def modify_permissions(backend, uid, user=None, social=None, *args, **kwargs):
if kwargs.get('is_new'):
system_settings = System_Settings.objects.get()
if system_settings.default_group is not None and system_settings.default_group_role is not None:
dojo_group_member = Dojo_Group_Member(
group=system_settings.default_group,
user=user,
role=system_settings.default_group_role)
dojo_group_member.save()
if system_settings.staff_user_email_pattern is not None and \
re.fullmatch(system_settings.staff_user_email_pattern, user.email) is not None:
user.is_staff = True
else:
user.is_staff = False
if settings.GITLAB_PROJECT_AUTO_IMPORT is True and not settings.FEATURE_AUTHORIZATION_V2:
# Add engagement creation permission if auto_import is set
user.user_permissions.set([
Permission.objects.get(
codename='add_engagement',
content_type=ContentType.objects.get_for_model(
Engagement)),
Permission.objects.get(
codename='add_test',
content_type=ContentType.objects.get_for_model(Test)),
Permission.objects.get(
codename='change_test',
content_type=ContentType.objects.get_for_model(Test))
])
def test_user_post_save_with_template(self, mock_notifications,
mock_member, mock_settings):
user = Dojo_User()
user.id = 1
group = Dojo_Group()
group.id = 1
template = Mock(Notifications(template=False, user=user))
role = Role.objects.get(id=Roles.Reader)
system_settings_group = System_Settings()
system_settings_group.default_group = group
system_settings_group.default_group_role = role
mock_settings.get.return_value = system_settings_group
save_mock_member = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock_member
mock_notifications.objects.get.return_value = template
user_post_save(None, user, True)
mock_member.assert_called_with(group=group, user=user, role=role)
save_mock_member.save.assert_called_once()
mock_notifications.objects.get.assert_called_with(template=True)
template.save.assert_called_once()
def test_user_post_save_without_template(self, mock_notifications,
mock_member, mock_settings):
user = Dojo_User()
user.id = 1
group = Dojo_Group()
group.id = 1
role = Role.objects.get(id=Roles.Reader)
system_settings_group = System_Settings()
system_settings_group.default_group = group
system_settings_group.default_group_role = role
mock_settings.get.return_value = system_settings_group
save_mock_member = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock_member
save_mock_notifications = Mock(return_value=Notifications())
mock_notifications.return_value = save_mock_notifications
mock_notifications.objects.get.side_effect = Exception(
"Mock no templates")
user_post_save(None, user, True)
mock_member.assert_called_with(group=group, user=user, role=role)
save_mock_member.save.assert_called_once()
mock_notifications.assert_called_with(user=user)
save_mock_notifications.save.assert_called_once()
def test_user_post_save_email_pattern_does_not_match(
self, mock_notifications, mock_member, mock_settings):
user = Dojo_User()
user.id = 1
user.email = '*****@*****.**'
group = Dojo_Group()
group.id = 1
role = Role.objects.get(id=Roles.Reader)
system_settings_group = System_Settings()
system_settings_group.default_group = group
system_settings_group.default_group_role = role
system_settings_group.default_group_email_pattern = '.*@example.com'
save_mock_notifications = Mock(return_value=Notifications())
mock_notifications.return_value = save_mock_notifications
mock_notifications.objects.get.side_effect = Exception(
"Mock no templates")
mock_settings.get.return_value = system_settings_group
save_mock_member = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock_member
user_post_save(None, user, True)
mock_member.assert_not_called()
save_mock_member.save.assert_not_called()
def add_group_member(request, uid):
user = get_object_or_404(Dojo_User, id=uid)
memberform = Add_Group_Member_UserForm(initial={'user': user.id})
if request.method == 'POST':
memberform = Add_Group_Member_UserForm(request.POST,
