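def view_edit_risk_acceptance(request, eid, raid, edit_mode=False):
    """Show a risk acceptance of an engagement and process its POST actions.

    The same view renders the read-only page and, when ``edit_mode`` is set,
    the editable one.  A POST carries one or more action markers
    (``decision``, ``entry``, ``delete_note``, ``remove_finding``,
    ``replace_file``, ``add_findings``); every marker present is handled in
    turn and, if none of them produced a form error, the user is redirected
    to the return URL.

    Args:
        request: The current HTTP request.
        eid: Primary key of the engagement the risk acceptance belongs to.
        raid: Primary key of the risk acceptance to display or edit.
        edit_mode: Whether the editable variant of the page is requested.

    Returns:
        A redirect after a successful POST, otherwise the rendered page.

    Raises:
        Http404: If the engagement does not exist or the risk acceptance is
            not attached to that engagement.
        PermissionDenied: If ``edit_mode`` is requested while the product has
            full risk acceptance disabled.
    """
    eng = get_object_or_404(Engagement, pk=eid)
    # Resolve the risk acceptance through the engagement's own relation so a
    # ``raid`` that belongs to a different engagement cannot be reached (and
    # edited) through this engagement's URL.
    risk_acceptance = get_object_or_404(eng.risk_acceptance, pk=raid)

    if edit_mode and not eng.product.enable_full_risk_acceptance:
        raise PermissionDenied()

    if request.method == 'POST' and len(request.FILES) > 0:
        # deleting before instantiating the form otherwise django messes up and we end up with an empty path value
        logger.debug('new proof uploaded')
        risk_acceptance.path.delete()

    accepted_findings = risk_acceptance.accepted_findings.order_by('numerical_severity')
    # Findings of this engagement that are not yet part of the risk acceptance.
    # They are both the choices offered on the page and the only values a POST
    # is allowed to add.
    unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
        .exclude(id__in=accepted_findings).order_by("title")

    # Unbound defaults so the page can always be rendered, including after a
    # POST that failed validation; a bound form replaces the matching default
    # below when its action marker is present.
    risk_acceptance_form = None
    note_form = NoteForm()
    replace_form = ReplaceRiskAcceptanceProofForm(instance=risk_acceptance)
    add_findings_form = AddFindingsRiskAcceptanceForm(instance=risk_acceptance)
    errors = False

    if request.method == 'POST':
        if 'decision' in request.POST:
            old_expiration_date = risk_acceptance.expiration_date
            risk_acceptance_form = EditRiskAcceptanceForm(request.POST, request.FILES, instance=risk_acceptance)
            errors = errors or not risk_acceptance_form.is_valid()
            if not errors:
                logger.debug('path: %s', risk_acceptance_form.cleaned_data['path'])
                risk_acceptance_form.save()
                if risk_acceptance.expiration_date != old_expiration_date:
                    # risk acceptance was changed, check if risk acceptance needs to be reinstated and findings made accepted again
                    ra_helper.reinstate(risk_acceptance, old_expiration_date)
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'Risk Acceptance saved successfully.',
                    extra_tags='alert-success')

        if 'entry' in request.POST:
            note_form = NoteForm(request.POST)
            errors = errors or not note_form.is_valid()
            if not errors:
                new_note = note_form.save(commit=False)
                new_note.author = request.user
                new_note.date = timezone.now()
                new_note.save()
                risk_acceptance.notes.add(new_note)
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'Note added successfully.',
                    extra_tags='alert-success')

        if 'delete_note' in request.POST:
            # Only notes attached to this risk acceptance can be deleted here;
            # a missing or foreign id yields a 404 instead of a KeyError.
            note = get_object_or_404(risk_acceptance.notes, pk=request.POST.get('delete_note_id'))
            if note.author.username == request.user.username:
                risk_acceptance.notes.remove(note)
                note.delete()
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'Note deleted successfully.',
                    extra_tags='alert-success')
            else:
                messages.add_message(
                    request,
                    messages.ERROR,
                    "Since you are not the note's author, it was not deleted.",
                    extra_tags='alert-danger')

        if 'remove_finding' in request.POST:
            # Only findings currently in this risk acceptance can be removed
            # from it, so the helper is never handed an unrelated finding.
            finding = get_object_or_404(accepted_findings, pk=request.POST.get('remove_finding_id'))
            ra_helper.remove_finding_from_risk_acceptance(risk_acceptance, finding)
            messages.add_message(
                request,
                messages.SUCCESS,
                'Finding removed successfully from risk acceptance.',
                extra_tags='alert-success')

        if 'replace_file' in request.POST:
            replace_form = ReplaceRiskAcceptanceProofForm(
                request.POST, request.FILES, instance=risk_acceptance)
            errors = errors or not replace_form.is_valid()
            if not errors:
                replace_form.save()
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'New Proof uploaded successfully.',
                    extra_tags='alert-success')
            else:
                logger.error(replace_form.errors)

        if 'add_findings' in request.POST:
            add_findings_form = AddFindingsRiskAcceptanceForm(
                request.POST, request.FILES, instance=risk_acceptance)
            # The bound form validates against the same choices the page
            # offers, so findings outside this engagement are rejected.
            add_findings_form.fields["accepted_findings"].queryset = unaccepted_findings
            errors = errors or not add_findings_form.is_valid()
            if not errors:
                findings = add_findings_form.cleaned_data['accepted_findings']
                ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings)
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''),
                    extra_tags='alert-success')

        if not errors:
            logger.debug('redirecting to return_url')
            return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid)))
        logger.error('errors found')
    elif edit_mode:
        risk_acceptance_form = EditRiskAcceptanceForm(instance=risk_acceptance)

    fpage = get_page_items(request, accepted_findings, 15)
    add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage')
    # on this page we need to add unaccepted findings as possible findings to add as accepted
    add_findings_form.fields["accepted_findings"].queryset = add_fpage.object_list

    product_tab = Product_Tab(eng.product.id, title="Risk Acceptance", tab="engagements")
    product_tab.setEngagement(eng)

    return render(
        request, 'dojo/view_risk_acceptance.html', {
            'risk_acceptance': risk_acceptance,
            'engagement': eng,
            'product_tab': product_tab,
            'accepted_findings': fpage,
            'notes': risk_acceptance.notes.all(),
            'eng': eng,
            'edit_mode': edit_mode,
            'risk_acceptance_form': risk_acceptance_form,
            'note_form': note_form,
            'replace_form': replace_form,
            'add_findings_form': add_findings_form,
            'request': request,
            'add_findings': add_fpage,
            'return_url': get_return_url(request),
        })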
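def add_risk_acceptance(request, eid, fid=None):
    """Create a new risk acceptance for an engagement.

    On GET the form is shown with the engagement's not-yet-accepted findings
    as choices; when ``fid`` is given that finding is pre-selected and a
    title is suggested.  On POST the risk acceptance is saved, the optional
    note is attached, the selected findings are added through ``ra_helper``
    and the user is redirected to the engagement page.

    Args:
        request: The current HTTP request.
        eid: Primary key of the engagement the risk acceptance is created for.
        fid: Optional primary key of a finding of that engagement to
            pre-select in the form.

    Returns:
        A redirect after a successful POST, otherwise the rendered add page.

    Raises:
        Http404: If the engagement, or the finding within that engagement,
            does not exist.
        PermissionDenied: If the product has full risk acceptance disabled.
    """
    eng = get_object_or_404(Engagement, id=eid)
    finding = None
    if fid:
        # Look the finding up within this engagement only, so a finding id
        # from elsewhere is neither echoed in the suggested title nor
        # pre-selected.
        finding = get_object_or_404(Finding, id=fid, test__engagement=eng)

    if not eng.product.enable_full_risk_acceptance:
        raise PermissionDenied()

    # Findings a risk acceptance of this engagement may cover: non-duplicates
    # of this engagement that are not already accepted.  The same queryset is
    # used for the GET choices and for validating the POST.
    finding_choices = Finding.objects.filter(duplicate=False, test__engagement=eng).filter(NOT_ACCEPTED_FINDINGS_QUERY).order_by('title')

    if request.method == 'POST':
        form = RiskAcceptanceForm(request.POST, request.FILES)
        # Bind the bound form to the same choices the page offered, so a
        # submission cannot accept findings outside this engagement.
        form.fields['accepted_findings'].queryset = finding_choices
        if form.is_valid():
            # first capture notes param as it cannot be saved directly as m2m
            notes = None
            if form.cleaned_data['notes']:
                notes = Notes(
                    entry=form.cleaned_data['notes'],
                    author=request.user,
                    date=timezone.now())
                notes.save()
            del form.cleaned_data['notes']

            try:
                # we sometimes see a weird exception here, but are unable to reproduce.
                # we add some logging in case it happens
                risk_acceptance = form.save()
            except Exception as e:
                logger.debug(vars(request.POST))
                logger.error(vars(form))
                logger.exception(e)
                raise

            # attach note to risk acceptance object now in database
            if notes:
                risk_acceptance.notes.add(notes)

            eng.risk_acceptance.add(risk_acceptance)

            findings = form.cleaned_data['accepted_findings']
            risk_acceptance = ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings)

            messages.add_message(
                request,
                messages.SUCCESS,
                'Risk acceptance saved.',
                extra_tags='alert-success')

            return redirect_to_return_url_or_else(request, reverse('view_engagement', args=(eid, )))
    else:
        initial = {'owner': request.user}
        # Only suggest a title when a finding was given; without one the
        # suggestion would read "Accept: None".
        if finding is not None:
            initial['name'] = 'Accept: %s' % finding
        form = RiskAcceptanceForm(initial=initial)

    form.fields['accepted_findings'].queryset = finding_choices
    if fid:
        form.fields['accepted_findings'].initial = {fid}

    product_tab = Product_Tab(eng.product.id, title="Risk Acceptance", tab="engagements")
    product_tab.setEngagement(eng)

    return render(request, 'dojo/add_risk_acceptance.html', {
                  'eng': eng,
                  'product_tab': product_tab,
                  'form': form
                  })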