def has_permission(self, request, view):
    """Gate list-level access to the group endpoint by HTTP verb.

    GET requires the ``auth.view_group`` configuration permission and POST
    requires ``auth.add_group``; every other verb passes this check and is
    left to the object-level permission check (presumably
    ``has_object_permission`` on the same class — confirm in the enclosing
    class). The ``'staff'`` argument selects the legacy fallback used when
    configuration authorization is not enabled.
    """
    required = {
        'GET': 'auth.view_group',
        'POST': 'auth.add_group',
    }.get(request.method)
    if required is None:
        # Not gated at the list level for other verbs.
        return True
    return user_has_configuration_permission(request.user, required, 'staff')
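def edit_questionnaire_questions(request, sid):
    """Edit the question set of an Engagement_Survey.

    Access requires either the ``dojo.add_engagement_survey`` or the
    ``dojo.change_engagement_survey`` configuration permission (legacy
    fallback: staff); otherwise ``PermissionDenied`` is raised. On a valid
    POST the survey is saved and every Answered_Survey bound to it is reset
    to ``completed=False`` / ``answered_on=None`` so that it has to be
    answered again; the user is told about the reset. An invalid form is
    re-rendered with an error message.

    Args:
        request: the Django request.
        sid: primary key of the Engagement_Survey to edit.

    Returns:
        A redirect to ``questionnaire`` after a successful save, or the
        rendered edit page otherwise.

    Raises:
        PermissionDenied: when the user holds neither permission.
        Http404: when no survey with ``sid`` exists.
    """
    survey = get_object_or_404(Engagement_Survey, id=sid)
    may_add = user_has_configuration_permission(request.user, 'dojo.add_engagement_survey', 'staff')
    may_change = user_has_configuration_permission(request.user, 'dojo.change_engagement_survey', 'staff')
    if not (may_add or may_change):
        raise PermissionDenied()

    answered_surveys = Answered_Survey.objects.filter(survey=survey)
    reverted = False
    form = EditQuestionnaireQuestionsForm(instance=survey)

    if request.method == 'POST':
        form = EditQuestionnaireQuestionsForm(request.POST, instance=survey)
        if form.is_valid():
            form.save()
            # Changing the questions invalidates existing answers; save() per
            # instance is kept (rather than a bulk update) so model-level
            # hooks still run.
            for answered_survey in answered_surveys:
                answered_survey.completed = False
                answered_survey.answered_on = None
                answered_survey.save()
                reverted = True

            if reverted:
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'Answered questionnaires associated with this survey have been set to uncompleted.',
                    extra_tags='alert-warning')

            messages.add_message(request,
                                 messages.SUCCESS,
                                 'Questionnaire questions successfully saved.',
                                 extra_tags='alert-success')
            return HttpResponseRedirect(reverse('questionnaire'))
        else:
            # Fix: an ERROR-level message was tagged 'alert-success', which
            # styled the failure as a success banner.
            messages.add_message(
                request,
                messages.ERROR,
                'Questionnaire questions not saved, please correct any errors displayed below.',
                extra_tags='alert-danger')

    add_breadcrumb(title="Update Questionnaire Questions", top_level=False, request=request)
    return render(request, 'defectDojo-engagement-survey/edit_survey_questions.html', {
        "survey": survey,
        "form": form,
        "name": "Update Survey Questions",
    })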
def dashboard(request: HttpRequest) -> HttpResponse:
    """Render the main dashboard for the current user.

    Only engagements and findings the user is authorized to view are
    counted (duplicates excluded). The finding/mitigated/accepted counts
    cover the last seven days; severity breakdowns and the 26-week punchcard
    are delegated to helpers. Unassigned answered surveys are included only
    when the user holds ``dojo.view_engagement_survey`` (legacy fallback:
    staff) and are limited to surveys with no engagement or with an
    engagement the user may view. Superusers are warned while the legacy
    staff-based configuration authorization is still in use.
    """
    engagements = get_authorized_engagements(Permissions.Engagement_View).distinct()
    findings = get_authorized_findings(Permissions.Finding_View).distinct().filter(duplicate=False)
    engagement_count = engagements.filter(active=True).count()

    today = timezone.now().date()
    # Seven calendar days: six previous days plus today.
    window = [today - timedelta(days=6), today]

    def _count_in_window(**lookup):
        return findings.filter(**lookup).count()

    finding_count = _count_in_window(created__date__range=window)
    mitigated_count = _count_in_window(mitigated__date__range=window)
    accepted_count = _count_in_window(risk_acceptance__created__date__range=window)

    severity_count_all = get_severities_all(findings)
    severity_count_by_month = get_severities_by_month(findings, today)
    punchcard, ticks = get_punchcard_data(findings, today - relativedelta(weeks=26), 26)

    unassigned_surveys = None
    if user_has_configuration_permission(request.user, 'dojo.view_engagement_survey', 'staff'):
        # Surveys are scoped to engagements the user is authorized for so the
        # dashboard does not leak answers from other engagements.
        unassigned_surveys = Answered_Survey.objects \
            .filter(assignee_id__isnull=True, completed__gt=0) \
            .filter(Q(engagement__isnull=True) | Q(engagement__in=engagements))

    if request.user.is_superuser and not settings.FEATURE_CONFIGURATION_AUTHORIZATION:
        message = '''Legacy authorization for changing configurations based on staff users will be removed with version 2.12.0 / 5. July 2022. 
If you have set `FEATURE_CONFIGURATION_AUTHORIZATION` to `False` in your local configuration, remove this local setting and start using the new authorization.'''
        messages.add_message(request, messages.WARNING, message, extra_tags='alert-warning')

    add_breadcrumb(request=request, clear=True)

    context = {
        'engagement_count': engagement_count,
        'finding_count': finding_count,
        'mitigated_count': mitigated_count,
        'accepted_count': accepted_count,
        'critical': severity_count_all['Critical'],
        'high': severity_count_all['High'],
        'medium': severity_count_all['Medium'],
        'low': severity_count_all['Low'],
        'info': severity_count_all['Info'],
        'by_month': severity_count_by_month,
        'punchcard': punchcard,
        'ticks': ticks,
        'surveys': unassigned_surveys,
    }
    return render(request, 'dojo/dashboard.html', context)
def has_object_permission(self, request, view, obj):
    """Object-level permission check for a single group.

    For GET the user must hold the ``auth.view_group`` configuration
    permission (legacy fallback: staff) *and* ``Permissions.Group_View`` on
    this specific group — membership matters because group details expose
    user information that may be confidential. All other verbs are resolved
    by ``check_object_permission`` against the view/edit/delete permissions.
    """
    if request.method != 'GET':
        return check_object_permission(request, obj,
                                       Permissions.Group_View,
                                       Permissions.Group_Edit,
                                       Permissions.Group_Delete)
    # Short-circuits: the per-object check runs only when the general
    # configuration permission is present.
    can_view_groups = user_has_configuration_permission(request.user, 'auth.view_group', 'staff')
    return can_view_groups and user_has_permission(request.user, obj, Permissions.Group_View)
def dashboard(request: HttpRequest) -> HttpResponse:
    """Render the main dashboard for the current user.

    Only engagements and findings the user is authorized to view are
    counted (duplicates excluded). The finding/mitigated/accepted counts
    cover the last seven days; severity breakdowns and the 26-week punchcard
    are delegated to helpers. Unassigned answered surveys are included only
    when the user holds ``dojo.view_engagement_survey`` (legacy fallback:
    staff) and are limited to surveys with no engagement or with an
    engagement the user may view.
    """
    engagements = get_authorized_engagements(Permissions.Engagement_View).distinct()
    findings = get_authorized_findings(Permissions.Finding_View).distinct().filter(duplicate=False)
    engagement_count = engagements.filter(active=True).count()

    today = timezone.now().date()
    # Seven calendar days: six previous days plus today.
    window = [today - timedelta(days=6), today]

    def _count_in_window(**lookup):
        return findings.filter(**lookup).count()

    finding_count = _count_in_window(created__date__range=window)
    mitigated_count = _count_in_window(mitigated__date__range=window)
    accepted_count = _count_in_window(risk_acceptance__created__date__range=window)

    severity_count_all = get_severities_all(findings)
    severity_count_by_month = get_severities_by_month(findings, today)
    punchcard, ticks = get_punchcard_data(findings, today - relativedelta(weeks=26), 26)

    unassigned_surveys = None
    if user_has_configuration_permission(request.user, 'dojo.view_engagement_survey', 'staff'):
        # Surveys are scoped to engagements the user is authorized for so the
        # dashboard does not leak answers from other engagements.
        unassigned_surveys = Answered_Survey.objects \
            .filter(assignee_id__isnull=True, completed__gt=0) \
            .filter(Q(engagement__isnull=True) | Q(engagement__in=engagements))

    add_breadcrumb(request=request, clear=True)

    context = {
        'engagement_count': engagement_count,
        'finding_count': finding_count,
        'mitigated_count': mitigated_count,
        'accepted_count': accepted_count,
        'critical': severity_count_all['Critical'],
        'high': severity_count_all['High'],
        'medium': severity_count_all['Medium'],
        'low': severity_count_all['Low'],
        'info': severity_count_all['Info'],
        'by_month': severity_count_by_month,
        'punchcard': punchcard,
        'ticks': ticks,
        'surveys': unassigned_surveys,
    }
    return render(request, 'dojo/dashboard.html', context)
def _wrapped(request, *args, **kwargs):
    """Decorator body: run ``func`` only if the user holds ``permission``.

    ``permission``, ``legacy`` and ``func`` come from the enclosing
    decorator scope (outside this block). Denied requests raise
    ``PermissionDenied`` before the view runs, so the view body never sees
    an unauthorized request.
    """
    allowed = user_has_configuration_permission(request.user, permission, legacy)
    if allowed:
        return func(request, *args, **kwargs)
    raise PermissionDenied
def test_configuration_permission_false(self, mock):
    """A denied permission lookup yields False and is queried by name."""
    mock.return_value = False
    result = user_has_configuration_permission(self.user, 'test', 'test')
    self.assertFalse(result)
    mock.assert_called_with('test')
def test_configuration_permission_legacy_exception(self):
    """An unknown legacy mode is rejected rather than silently allowed."""
    expected = 'test is not allowed for parameter legacy'
    with self.assertRaisesMessage(Exception, expected):
        user_has_configuration_permission(self.user, None, 'test')
def test_configuration_permission_legacy_superuser(self):
    """Legacy mode 'superuser' grants a superuser with no explicit permission."""
    user = self.user
    user.is_superuser = True
    granted = user_has_configuration_permission(user, None, 'superuser')
    self.assertTrue(granted)
    # Restore the shared fixture for the following tests.
    user.is_superuser = False
def test_configuration_permission_legacy_staff(self):
    """Legacy mode 'staff' grants a staff user with no explicit permission."""
    user = self.user
    user.is_staff = True
    granted = user_has_configuration_permission(user, None, 'staff')
    self.assertTrue(granted)
    # Restore the shared fixture for the following tests.
    user.is_staff = False