initial={'user': user.id})
if memberform.is_valid():
if 'groups' in memberform.cleaned_data and len(
memberform.cleaned_data['groups']) > 0:
for group in memberform.cleaned_data['groups']:
existing_groups = Dojo_Group_Member.objects.filter(
user=user, group=group)
if existing_groups.count() == 0:
group_member = Dojo_Group_Member()
group_member.group = group
group_member.user = user
group_member.role = memberform.cleaned_data['role']
group_member.save()
messages.add_message(request,
messages.SUCCESS,
'Groups added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_user', args=(uid, )))
add_breadcrumb(title="Add Group Member", top_level=False, request=request)
return render(request, 'dojo/new_group_member_user.html', {
'user': user,
'form': memberform
})
def add_group(request):
form = DojoGroupForm
group = None
if request.method == 'POST':
form = DojoGroupForm(request.POST)
if form.is_valid():
group = form.save(commit=False)
group.save()
member = Dojo_Group_Member()
member.user = request.user
member.group = group
member.role = Role.objects.get(is_owner=True)
member.save()
messages.add_message(request,
messages.SUCCESS,
'Group was added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_group', args=(group.id, )))
else:
messages.add_message(request,
messages.ERROR,
'Group was not added successfully.',
extra_tags='alert-danger')
add_breadcrumb(title="Add Group", top_level=False, request=request)
return render(request, "dojo/add_group.html", {'form': form})
def test_modify_permissions_default_group(self, mock_member,
mock_settings):
mock_settings.get.return_value = self.system_settings_group
save_mock = Mock(return_value=Dojo_Group_Member())
mock_member.return_value = save_mock
modify_permissions(backend=None, uid=None, user=self.user, is_new=True)
mock_member.assert_called_with(group=self.group,
user=self.user,
role=self.role)
save_mock.save.assert_called_once()
def add_group(request):
form = DojoGroupForm
global_role_form = GlobalRoleForm()
group = None
if request.method == 'POST':
form = DojoGroupForm(request.POST)
global_role_form = GlobalRoleForm(request.POST)
if form.is_valid() and global_role_form.is_valid():
if global_role_form.cleaned_data[
'role'] is not None and not request.user.is_superuser:
messages.add_message(
request,
messages.ERROR,
'Only superusers are allowed to set global role.',
extra_tags='alert-warning')
else:
group = form.save(commit=False)
group.save()
global_role = global_role_form.save(commit=False)
global_role.group = group
global_role.save()
member = Dojo_Group_Member()
member.user = request.user
member.group = group
member.role = Role.objects.get(is_owner=True)
member.save()
messages.add_message(request,
messages.SUCCESS,
'Group was added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_group', args=(group.id, )))
else:
messages.add_message(request,
messages.ERROR,
'Group was not added successfully.',
extra_tags='alert-danger')
add_breadcrumb(title="Add Group", top_level=False, request=request)
return render(request, "dojo/add_group.html", {
'form': form,
'global_role_form': global_role_form,
})
def group_post_save_handler(sender, **kwargs):
created = kwargs.pop('created')
group = kwargs.pop('instance')
if created:
# Create authentication group
auth_group = Group(name=get_auth_group_name(group))
auth_group.save()
group.auth_group = auth_group
group.save()
user = get_current_user()
if user:
# Add the current user as the owner of the group
member = Dojo_Group_Member()
member.user = user
member.group = group
member.role = Role.objects.get(is_owner=True)
member.save()
# Add user to authentication group as well
auth_group.user_set.add(user)
def add_group_member(request, gid):
group = get_object_or_404(Dojo_Group, id=gid)
groupform = Add_Group_MemberForm(initial={'group': group.id})
if request.method == 'POST':
groupform = Add_Group_MemberForm(request.POST,
initial={'group': group.id})
