def edit_issue(request, id, page, objid):
note = get_object_or_404(Notes, id=id)
reverse_url = None
object_id = None
if page is None or str(
request.user
) != note.author.username and not request.user.is_superuser:
raise PermissionDenied
if page == "test":
object = get_object_or_404(Test, id=objid)
object_id = object.id
reverse_url = "view_test"
elif page == "finding":
object = get_object_or_404(Finding, id=objid)
object_id = object.id
reverse_url = "view_finding"
if request.method == 'POST':
form = NoteForm(request.POST, instance=note)
if form.is_valid():
note = form.save(commit=False)
note.edited = True
note.editor = request.user
note.edit_time = timezone.now()
history = NoteHistory(data=note.entry,
time=note.edit_time,
current_editor=note.editor)
history.save()
note.history.add(history)
note.save()
object.last_reviewed = note.date
object.last_reviewed_by = request.user
object.save()
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note edited.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse(reverse_url, args=(object_id, )))
else:
messages.add_message(request,
messages.SUCCESS,
'Note was not succesfully edited.',
extra_tags='alert-danger')
else:
form = NoteForm(instance=note)
return render(request, 'dojo/edit_note.html', {
'note': note,
'form': form,
'page': page,
'objid': objid,
})
def update(self, instance, validated_data):
instance.entry = validated_data['entry']
instance.edited = True
instance.editor = self.context['request'].user
instance.edit_time = timezone.now()
history = NoteHistory(data=instance.entry,
time=instance.edit_time,
current_editor=instance.editor)
history.save()
instance.history.add(history)
instance.save()
return instance
def edit_issue(request, id, page, objid):
note = get_object_or_404(Notes, id=id)
reverse_url = None
object_id = None
if page == "engagement":
object = get_object_or_404(Engagement, id=objid)
object_id = object.id
reverse_url = "view_engagement"
elif page == "test":
object = get_object_or_404(Test, id=objid)
object_id = object.id
reverse_url = "view_test"
elif page == "finding":
object = get_object_or_404(Finding, id=objid)
object_id = object.id
reverse_url = "view_finding"
if page is None:
raise PermissionDenied
if str(request.user) != note.author.username:
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, object,
Permissions.Note_Edit)
else:
if not request.user.is_staff:
raise PermissionDenied
note_type_activation = Note_Type.objects.filter(is_active=True).count()
if note_type_activation:
available_note_types = find_available_notetypes(object, note)
if request.method == 'POST':
if note_type_activation:
form = TypedNoteForm(request.POST,
available_note_types=available_note_types,
instance=note)
else:
form = NoteForm(request.POST, instance=note)
if form.is_valid():
note = form.save(commit=False)
note.edited = True
note.editor = request.user
note.edit_time = timezone.now()
if note_type_activation:
history = NoteHistory(note_type=note.note_type,
data=note.entry,
time=note.edit_time,
current_editor=note.editor)
else:
history = NoteHistory(data=note.entry,
time=note.edit_time,
current_editor=note.editor)
history.save()
note.history.add(history)
note.save()
object.last_reviewed = note.date
object.last_reviewed_by = request.user
object.save()
form = NoteForm()
messages.add_message(request,
messages.SUCCESS,
'Note edited.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse(reverse_url, args=(object_id, )))
else:
messages.add_message(request,
messages.SUCCESS,
'Note was not succesfully edited.',
extra_tags='alert-danger')
else:
if note_type_activation:
form = TypedNoteForm(available_note_types=available_note_types,
instance=note)
else:
form = NoteForm(instance=note)
return render(request, 'dojo/edit_note.html', {
'note': note,
'form': form,
'page': page,
'objid': objid,
})
def sync_findings(request, tid, spreadsheetId):
test = Test.objects.get(id=tid)
system_settings = get_object_or_404(System_Settings, id=1)
service_account_info = json.loads(system_settings.credentials)
SCOPES = ['https://www.googleapis.com/auth/spreadsheets']
credentials = service_account.Credentials.from_service_account_info(
service_account_info, scopes=SCOPES)
sheets_service = googleapiclient.discovery.build('sheets',
'v4',
credentials=credentials,
cache_discovery=False)
res = {}
spreadsheet = sheets_service.spreadsheets().get(
spreadsheetId=spreadsheetId).execute()
sheet_names = []
for sheet in spreadsheet['sheets']:
date = (sheet['properties']['title'])
try:
date = datetime.datetime.strptime(date, "%Y-%m-%d %H:%M:%S")
sheet_names.append(date)
except:
pass
try:
sheet_title = str(max(sheet_names))
except:
raise Exception(
'Existing Google Spreadsheet has errors. Delete the speadsheet and export again.'
