Merge branch 'master' into add-tenant-id-constraints

rbac/management/permission/view.py

@@ -60,7 +60,7 @@ def allowed_only_filter(self, queryset, field, value):
         """Filter to return only permissions from roles in the ROLE_CREATE_ALLOW_LIST."""
         query_field = validate_and_get_key(self.request.query_params, field, VALID_BOOLEAN_PARAM_VALS, "false")
         if query_field == "true":
-            queryset = Permission.objects.filter(application__in=settings.ROLE_CREATE_ALLOW_LIST)
+            queryset = queryset.filter(application__in=settings.ROLE_CREATE_ALLOW_LIST)
         return queryset
 
     application = filters.CharFilter(field_name="application", method="multiple_values_in")

tests/management/permission/test_view.py

@@ -423,6 +423,12 @@ def test_allowed_only_filters_any_roles_not_in_allow_list_out_when_true(self):
         self.assertEqual(len(response.data.get("data")), 1)
         self.assertCountEqual(expected, response_permissions)
 
+    def test_allowed_only_filters_any_roles_not_in_allow_list_out_when_true_in_chain(self):
+        """Test that we filter out any permissions not in the allow list when allowed_only=true, chained with other filters."""
+        response = CLIENT.get(f"{LIST_URL}?allowed_only=true&exclude_globals=true", **self.headers)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(len(response.data.get("data")), 0)
+
     def test_allowed_only_filters_no_permissions_out_when_false(self):
         """Test that we do not filter out any permissions not in the allow list when allowed_only=false."""
         with tenant_context(self.tenant):