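def vuln_review(vcdb_id, vuln_id):
    """Render the review page for a proposal and handle reviewer actions.

    ``vcdb_id`` identifies the currently published entry (if any) and
    ``vuln_id`` the proposal being reviewed.  On POST the ``review_response``
    form field selects one of assign / unassign / approve / reject / publish.
    Each action is only taken when its own form validates (CSRF included) and
    the matching ``ensure`` permission check on the proposal passes; every
    successful action commits and redirects back to this page.  On GET, or
    when no action matched, the review template is rendered with all forms.
    """
    vulnerability_details = get_vulnerability_details(vcdb_id, simplify_id=False)
    vuln = vulnerability_details.get_or_create_vulnerability()
    proposal_vulnerability_details = get_vulnerability_details(
        None, vuln_id=vuln_id, simplify_id=False
    )
    proposal_vuln = proposal_vulnerability_details.get_or_create_vulnerability()
    # Even viewing the review page requires READ on the proposal.
    ensure(READ, proposal_vuln)

    form_reject = VulnerabilityProposalReject()
    form_approve = VulnerabilityProposalApprove()
    form_assign = VulnerabilityProposalAssign()
    form_unassign = VulnerabilityProposalUnassign()
    form_publish = VulnerabilityProposalPublish()

    if request.method == "POST":
        # A submission without this field is malformed; the KeyError raised
        # here is turned into a 400 by Flask, which is what we want.
        review_response = request.form["review_response"]

        if review_response == "assign" and form_assign.validate_on_submit():
            ensure(ASSIGN, proposal_vuln)
            if proposal_vuln.is_reviewable:
                proposal_vuln.accept_review(g.user)
                db.session.add(proposal_vuln)
                db.session.commit()
                flash("The review was successfully assigned to you.", "success")
                return redirect(request.url)
            flash_error("This entry is not in a reviewable state.")

        if review_response == "unassign" and form_unassign.validate_on_submit():
            # Unassigning reuses the ASSIGN permission; the extra is_reviewer
            # check keeps a reviewer from dropping somebody else's assignment.
            ensure(ASSIGN, proposal_vuln)
            if proposal_vuln.is_reviewer(g.user):
                proposal_vuln.deny_review()
                db.session.add(proposal_vuln)
                db.session.commit()
                flash(
                    "You successfully unassigned yourself from this review.",
                    "success",
                )
                return redirect(request.url)
            flash_error("This entry is not assigned to you.")

        if review_response == "approve" and form_approve.validate_on_submit():
            ensure(APPROVE, proposal_vuln)
            proposal_vuln.accept_change()
            db.session.add(proposal_vuln)
            db.session.commit()
            flash(
                "You approved the proposal. "
                "Waiting for the entry to be published by an admin.",
                "success",
            )
            return redirect(request.url)

        if review_response == "reject" and form_reject.validate_on_submit():
            ensure(REJECT, proposal_vuln)
            proposal_vuln.deny_change(g.user, form_reject.data["review_feedback"])
            db.session.add(proposal_vuln)
            db.session.commit()
            flash("Waiting for the author to address your feedback.", "success")
            return redirect(request.url)

        if review_response == "publish" and form_publish.validate_on_submit():
            # NOTE(review): every other action passes a permission constant,
            # this one passes the string "PUBLISH" -- confirm ensure() treats
            # both the same, otherwise align it with the others.
            ensure("PUBLISH", proposal_vuln)
            proposal_vuln.publish_change()
            db.session.add(proposal_vuln)
            # The first entry of its kind has no predecessor to archive.
            if vuln.state:
                vuln.archive_entry()
                db.session.add(vuln)
            # Single commit: publishing the proposal and archiving the
            # previous entry must not be split by a failure in between,
            # otherwise two live entries could coexist.
            db.session.commit()
            flash("Entry was successfully published.", "success")
            return redirect(request.url)

    # TODO: published entries can't be reviewed; redirect to the published
    # entry ("/" + str(vcdb_id)) once the view state is available here.
    return render_template(
        "vulnerability/review/review.html",
        proposal_vulnerability_details=proposal_vulnerability_details,
        vulnerability_details=vulnerability_details,
        form_assign=form_assign,
        form_unassign=form_unassign,
        form_reject=form_reject,
        form_approve=form_approve,
        form_publish=form_publish,
    )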
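def vuln_review(vcdb_id, vuln_id):
    """Render the review page for a proposal and handle reviewer actions.

    ``vcdb_id`` identifies the currently published entry and ``vuln_id`` the
    proposal being reviewed.  On POST the ``review_response`` form field
    selects one of assign / approve / reject / publish; each action runs only
    when its own form validates and the matching ``ensure`` permission check
    on the proposal passes, then commits and redirects back to this page.
    On GET, or when no action matched, the review template is rendered.
    """
    vulnerability_details = _get_vulnerability_details(vcdb_id, simplify_id=False)
    vuln = vulnerability_details.get_or_create_vulnerability()
    proposal_vulnerability_details = _get_vulnerability_details(
        None, vuln_id=vuln_id, simplify_id=False
    )
    proposal_vuln = proposal_vulnerability_details.get_or_create_vulnerability()

    form_reject = VulnerabilityProposalReject()
    form_approve = VulnerabilityProposalApprove()
    form_assign = VulnerabilityProposalAssign()
    form_publish = VulnerabilityProposalPublish()

    if request.method == 'POST':
        # TODO: Add proper ACL changes to all actions here.
        # A submission without this field is malformed; the KeyError raised
        # here becomes a 400 in Flask.
        review_response = request.form["review_response"]

        if review_response == "assign" and form_assign.validate_on_submit():
            ensure('ASSIGN', proposal_vuln)
            if proposal_vuln.is_reviewable():
                proposal_vuln.accept_review(g.user)
                db.session.add(proposal_vuln)
                db.session.commit()
                flash("The review was successfully assigned to you.", "success")
                return redirect(request.url)
            flash_error("This entry is not in a reviewable state.")

        if review_response == "approve" and form_approve.validate_on_submit():
            # Was misspelled 'APRROVE': a permission name that matches nothing
            # either blocks every approval or, worse, skips the check entirely
            # depending on how ensure() handles unknown names.
            ensure('APPROVE', proposal_vuln)
            proposal_vuln.accept_change()
            db.session.add(proposal_vuln)
            db.session.commit()
            flash(
                "You approved the proposal. "
                "Waiting for the entry to be published by an admin.",
                "success",
            )
            return redirect(request.url)

        if review_response == "reject" and form_reject.validate_on_submit():
            ensure('REJECT', proposal_vuln)
            proposal_vuln.deny_change(form_reject.data["review_feedback"])
            db.session.add(proposal_vuln)
            db.session.commit()
            flash("Waiting for the author to address your feedback.", "success")
            return redirect(request.url)

        if review_response == "publish" and form_publish.validate_on_submit():
            ensure('PUBLISH', proposal_vuln)
            proposal_vuln.publish_change()
            db.session.add(proposal_vuln)
            # Publish and archive in one transaction so a failure cannot
            # leave both the old and the new entry live.
            vuln.archive_entry()
            db.session.add(vuln)
            db.session.commit()
            flash("Entry was successfully published.", "success")
            return redirect(request.url)

    # TODO: published entries can't be reviewed; redirect to the published
    # entry ("/" + str(vcdb_id)) once the view state is checked here.
    return render_template(
        "vulnerability/review.html",
        proposal_vulnerability_details=proposal_vulnerability_details,
        vulnerability_details=vulnerability_details,
        form_assign=form_assign,
        form_reject=form_reject,
        form_approve=form_approve,
        form_publish=form_publish,
    )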