All foreign keys to ContentType should use robust filtering for limit_choices_to #3147

New Issue

adam · 2025-12-29T18:26:07+01:00

adam commented

2025-12-29 18:26:07 +01:00

Originally created by @jeremystretch on GitHub (Jan 10, 2020).

Originally assigned to: @jeremystretch on GitHub.

Proposed Changes

Ensure that all model fields equating to ForeignKey(to=ContentType) where limit_choices_to is in use employ robust filtering by both app and model name.

Justification

There are several models in NetBox which have one or more ForeignKey fields to ContentType and utilize limit_choices_to to constrain the available choices. In all instances where the set of ContentTypes is constrained, a concise list of (app, model) pairings should be used. For example, the Cable model currently has:

CABLE_TERMINATION_TYPES = [
    'consoleport',
    'consoleserverport',
    'interface',
    ...
]

class Cable(...):
    termination_a_type = models.ForeignKey(
        to=ContentType,
        limit_choices_to={'model__in': CABLE_TERMINATION_TYPES},
        on_delete=models.PROTECT,
        related_name='+'
    )

This is problematic, because it allows for a potential name collision across apps within NetBox. Although not currently an issue, we would do well to address this before it presents a problem.

The above instance should be changed to use the model_names_to_filter_dict() and an explicit list of (app, model) pairings to filter the field's associated queryset:

CABLE_TERMINATION_MODELS = (
    'dcim.consoleport',
    'dcim.consoleserverport',
    'dcim.interface',
    ...
)

def get_cable_termination_models():
    return model_names_to_filter_dict(CABLE_TERMINATION_MODELS)

class Cable(...):
    termination_a_type = models.ForeignKey(
        to=ContentType,
        limit_choices_to=get_cable_termination_models(),
        on_delete=models.PROTECT,
        related_name='+'
    )

This change also entails extending the model_names_to_filter_dict() function to match on both app_label and model; it currently matches only on model. A set of Q objects can be used to achieve this.

Originally created by @jeremystretch on GitHub (Jan 10, 2020). Originally assigned to: @jeremystretch on GitHub. ### Proposed Changes Ensure that all model fields equating to `ForeignKey(to=ContentType)` where `limit_choices_to` is in use employ robust filtering by both app *and* model name. ### Justification There are several models in NetBox which have one or more ForeignKey fields to ContentType and utilize `limit_choices_to` to constrain the available choices. In all instances where the set of ContentTypes is constrained, a concise list of (app, model) pairings should be used. For example, the Cable model currently has: ```python CABLE_TERMINATION_TYPES = [ 'consoleport', 'consoleserverport', 'interface', ... ] class Cable(...): termination_a_type = models.ForeignKey( to=ContentType, limit_choices_to={'model__in': CABLE_TERMINATION_TYPES}, on_delete=models.PROTECT, related_name='+' ) ``` This is problematic, because it allows for a potential name collision across apps within NetBox. Although not currently an issue, we would do well to address this before it presents a problem. The above instance should be changed to use the `model_names_to_filter_dict()` and an explicit list of (app, model) pairings to filter the field's associated queryset: ```python CABLE_TERMINATION_MODELS = ( 'dcim.consoleport', 'dcim.consoleserverport', 'dcim.interface', ... ) def get_cable_termination_models(): return model_names_to_filter_dict(CABLE_TERMINATION_MODELS) class Cable(...): termination_a_type = models.ForeignKey( to=ContentType, limit_choices_to=get_cable_termination_models(), on_delete=models.PROTECT, related_name='+' ) ``` This change also entails extending the `model_names_to_filter_dict()` function to match on both `app_label` and `model`; it currently matches only on `model`. A set of `Q` objects can be used to achieve this.

adam added the status: accepted type: housekeeping labels 2025-12-29 18:26:07 +01:00

adam closed this issue

2025-12-29 18:26:07 +01:00

adam commented

2025-12-29 18:26:07 +01:00

@jeremystretch commented on GitHub (Jan 15, 2020):

I ended up ditching the <app>.<model> format altogether, since these constants ultimately are used to filter ContentType querysets anyway. I have replaced each list of strings with a static Q() object defining the specific query filter to be used.

@jeremystretch commented on GitHub (Jan 15, 2020): I ended up ditching the `<app>.<model>` format altogether, since these constants ultimately are used to filter ContentType querysets anyway. I have replaced each list of strings with a static `Q()` object defining the specific query filter to be used.

adam referenced this issue

2025-12-29 19:22:47 +01:00

Allow related object in bulk cable csv import #4974

adam referenced this issue

2025-12-29 22:24:07 +01:00

[PR #4564] [MERGED] Closes #3147: Allow dynamic access to related objects during CSV import #12874

Sign in to join this conversation.

Branches Tags

main

21102-fix-graphiql-explorer

update-changelog-comments-docs

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#3147