Fixes #7814: Fix restriction of user & group objects in GraphQL API queries

jeremystretch 4 years ago
Parent
Commit
daf6c8e327
2 changed files with 3 additions and 2 deletions
  1. 1 0
      docs/release-notes/version-3.0.md
  2. 2 2
      netbox/users/graphql/types.py

+ 1 - 0
docs/release-notes/version-3.0.md

@@ -22,6 +22,7 @@
 * [#7802](https://github.com/netbox-community/netbox/issues/7802) - Differentiate ID and VID columns in VLANs table
 * [#7808](https://github.com/netbox-community/netbox/issues/7808) - Fix reference values for content type under custom field import form
 * [#7809](https://github.com/netbox-community/netbox/issues/7809) - Add missing export template support for various models
+* [#7814](https://github.com/netbox-community/netbox/issues/7814) - Fix restriction of user & group objects in GraphQL API queries
 
 ---
 

+ 2 - 2
netbox/users/graphql/types.py

@@ -19,7 +19,7 @@ class GroupType(DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return RestrictedQuerySet(model=Group)
+        return RestrictedQuerySet(model=Group).restrict(info.context.user, 'view')
 
 
 class UserType(DjangoObjectType):
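
Review bot: in GroupType.get_queryset the incoming `queryset` argument is still discarded and a fresh `RestrictedQuerySet(model=Group)` is built, so the only filtering the result carries is the `.restrict(info.context.user, 'view')` call added here. If that is deliberate, a short comment saying why the passed queryset is not used would keep a later refactor from dropping the restrict() call again. It is also worth confirming what restrict() returns when `info.context.user` is an unauthenticated user, since this hunk passes it through unchecked.
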
@@ -34,4 +34,4 @@ class UserType(DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return RestrictedQuerySet(model=User)
+        return RestrictedQuerySet(model=User).restrict(info.context.user, 'view')
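
Review bot: the UserType.get_queryset change repeats the GroupType fix line for line, and the commit touches only the release notes and types.py, so nothing tests it. A regression test that queries users and groups through GraphQL as a user without the 'view' permission and checks that those objects are withheld would catch the missing `.restrict(info.context.user, 'view')` if it reappears. Moving the shared get_queryset into one base class or mixin would also leave a single place to get this right.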