From 69a9d87e6feb95fbd0606ae1ccab6ec7a65e46e5 Mon Sep 17 00:00:00 2001 From: Sawyer Bergeron Date: Wed, 10 Apr 2019 13:15:34 -0400 Subject: Fix private images being visible to anyone Change-Id: I1df1a11dd1b9e51d026157f9c7fd8b4a008371d8 Signed-off-by: Sawyer Bergeron --- dashboard/src/booking/forms.py | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'dashboard/src') diff --git a/dashboard/src/booking/forms.py b/dashboard/src/booking/forms.py index 7ba5af0..9349ac1 100644 --- a/dashboard/src/booking/forms.py +++ b/dashboard/src/booking/forms.py @@ -8,7 +8,6 @@ ############################################################################## import django.forms as forms from django.forms.widgets import NumberInput -from django.db.models import Q from workflow.forms import ( SearchableSelectMultipleWidget, @@ -22,7 +21,6 @@ from resource_inventory.models import Image, Installer, Scenario class QuickBookingForm(forms.Form): purpose = forms.CharField(max_length=1000) project = forms.CharField(max_length=400) - image = forms.ModelChoiceField(queryset=Image.objects.all()) hostname = forms.CharField(max_length=400) installer = forms.ModelChoiceField(queryset=Installer.objects.all(), required=False) @@ -40,14 +38,14 @@ class QuickBookingForm(forms.Form): elif data and "users" in data: chosen_users = data.getlist("users") - if user: - self.image = forms.ModelChoiceField(queryset=Image.objects.filter( - Q(public=True) | Q(owner=user)), required=False) - else: - self.image = forms.ModelChoiceField(queryset=Image.objects.all(), required=False) - super(QuickBookingForm, self).__init__(data=data, **kwargs) + self.fields["image"] = forms.ModelChoiceField( + queryset=Image.objects.difference( + Image.objects.filter(public=False).difference(Image.objects.filter(owner=user)) + ) + ) + self.fields['users'] = forms.CharField( widget=SearchableSelectMultipleWidget( attrs=self.build_search_widget_attrs(chosen_users, default_user=default_user) -- cgit 1.2.3-korg