)
res['sheet_title'] = sheet_title
result = sheets_service.spreadsheets().values().get(
spreadsheetId=spreadsheetId, range=sheet_title).execute()
rows = result.get('values', [])
header_raw = rows[0]
findings_sheet = rows[1:]
findings_db = Finding.objects.filter(
test=test).order_by('numerical_severity')
column_details = json.loads(system_settings.column_widths.replace(
"'", '"'))
active_note_types = Note_Type.objects.filter(is_active=True)
note_type_activation = len(active_note_types)
errors = []
index_of_active = header_raw.index('active')
index_of_verified = header_raw.index('verified')
index_of_duplicate = header_raw.index('duplicate')
index_of_false_p = header_raw.index('false_p')
index_of_id = header_raw.index('id')
for finding_sheet in findings_sheet:
finding_id = finding_sheet[index_of_id]
active = finding_sheet[index_of_active]
verified = finding_sheet[index_of_verified]
duplicate = finding_sheet[index_of_duplicate]
false_p = finding_sheet[index_of_false_p]
if (active == 'TRUE' or verified == 'TRUE'
) and duplicate == 'TRUE': # Check update finding conditions
error = 'Duplicate findings cannot be verified or active'
errors.append({
'finding_id': finding_id,
'column_names': 'active, verified, duplicate',
'error': error
})
elif false_p == 'TRUE' and verified == 'TRUE':
error = 'False positive findings cannot be verified.'
errors.append({
'finding_id': finding_id,
'column_names': 'false_p, verified',
'error': error
})
else:
try:
finding_db = findings_db.get(
id=finding_id) # Update finding attributes
except:
if finding_id is None:
finding_id = 'Null'
error = 'Finding does not belong to the Test'
errors.append({
'finding_id': finding_id,
'column_names': 'id',
'error': error
})
else:
finding_notes = finding_db.notes.all()
for column_name in header_raw:
if column_name in column_details:
if int(column_details[column_name][1]) == 0:
index_of_column = header_raw.index(column_name)
if finding_sheet[index_of_column] == 'TRUE':
setattr(finding_db, column_name, True)
elif finding_sheet[index_of_column] == 'FALSE':
setattr(finding_db, column_name, False)
else:
if finding_sheet[index_of_column] == '':
setattr(finding_db, column_name, None)
else:
setattr(finding_db, column_name,
finding_sheet[index_of_column])
elif column_name[:6] == '[note]' and column_name[
-3:] == '_id': # Updating notes
note_column_name = column_name[:-3]
try:
index_of_note_column = header_raw.index(
note_column_name)
except ValueError:
pass
else:
index_of_id_column = header_raw.index(column_name)
note_id = finding_sheet[index_of_id_column]
note_entry = finding_sheet[
index_of_note_column].rstrip()
if note_entry != '':
if note_id != '': # If the note is an existing one
note_db = finding_notes.get(id=note_id)
if note_entry != note_db.entry.rstrip():
note_db.entry = note_entry
note_db.edited = True
note_db.editor = request.user
note_db.edit_time = timezone.now()
history = NoteHistory(
data=note_db.entry,
time=note_db.edit_time,
current_editor=note_db.editor)
history.save()
note_db.history.add(history)
note_db.save()
else: # If the note is a newly added one
if note_type_activation:
if note_column_name[7:12] == 'Note_':
error = 'Can not add new notes without a note-type. Add your note under the correct note-type column'
errors.append({
'finding_id': finding_id,
'column_names':
note_column_name,
'error': error
})
else:
note_type_name = note_column_name[
7:][:-2]
try:
note_type = active_note_types.get(
name=note_type_name)
except:
try:
note_type = Note_Type.objects.get(
name=note_type_name)
except:
pass
else:
error = '"' + note_type_name + '" Note-type is disabled. Cannot add new notes of "' + note_type_name + '" type'
errors.append({
'finding_id':
finding_id,
'column_names':
note_column_name,
'error':
error
})
else:
new_note = Notes(
note_type=note_type,
entry=note_entry,
date=timezone.now(),
author=request.user)
new_note.save()
history = NoteHistory(
data=new_note.entry,
time=new_note.date,
current_editor=new_note.
author,
note_type=new_note.
note_type)
history.save()
new_note.history.add(history)
finding_db.notes.add(new_note)
else:
if note_column_name[7:12] == 'Note_':
new_note = Notes(
entry=note_entry,
date=timezone.now(),
author=request.user)
new_note.save()
history = NoteHistory(
data=new_note.entry,
time=new_note.date,
current_editor=new_note.author)
history.save()
new_note.history.add(history)
finding_db.notes.add(new_note)
else:
error_location = finding_id + ' ' + note_column_name
error = 'Note-types are not enabled. Notes cannot have a note-type.'
errors.append({
'finding_id': finding_id,
'column_names':
note_column_name,
'error': error
})
finding_db.save()
res['errors'] = errors
populate_sheet(tid, spreadsheetId)
return res