def check_import_product_permission(user, product, product_name, product_type,
product_type_name, auto_create_context):
if not product and product_name:
if not auto_create_context:
if product_type_name:
raise serializers.ValidationError(
"Product '%s' doesn't exist in product type '%s'" %
(product_name, product_type_name))
else:
raise serializers.ValidationError(
"Product '%s' doesn't exist" % product_name)
if not product_type_name:
raise serializers.ValidationError(
"Product '%s' doesn't exist and no product_type_name provided to create the new product in"
% product_name)
if not product_type:
if not user_has_global_permission(user,
Permissions.Product_Type_Add):
raise PermissionDenied(
'No permission to create product_type %s',
product_type_name)
# new product type can be created with current user as owner, so all objects in it can be created as well
return True
if not user_has_permission(user, product_type,
Permissions.Product_Type_Add_Product):
raise PermissionDenied(
'No permission to create products in product_type %s',
product_type)
# product can be created, so objects in it can be created as well
return True
def get_authorized_product_types(permission):
user = get_current_user()
if user is None:
return Product_Type.objects.none()
if user.is_superuser:
return Product_Type.objects.all().order_by('name')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_Type.objects.all().order_by('name')
if user_has_global_permission(user, permission):
return Product_Type.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('pk'), user=user, role__in=roles)
authorized_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('pk'), group__users=user, role__in=roles)
product_types = Product_Type.objects.annotate(
member=Exists(authorized_roles),
authorized_group=Exists(authorized_groups)).order_by('name')
product_types = product_types.filter(
Q(member=True) | Q(authorized_group=True))
return product_types
def get_authorized_finding_groups(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Finding_Group.objects.none()
if queryset is None:
finding_groups = Finding_Group.objects.all()
else:
finding_groups = queryset
if user.is_superuser:
return finding_groups
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return finding_groups
if user_has_global_permission(user, permission):
return finding_groups
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('test__engagement__product_id'),
group__users=user,
role__in=roles)
finding_groups = finding_groups.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles),
test__engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
test__engagement__product__authorized_group=Exists(
authorized_product_groups))
finding_groups = finding_groups.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True)
| Q(test__engagement__product__prod_type__authorized_group=True)
| Q(test__engagement__product__authorized_group=True))
return finding_groups
def get_authorized_tests(permission, product=None):
user = get_current_user()
if user is None:
return Test.objects.none()
tests = Test.objects.all()
if product:
tests = tests.filter(engagement__product=product)
if user.is_superuser:
return tests
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Test.objects.all()
if user_has_global_permission(user, permission):
return Test.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('engagement__product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('engagement__product_id'),
group__users=user,
role__in=roles)
tests = tests.annotate(
engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
engagement__product__member=Exists(authorized_product_roles),
engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
engagement__product__authorized_group=Exists(
authorized_product_groups))
tests = tests.filter(
Q(engagement__product__prod_type__member=True)
| Q(engagement__product__member=True)
| Q(engagement__product__prod_type__authorized_group=True)
| Q(engagement__product__authorized_group=True))
return tests
def get_authorized_product_members(permission):
user = get_current_user()
if user is None:
return Product_Member.objects.none()
if user.is_superuser:
return Product_Member.objects.all().select_related('role')
if user_has_global_permission(user, permission):
return Product_Member.objects.all().select_related('role')
products = get_authorized_products(permission)
return Product_Member.objects.filter(product__in=products).select_related('role')
def get_authorized_endpoint_status(permission, queryset=None, user=None):
if user is None:
user = get_current_user()
if user is None:
return Endpoint_Status.objects.none()
if queryset is None:
endpoint_status = Endpoint_Status.objects.all()
else:
endpoint_status = queryset
if user.is_superuser:
return endpoint_status
if user_has_global_permission(user, permission):
return endpoint_status
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('endpoint__product_id'),
group__users=user,
role__in=roles)
endpoint_status = endpoint_status.annotate(
endpoint__product__prod_type__member=Exists(
authorized_product_type_roles),
endpoint__product__member=Exists(authorized_product_roles),
endpoint__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
endpoint__product__authorized_group=Exists(authorized_product_groups))
endpoint_status = endpoint_status.filter(
Q(endpoint__product__prod_type__member=True)
| Q(endpoint__product__member=True)
| Q(endpoint__product__prod_type__authorized_group=True)
| Q(endpoint__product__authorized_group=True))
return endpoint_status
def get_authorized_product_type_members(permission):
user = get_current_user()
if user is None:
return Product_Type_Member.objects.none()
if user.is_superuser:
return Product_Type_Member.objects.all().select_related('role')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_Type_Member.objects.all().select_related('role')
if user_has_global_permission(user, permission):