if groupform.is_valid():
if groupform.cleaned_data[
'role'].is_owner and not user_has_permission(
request.user, group, Permissions.Group_Add_Owner):
messages.add_message(
request,
messages.WARNING,
'You are not permitted to add users as owners.',
extra_tags='alert-warning')
else:
if 'users' in groupform.cleaned_data and len(
groupform.cleaned_data['users']) > 0:
for user in groupform.cleaned_data['users']:
existing_users = Dojo_Group_Member.objects.filter(
group=group, user=user)
if existing_users.count() == 0:
group_member = Dojo_Group_Member()
group_member.group = group
group_member.user = user
group_member.role = groupform.cleaned_data['role']
group_member.save()
messages.add_message(
request,
messages.SUCCESS,
'Group members added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_group',
args=(gid, )))
add_breadcrumb(title="Add Group Member", top_level=False, request=request)
return render(request, 'dojo/new_group_member.html', {
'group': group,
'form': groupform
})
def setUpTestData(cls):
cls.user = Dojo_User()
cls.user.id = 1
cls.user2 = Dojo_User()
cls.user2.id = 2
cls.global_role_user = Global_Role()
cls.global_role_user.id = 1
cls.global_role_user.user = cls.user2
cls.global_role_user.role = Role.objects.get(id=Roles.Reader)
cls.product_type = Product_Type()
cls.product_type.id = 1
cls.product_type_member = Product_Type_Member()
cls.product_type_member.id = 1
cls.product = Product()
cls.product.id = 1
cls.product_member = Product_Member()
cls.product_member.id = 1
cls.product.prod_type = cls.product_type
cls.engagement = Engagement()
cls.engagement.product = cls.product
cls.test = Test()
cls.test.engagement = cls.engagement
cls.finding = Finding()
cls.finding.test = cls.test
cls.stub_finding = Stub_Finding()
cls.stub_finding.test = cls.test
cls.endpoint = Endpoint()
cls.endpoint.product = cls.product
cls.technology = App_Analysis()
cls.technology.product = cls.product
cls.language = Languages()
cls.language.product = cls.product
cls.product_type_member_reader = Product_Type_Member()
cls.product_type_member_reader.user = cls.user
cls.product_type_member_reader.product_type = cls.product_type
cls.product_type_member_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_type_member_owner = Product_Type_Member()
cls.product_type_member_owner.user = cls.user
cls.product_type_member_owner.product_type = cls.product_type
cls.product_type_member_owner.role = Role.objects.get(id=Roles.Owner)
cls.product_member_reader = Product_Member()
cls.product_member_reader.user = cls.user
cls.product_member_reader.product = cls.product
cls.product_member_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_member_owner = Product_Member()
cls.product_member_owner.user = cls.user
cls.product_member_owner.product = cls.product
cls.product_member_owner.role = Role.objects.get(id=Roles.Owner)
cls.group = Dojo_Group()
cls.group.id = 1
cls.product_group_reader = Product_Group()
cls.product_group_reader.id = 1
cls.product_group_reader.product = cls.product
cls.product_group_reader.group = cls.group
cls.product_group_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_group_owner = Product_Group()
cls.product_group_owner.id = 2
cls.product_group_owner.product = cls.product
cls.product_group_owner.group = cls.group
cls.product_group_owner.role = Role.objects.get(id=Roles.Owner)
cls.product_type_group_reader = Product_Type_Group()
cls.product_type_group_reader.id = 1
cls.product_type_group_reader.product_type = cls.product_type
cls.product_type_group_reader.group = cls.group
cls.product_type_group_reader.role = Role.objects.get(id=Roles.Reader)
cls.product_type_group_owner = Product_Type_Group()
cls.product_type_group_owner.id = 2
cls.product_type_group_owner.product_type = cls.product_type
cls.product_type_group_owner.group = cls.group
cls.product_type_group_owner.role = Role.objects.get(id=Roles.Owner)
cls.group2 = Dojo_Group()
cls.group2.id = 2
cls.global_role_group = Global_Role()
