = models.Client.objects.all()
    serializer_class = serializers.ClientSerializer

    def filter_queryset(self, queryset):
        return models.Client.objects.filter(**self.request.data)

    def get_queryset(self):
        return models.Client.objects.filter(owner=self.request.user)

The model looks like this:

class Client(models.Model):
    owner = models.ForeignKey(User, on_delete=models.CASCADE, null=True)
    name = models.CharField(max_length=100, blank=True, null=True)

    def __str__(self):
        return str(self.id)

So, I'm trying to filter clients so that only the current user's clients are presented to them. However, GET api/clients still returns all the clients of all users. What have I done wrong?

That is because you do not further process the queryset in the filter_queryset. — willeM_ Van Onsem
– willeM_ Van Onsem, Commented Aug 31, 2020 at 22:46

willeM_ Van Onsem · Accepted Answer · 2020-08-31 22:48:31Z

That is because you do not further process the queryset in the filter_queryset. The filter_queryset is one of the next steps in the chain. You should thus further filter the queryset with:

class ClientViewSet(viewsets.ModelViewSet):
    queryset = models.Client.objects.all()
    serializer_class = serializers.ClientSerializer

    def filter_queryset(self, queryset):
        return queryset.filter(**self.request.data)

    def get_queryset(self):
        return models.Client.objects.filter(owner=self.request.user)

You however might want to take a look at the filter_backends [drf-doc]. This allows one to implement filters in a more elegant way. By using **self.request.data, you include potentially a security vulnerability, since the users can query not only on the model, but also on related model objects, and thus for example use binary search to determine fields that are sensitive.

Collectives™ on Stack Overflow

get_queryset does not affect querying in django rest framework ModelViewSet

1 Answer 1

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Related