Merge branch 'master' into fix_api_nullables

Author: matmair

.github/workflows/qc_checks.yaml

@@ -392,7 +392,7 @@ jobs:
 
   performance:
     name: Tests - Performance
-    runs-on: codspeed-macro
+    runs-on: ubuntu-24.04 # codspeed-macro
 
     needs: ["pre-commit", "paths-filter"]
     if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true'

.pre-commit-config.yaml

@@ -18,7 +18,7 @@ repos:
         exclude: mkdocs.yml
     -   id: mixed-line-ending
 -   repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.8
+    rev: v0.14.10
     hooks:
     - id: ruff-format
       args: [--preview]
@@ -29,7 +29,7 @@ repos:
         --preview
       ]
 -   repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.9.16
+    rev: 0.9.22
     hooks:
       - id: pip-compile
         name: pip-compile requirements-dev.in
@@ -71,7 +71,7 @@ repos:
           src/frontend/vite.config.ts |
       )$
 -   repo: https://github.com/biomejs/pre-commit
-    rev: v2.3.8
+    rev: v2.3.10
     hooks:
     -   id: biome-check
         additional_dependencies: ["@biomejs/biome@1.9.4"]

src/backend/InvenTree/InvenTree/api.py

@@ -17,6 +17,7 @@
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework import serializers
 from rest_framework.generics import GenericAPIView
+from rest_framework.request import clone_request
 from rest_framework.response import Response
 from rest_framework.serializers import ValidationError
 from rest_framework.views import APIView
@@ -31,7 +32,7 @@
 from InvenTree.sso import sso_registration_enabled
 from plugin.serializers import MetadataSerializer
 from users.models import ApiToken
-from users.permissions import check_user_permission
+from users.permissions import check_user_permission, prefetch_rule_sets
 
 from .helpers import plugins_info
 from .helpers_email import is_email_configured
@@ -767,6 +768,13 @@ def post(self, request, *args, **kwargs):
 
         search_filters = self.get_result_filters()
 
+        # Create a clone of the request object to modify
+        # Use GET method for the individual list views
+        cloned_request = clone_request(request, 'GET')
+
+        # Fetch and cache all groups associated with the current user
+        groups = prefetch_rule_sets(request.user)
+
         for key, cls in self.get_result_types().items():
             # Only return results which are specifically requested
             if key in data:
@@ -790,22 +798,23 @@ def post(self, request, *args, **kwargs):
                 view = cls()
 
                 # Override regular query params with specific ones for this search request
-                request._request.GET = params
-                view.request = request
+                cloned_request._request.GET = params
+                view.request = cloned_request
                 view.format_kwarg = 'format'
 
                 # Check permissions and update results dict with particular query
                 model = view.serializer_class.Meta.model
 
+                if not check_user_permission(
+                    request.user, model, 'view', groups=groups
+                ):
+                    results[key] = {
+                        'error': _('User does not have permission to view this model')
+                    }
+                    continue
+
                 try:
-                    if check_user_permission(request.user, model, 'view'):
-                        results[key] = view.list(request, *args, **kwargs).data
-                    else:
-                        results[key] = {
-                            'error': _(
-                                'User does not have permission to view this model'
-                            )
-                        }
+                    results[key] = view.list(request, *args, **kwargs).data
                 except Exception as exc:
                     results[key] = {'error': str(exc)}
 

src/backend/InvenTree/InvenTree/helpers_email.py

@@ -122,7 +122,8 @@ def get_email_for_user(user) -> Optional[str]:
     # Otherwise, find first matching email
     # Priority is given to primary or verified email addresses
     if (
-        email := EmailAddress.objects.filter(user=user)
+        email := EmailAddress.objects
+        .filter(user=user)
         .order_by('-primary', '-verified')
         .first()
     ):

src/backend/InvenTree/InvenTree/management/commands/schema.py

@@ -71,7 +71,8 @@ def handle(self, *args, **kwargs):
         for p_name, p_spec in spec['paths'].items():
             # strip path name
             p_name = (
-                p_name.removeprefix(dja_path_prefix)
+                p_name
+                .removeprefix(dja_path_prefix)
                 .removeprefix('/_allauth/browser/v1/')
                 .removeprefix('/_allauth/app/v1/')
             )