return Product_Type_Member.objects.all().select_related('role')
product_types = get_authorized_product_types(permission)
return Product_Type_Member.objects.filter(
product_type__in=product_types).select_related('role')
def get_authorized_cred_mappings(permission, queryset=None):
user = get_current_user()
if user is None:
return Cred_Mapping.objects.none()
if queryset is None:
cred_mappings = Cred_Mapping.objects.all()
else:
cred_mappings = queryset
if user.is_superuser:
return cred_mappings
if user_has_global_permission(user, permission):
return cred_mappings
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'),
group__users=user,
role__in=roles)
cred_mappings = cred_mappings.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
cred_mappings = cred_mappings.filter(
Q(product__prod_type__member=True) | Q(product__member=True) |
Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
return cred_mappings
def get_authorized_stub_findings(permission):
user = get_current_user()
if user is None:
return Stub_Finding.objects.none()
if user.is_superuser:
return Stub_Finding.objects.all()
if user_has_global_permission(user, permission):
return Stub_Finding.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('test__engagement__product_id'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('test__engagement__product_id'),
group__users=user,
role__in=roles)
findings = Stub_Finding.objects.annotate(
test__engagement__product__prod_type__member=Exists(
authorized_product_type_roles),
test__engagement__product__member=Exists(authorized_product_roles),
test__engagement__product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
test__engagement__product__authorized_group=Exists(
authorized_product_groups))
findings = findings.filter(
Q(test__engagement__product__prod_type__member=True)
| Q(test__engagement__product__member=True)
| Q(test__engagement__product__prod_type__authorized_group=True)
| Q(test__engagement__product__authorized_group=True))
return findings
def get_authorized_engagement_presets(permission):
user = get_current_user()
if user is None:
return Engagement_Presets.objects.none()
if user.is_superuser:
return Engagement_Presets.objects.all().order_by('title')
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Engagement_Presets.objects.all().order_by('title')
if user_has_global_permission(user, permission):
return Engagement_Presets.objects.all().order_by('title')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
engagement_presets = Engagement_Presets.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups)).order_by(
'title')
engagement_presets = engagement_presets.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return engagement_presets
def get_authorized_products(permission, user=None):
if user is None:
user = get_current_user()
if user is None:
return Product.objects.none()
if user.is_superuser:
return Product.objects.all().order_by('name')
if user_has_global_permission(user, permission):
return Product.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('pk'),
user=user,
role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('pk'),
group__users=user,
role__in=roles)
products = Product.objects.annotate(
prod_type__member=Exists(authorized_product_type_roles),
member=Exists(authorized_product_roles),
prod_type__authorized_group=Exists(authorized_product_type_groups),
authorized_group=Exists(authorized_product_groups)).order_by('name')
products = products.filter(
Q(prod_type__member=True) | Q(member=True) |
Q(prod_type__authorized_group=True) | Q(authorized_group=True))
return products
def get_authorized_product_api_scan_configurations(permission):
user = get_current_user()
if user is None:
return Product_API_Scan_Configuration.objects.none()
if user.is_superuser:
return Product_API_Scan_Configuration.objects.all()
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return Product_API_Scan_Configuration.objects.all()
if user_has_global_permission(user, permission):
return Product_API_Scan_Configuration.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
product_api_scan_configurations = product_api_scan_configurations.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return product_api_scan_configurations
def get_authorized_tool_product_settings(permission):
user = get_current_user()
if user is None:
return Tool_Product_Settings.objects.none()
if user.is_superuser:
return Tool_Product_Settings.objects.all()
if user_has_global_permission(user, permission):
return Tool_Product_Settings.objects.all()
roles = get_roles_for_permission(permission)
authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
tool_product_settings = Tool_Product_Settings.objects.annotate(
product__prod_type__member=Exists(authorized_product_type_roles),
product__member=Exists(authorized_product_roles),
product__prod_type__authorized_group=Exists(
authorized_product_type_groups),
product__authorized_group=Exists(authorized_product_groups))
tool_product_settings = tool_product_settings.filter(
Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return tool_product_settings
def get_authorized_jira_projects(permission, user=None):
if user is None:
user = get_current_user()
if user is None:
return JIRA_Project.objects.none()
jira_projects = JIRA_Project.objects.all()
if user.is_superuser:
return jira_projects
if user_has_global_permission(user, permission):
return jira_projects
roles = get_roles_for_permission(permission)
engagement_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
user=user,
role__in=roles)
engagement_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('engagement__product_id'), user=user, role__in=roles)
engagement_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
engagement_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('engagement__product_id'),
group__users=user,
role__in=roles)
product_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
