blacklist certain sensitive fields and relations as search arguments

see: #5465 see: #5478
2026-03-02 01:08:48 -03:30 · 2017-02-21 12:18:40 -05:00
parent 0a5b43acae
commit d24fb32358
13 changed files with 99 additions and 32 deletions
--- a/awx/main/models/init.py
+++ b/awx/main/models/init.py
@@ -42,7 +42,7 @@ _PythonSerializer.handle_m2m_field = _new_handle_m2m_field


 # Add custom methods to User model for permissions checks.
-from django.contrib.auth.models import User # noqa
+from django.contrib.auth.models import User  # noqa
 from awx.main.access import * # noqa


@@ -128,3 +128,6 @@ activity_stream_registrar.connect(User)
 activity_stream_registrar.connect(WorkflowJobTemplate)
 activity_stream_registrar.connect(WorkflowJobTemplateNode)
 activity_stream_registrar.connect(WorkflowJob)
+
+# prevent API filtering on certain Django-supplied sensitive fields
+prevent_search(User._meta.get_field('password'))