src/backend/InvenTree/InvenTree/models.py

@@ -610,7 +610,8 @@ def get_parameter(self, name: str):
     def get_parameters(self) -> QuerySet:
         """Return all Parameter instances for this model."""
         return (
-            self.parameters_list.all()
+            self.parameters_list
+            .all()
             .prefetch_related('template', 'model_type')
             .order_by('template__name')
         )
@@ -752,7 +753,8 @@ def delete(self, *args, **kwargs):
             for child in self.get_children():
                 # Store a flattened list of node IDs for each of the lower trees
                 nodes = list(
-                    child.get_descendants(include_self=True)
+                    child
+                    .get_descendants(include_self=True)
                     .values_list('pk', flat=True)
                     .distinct()
                 )

src/backend/InvenTree/InvenTree/serializers.py

@@ -21,6 +21,7 @@
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import empty
 from rest_framework.mixins import ListModelMixin
+from rest_framework.permissions import SAFE_METHODS
 from rest_framework.serializers import DecimalField
 from rest_framework.utils import model_meta
 from taggit.serializers import TaggitSerializer, TagListSerializerField
@@ -229,7 +230,7 @@ def do_filtering(self) -> None:
         # Skip filtering for a write requests - all fields should be present for data creation
         if request := self.context.get('request', None):
             if method := getattr(request, 'method', None):
-                if str(method).lower() in ['post', 'put', 'patch'] and not is_exporting:
+                if method not in SAFE_METHODS and not is_exporting:
                     return
 
         # Throw out fields which are not requested (either by default or explicitly)

src/backend/InvenTree/common/notifications.py

@@ -177,9 +177,9 @@ def trigger_notification(obj: Model, category: str = '', obj_ref: str = 'pk', **
     # Filter out any users who are inactive, or do not have the required model permissions
     valid_users = list(
         filter(
-            lambda u: u
-            and u.is_active
-            and (not obj or check_user_permission(u, obj, 'view')),
+            lambda u: (
+                u and u.is_active and (not obj or check_user_permission(u, obj, 'view'))
+            ),
             list(target_users),
         )
     )

src/backend/InvenTree/company/serializers.py

@@ -268,11 +268,7 @@ class Meta:
             source='part', many=False, read_only=True, allow_null=True
         ),
         True,
-        prefetch_fields=[
-            Prefetch(
-                'part', queryset=part.models.Part.objects.select_related('pricing_data')
-            )
-        ],
+        prefetch_fields=['part', 'part__pricing_data', 'part__category'],
     )
 
     pretty_name = enable_filter(
@@ -438,7 +434,7 @@ def __init__(self, *args, **kwargs):
             label=_('Part'), source='part', many=False, read_only=True, allow_null=True
         ),
         False,
-        prefetch_fields=['part'],
+        prefetch_fields=['part', 'part__pricing_data'],
     )
 
     supplier_detail = enable_filter(

src/backend/InvenTree/company/test_api.py

@@ -2,7 +2,14 @@
 
 from django.urls import reverse
 
-from company.models import Address, Company, Contact, SupplierPart, SupplierPriceBreak
+from company.models import (
+    Address,
+    Company,
+    Contact,
+    ManufacturerPart,
+    SupplierPart,
+    SupplierPriceBreak,
+)
 from InvenTree.unit_test import InvenTreeAPITestCase
 from part.models import Part
 from users.permissions import check_user_permission
@@ -498,7 +505,9 @@ def test_manufacturer_part_list(self):
 
     def test_manufacturer_part_detail(self):
         """Tests for the ManufacturerPart detail endpoint."""
-        url = reverse('api-manufacturer-part-detail', kwargs={'pk': 1})
+        mp = ManufacturerPart.objects.first()
+
+        url = reverse('api-manufacturer-part-detail', kwargs={'pk': mp.pk})
 
         response = self.get(url)
         self.assertEqual(response.data['MPN'], 'MPN123')