product_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'), user=user, role__in=roles)
product_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
product_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'), group__users=user, role__in=roles)
jira_projects = jira_projects.annotate(
engagement__product__prod_type__member=Exists(
engagement_authorized_product_type_roles),
engagement__product__member=Exists(
engagement_authorized_product_roles),
engagement__product__prod_type__authorized_group=Exists(
engagement_authorized_product_type_groups),
engagement__product__authorized_group=Exists(
engagement_authorized_product_groups),
product__prod_type__member=Exists(
product_authorized_product_type_roles),
product__member=Exists(product_authorized_product_roles),
product__prod_type__authorized_group=Exists(
product_authorized_product_type_groups),
product__authorized_group=Exists(product_authorized_product_groups))
jira_projects = jira_projects.filter(
Q(engagement__product__prod_type__member=True)
| Q(engagement__product__member=True)
| Q(engagement__product__prod_type__authorized_group=True)
| Q(engagement__product__authorized_group=True)
| Q(product__prod_type__member=True) | Q(product__member=True)
| Q(product__prod_type__authorized_group=True)
| Q(product__authorized_group=True))
return jira_projects
def has_global_permission(permission):
return user_has_global_permission(crum.get_current_user(),
Permissions[permission])
def test_user_has_global_role_global_permission_success(self):
result = user_has_global_permission(self.user5, Permissions.Product_Type_Add)
self.assertTrue(result)
def test_user_has_global_role_global_permission_no_permission(self):
result = user_has_global_permission(self.user2, Permissions.Product_Type_Add)
self.assertFalse(result)
def get_authorized_dojo_meta(permission):
user = get_current_user()
if user is None:
return DojoMeta.objects.none()
if user.is_superuser:
return DojoMeta.objects.all().order_by('name')
if user_has_global_permission(user, permission):
return DojoMeta.objects.all().order_by('name')
roles = get_roles_for_permission(permission)
product_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('product__prod_type_id'),
user=user,
role__in=roles)
product_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('product_id'),
user=user,
role__in=roles)
product_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('product__prod_type_id'),
group__users=user,
role__in=roles)
product_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('product_id'),
group__users=user,
role__in=roles)
endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
user=user,
role__in=roles)
endpoint_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('endpoint__product_id'),
user=user,
role__in=roles)
endpoint_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('endpoint__product__prod_type_id'),
group__users=user,
role__in=roles)
endpoint_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('endpoint__product_id'),
group__users=user,
role__in=roles)
finding_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('finding__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
user=user,
role__in=roles)
finding_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('finding__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
group__users=user,
role__in=roles)
dojo_meta = DojoMeta.objects.annotate(
product__prod_type__member=Exists(product_authorized_product_type_roles),
product__member=Exists(product_authorized_product_roles),
product__prod_type__authorized_group=Exists(product_authorized_product_type_groups),
product__authorized_group=Exists(product_authorized_product_groups),
endpoint__product__prod_type__member=Exists(endpoint_authorized_product_type_roles),
endpoint__product__member=Exists(endpoint_authorized_product_roles),
endpoint__product__prod_type__authorized_group=Exists(endpoint_authorized_product_type_groups),
endpoint__product__authorized_group=Exists(endpoint_authorized_product_groups),
finding__test__engagement__product__prod_type__member=Exists(finding_authorized_product_type_roles),
finding__test__engagement__product__member=Exists(finding_authorized_product_roles),
finding__test__engagement__product__prod_type__authorized_group=Exists(finding_authorized_product_type_groups),
finding__test__engagement__product__authorized_group=Exists(finding_authorized_product_groups)
).order_by('name')
dojo_meta = dojo_meta.filter(
Q(product__prod_type__member=True) |
Q(product__member=True) |
Q(product__prod_type__authorized_group=True) |
Q(product__authorized_group=True) |
Q(endpoint__product__prod_type__member=True) |
Q(endpoint__product__member=True) |
Q(endpoint__product__prod_type__authorized_group=True) |
Q(endpoint__product__authorized_group=True) |
Q(finding__test__engagement__product__prod_type__member=True) |
Q(finding__test__engagement__product__member=True) |
Q(finding__test__engagement__product__prod_type__authorized_group=True) |
Q(finding__test__engagement__product__authorized_group=True))
return dojo_meta
def check_auto_create_permission(user, product, product_name, engagement,
engagement_name, product_type,
product_type_name, error_message):
"""
For an existing engagement, to be allowed to import a scan, the following must all be True:
- User must have Import_Scan_Result permission for this Engagement
For an existing product, to be allowed to import into a new engagement with name `engagement_name`, the following must all be True:
- Product with name `product_name` must already exist;
- User must have Engagement_Add permission for this Product
- User must have Import_Scan_Result permission for this Product
If the product doesn't exist yet, to be allowed to import into a new product with name `product_name` and prod_type `product_type_name`,
the following must all be True:
- `auto_create_context` must be True
- Product_Type already exists, or the user has the Product_Type_Add permission
