Prevent non-superusers from querying the activity stream

author: Matthew Jones <mat@matburt.net> 2013-11-19 15:10:07 +0100
committer: Matthew Jones <mat@matburt.net> 2013-11-19 15:10:14 +0100
commit: 14ac51861e9248900ea775844d5cd7896eec2df6 (patch)
tree: f41a1619511cd3dd4299caf3553004745ef1ecd3
parent: Added AS to /inventories/hosts/N and /inventories/groups/N as well has /home/... (diff)
download: awx-14ac51861e9248900ea775844d5cd7896eec2df6.tar.xz
awx-14ac51861e9248900ea775844d5cd7896eec2df6.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/awx/api/views.py b/awx/api/views.py
index 38b74069f6..82538bb8a6 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -12,6 +12,7 @@ from django.conf import settings
 from django.contrib.auth.models import User
 from django.core.urlresolvers import reverse
 from django.db.models import Q
+
 from django.db import IntegrityError
 from django.shortcuts import get_object_or_404
 from django.utils.datastructures import SortedDict
@@ -1064,6 +1065,8 @@ class ActivityStreamList(SimpleListAPIView):
 
     def get_queryset(self):
         initial_qs = super(ActivityStreamList, self).get_queryset()
+        if not self.request.user.is_superuser:
+            return initial_qs.none()
         all_qs = Q()
         all_obj1_types = [x.object1_type for x in ActivityStream.objects.order_by('object1_type').distinct('object1_type')]
         all_obj2_types = [x.object2_type for x in ActivityStream.objects.order_by('object2_type').distinct('object2_type')]
author	Matthew Jones <mat@matburt.net>	2013-11-19 15:10:07 +0100
committer	Matthew Jones <mat@matburt.net>	2013-11-19 15:10:14 +0100
commit	14ac51861e9248900ea775844d5cd7896eec2df6 (patch)
tree	f41a1619511cd3dd4299caf3553004745ef1ecd3
parent	Added AS to /inventories/hosts/N and /inventories/groups/N as well has /home/... (diff)
download	awx-14ac51861e9248900ea775844d5cd7896eec2df6.tar.xz awx-14ac51861e9248900ea775844d5cd7896eec2df6.zip