Fixes #7814: Fix restriction of user & group objects in GraphQL API queries

jeremystretch · jeremystretch · commit daf6c8e327ff · 2021-11-12T08:23:58.000-05:00
diff --git a/docs/release-notes/version-3.0.md b/docs/release-notes/version-3.0.md
@@ -22,6 +22,7 @@
 * [#7802](https://github.com/netbox-community/netbox/issues/7802) - Differentiate ID and VID columns in VLANs table
 * [#7808](https://github.com/netbox-community/netbox/issues/7808) - Fix reference values for content type under custom field import form
 * [#7809](https://github.com/netbox-community/netbox/issues/7809) - Add missing export template support for various models
+* [#7814](https://github.com/netbox-community/netbox/issues/7814) - Fix restriction of user & group objects in GraphQL API queries
 
 ---
 
diff --git a/netbox/users/graphql/types.py b/netbox/users/graphql/types.py
@@ -19,7 +19,7 @@ class Meta:
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return RestrictedQuerySet(model=Group)
+        return RestrictedQuerySet(model=Group).restrict(info.context.user, 'view')
 
 
 class UserType(DjangoObjectType):
@@ -34,4 +34,4 @@ class Meta:
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return RestrictedQuerySet(model=User)
+        return RestrictedQuerySet(model=User).restrict(info.context.user, 'view')