- User must have Product_Type_Add_Product permission for the Product_Type, or the user has the Product_Type_Add permission
"""
if not product_name:
raise ValidationError("product_name parameter missing")
if not engagement_name:
raise ValidationError("engagement_name parameter missing")
if engagement:
# existing engagement, nothing special to check
return user_has_permission(user, engagement,
Permissions.Import_Scan_Result)
if product and product_name and engagement_name:
if not user_has_permission(user, product, Permissions.Engagement_Add):
raise PermissionDenied(
"No permission to create engagements in product '%s'",
product_name)
if not user_has_permission(user, product,
Permissions.Import_Scan_Result):
raise PermissionDenied(
"No permission to import scans into product '%s'",
product_name)
# all good
return True
if not product and product_name:
if not product_type_name:
raise serializers.ValidationError(
"Product '%s' doesn't exist and no product_type_name provided to create the new product in"
% product_name)
if not product_type:
if not user_has_global_permission(user,
Permissions.Product_Type_Add):
raise PermissionDenied(
"No permission to create product_type '%s'",
product_type_name)
# new product type can be created with current user as owner, so all objects in it can be created as well
return True
else:
if not user_has_permission(user, product_type,
Permissions.Product_Type_Add_Product):
raise PermissionDenied(
"No permission to create products in product_type '%s'",
product_type)
# product can be created, so objects in it can be created as well
return True
raise ValidationError(error_message)
def has_permission(self, request, view):
if request.method == 'POST':
return user_has_global_permission(request.user,
Permissions.Product_Type_Add)
else:
return True
def get_authorized_jira_issues(permission):
user = get_current_user()
if user is None:
return JIRA_Issue.objects.none()
jira_issues = JIRA_Issue.objects.all()
if user.is_superuser:
return jira_issues
if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
return jira_issues
if user_has_global_permission(user, permission):
return jira_issues
roles = get_roles_for_permission(permission)
engagement_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
user=user,
role__in=roles)
engagement_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('engagement__product_id'), user=user, role__in=roles)
engagement_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef('engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
engagement_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('engagement__product_id'),
group__users=user,
role__in=roles)
finding_group_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef(
'finding_group__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_group_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding_group__test__engagement__product_id'),
user=user,
role__in=roles)
finding_group_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef(
'finding_group__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_group_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding_group__test__engagement__product_id'),
group__users=user,
role__in=roles)
finding_authorized_product_type_roles = Product_Type_Member.objects.filter(
product_type=OuterRef(
'finding__test__engagement__product__prod_type_id'),
user=user,
role__in=roles)
finding_authorized_product_roles = Product_Member.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
user=user,
role__in=roles)
finding_authorized_product_type_groups = Product_Type_Group.objects.filter(
product_type=OuterRef(
'finding__test__engagement__product__prod_type_id'),
group__users=user,
role__in=roles)
finding_authorized_product_groups = Product_Group.objects.filter(
product=OuterRef('finding__test__engagement__product_id'),
group__users=user,
role__in=roles)
jira_issues = jira_issues.annotate(
engagement__product__prod_type__member=Exists(
engagement_authorized_product_type_roles),
engagement__product__member=Exists(
engagement_authorized_product_roles),
engagement__product__prod_type__authorized_group=Exists(
engagement_authorized_product_type_groups),
engagement__product__authorized_group=Exists(
engagement_authorized_product_groups),
finding_group__test__engagement__product__prod_type__member=Exists(
finding_group_authorized_product_type_roles),
finding_group__test__engagement__product__member=Exists(
finding_group_authorized_product_roles),
finding_group__test__engagement__product__prod_type__authorized_group=
Exists(finding_group_authorized_product_type_groups),
finding_group__test__engagement__product__authorized_group=Exists(
finding_group_authorized_product_groups),
finding__test__engagement__product__prod_type__member=Exists(
finding_authorized_product_type_roles),
finding__test__engagement__product__member=Exists(
finding_authorized_product_roles),
finding__test__engagement__product__prod_type__authorized_group=Exists(
finding_authorized_product_type_groups),
finding__test__engagement__product__authorized_group=Exists(
finding_authorized_product_groups))
jira_issues = jira_issues.filter(
Q(engagement__product__prod_type__member=True)
| Q(engagement__product__member=True)
| Q(engagement__product__prod_type__authorized_group=True)
| Q(engagement__product__authorized_group=True)
| Q(finding_group__test__engagement__product__prod_type__member=True)
| Q(finding_group__test__engagement__product__member=True) |
Q(finding_group__test__engagement__product__prod_type__authorized_group
=True)
| Q(finding_group__test__engagement__product__authorized_group=True)
| Q(finding__test__engagement__product__prod_type__member=True)
| Q(finding__test__engagement__product__member=True) |
Q(finding__test__engagement__product__prod_type__authorized_group=True)
| Q(finding__test__engagement__product__authorized_group=True))
return jira_issues