cls.global_role_group.id = 2
cls.global_role_group.group = cls.group2
cls.global_role_group.role = Role.objects.get(id=Roles.Maintainer)
cls.user3 = Dojo_User()
cls.user3.id = 3
cls.global_role_user = Global_Role()
cls.global_role_user.id = 3
cls.global_role_user.user = cls.user3
cls.global_role_user.role = None
cls.group3 = Dojo_Group()
cls.group3.id = 3
cls.user4 = Dojo_User()
cls.user4.id = 4
cls.group_member = Dojo_Group_Member()
cls.group_member.id = 1
cls.group_member.group = cls.group3
cls.group_member.user = cls.user4
cls.group_member.role = Role.objects.get(id=Roles.Writer)
cls.user5 = Dojo_User()
cls.user5.id = 5
cls.global_role_user = Global_Role()
cls.global_role_user.id = 5
cls.global_role_user.user = cls.user5
cls.global_role_user.role = Role.objects.get(id=Roles.Owner)
def handle(self, *args, **options):
# If group already exists, then the migration has been running before
group_name = 'Staff users'
groups = Dojo_Group.objects.filter(name=group_name).count()
if groups > 0:
sys.exit(f'Group {group_name} already exists, migration aborted')
# The superuser with the lowest id will be set as the owner of the group
users = Dojo_User.objects.filter(is_superuser=True).order_by('id')
if len(users) == 0:
sys.exit('No superuser found, migration aborted')
user = users[0]
group = Dojo_Group(name=group_name, description='Migrated staff users')
group.save()
owner_role = Role.objects.get(is_owner=True)
owner = Dojo_Group_Member(
user=user,
group=group,
role=owner_role,
)
owner.save()
# All staff users are made to members of the group
reader_role = Role.objects.get(name='Reader')
staff_users = Dojo_User.objects.filter(is_staff=True)
for staff_user in staff_users:
if staff_user != owner.user:
member = Dojo_Group_Member(
user=staff_user,
group=group,
role=reader_role,
)
member.save()
# If AUTHORIZATION_STAFF_OVERRIDE is True, then the group is made a global owner
if settings.AUTHORIZATION_STAFF_OVERRIDE:
global_role = Global_Role(group=group, role=owner_role)
global_role.save()
permissions_list = Permission.objects.all()
permissions = {}
for permission in permissions_list:
permissions[permission.codename] = permission
# Set the same configuration permissions, staff users had in previous releases
auth_group = group.auth_group
if not auth_group:
sys.exit('Group has no auth_group, migration aborted')
auth_group.permissions.add(permissions['view_group'])
auth_group.permissions.add(permissions['add_group'])
auth_group.permissions.add(permissions['view_development_environment'])
auth_group.permissions.add(permissions['add_development_environment'])
auth_group.permissions.add(
permissions['change_development_environment'])
auth_group.permissions.add(
permissions['delete_development_environment'])
auth_group.permissions.add(permissions['view_finding_template'])
auth_group.permissions.add(permissions['add_finding_template'])
auth_group.permissions.add(permissions['change_finding_template'])
auth_group.permissions.add(permissions['delete_finding_template'])
auth_group.permissions.add(permissions['view_engagement_survey'])
auth_group.permissions.add(permissions['add_engagement_survey'])
auth_group.permissions.add(permissions['change_engagement_survey'])
auth_group.permissions.add(permissions['delete_engagement_survey'])
auth_group.permissions.add(permissions['view_question'])
auth_group.permissions.add(permissions['add_question'])
auth_group.permissions.add(permissions['change_question'])
auth_group.permissions.add(permissions['delete_question'])
auth_group.permissions.add(permissions['view_test_type'])
auth_group.permissions.add(permissions['add_test_type'])
auth_group.permissions.add(permissions['change_test_type'])
auth_group.permissions.add(permissions['delete_test_type'])
auth_group.permissions.add(permissions['view_user'])
auth_group.permissions.add(permissions['add_product_type'])
logger.info(f'Migrated {len(staff_users)} staff users')