def view_edit_risk_acceptance(request, eid, raid, edit_mode=False):
risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if edit_mode and not eng.product.enable_full_risk_acceptance:
raise PermissionDenied()
risk_acceptance_form = None
errors = False
if request.method == 'POST':
# deleting before instantiating the form otherwise django messes up and we end up with an empty path value
if len(request.FILES) > 0:
logger.debug('new proof uploaded')
risk_acceptance.path.delete()
if 'decision' in request.POST:
old_expiration_date = risk_acceptance.expiration_date
risk_acceptance_form = EditRiskAcceptanceForm(request.POST, request.FILES, instance=risk_acceptance)
errors = errors or not risk_acceptance_form.is_valid()
if not errors:
logger.debug('path: %s', risk_acceptance_form.cleaned_data['path'])
risk_acceptance_form.save()
if risk_acceptance.expiration_date != old_expiration_date:
# risk acceptance was changed, check if risk acceptance needs to be reinstated and findings made accepted again
ra_helper.reinstate(risk_acceptance, old_expiration_date)
messages.add_message(
request,
messages.SUCCESS,
'Risk Acceptance saved successfully.',
extra_tags='alert-success')
if 'entry' in request.POST:
note_form = NoteForm(request.POST)
errors = errors or not note_form.is_valid()
if not errors:
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
risk_acceptance.notes.add(new_note)
messages.add_message(
request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_acceptance.notes.remove(note)
note.delete()
messages.add_message(
request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(
Finding, pk=request.POST['remove_finding_id'])
ra_helper.remove_finding_from_risk_acceptance(risk_acceptance, finding)
messages.add_message(
request,
messages.SUCCESS,
'Finding removed successfully from risk acceptance.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceProofForm(
request.POST, request.FILES, instance=risk_acceptance)
errors = errors or not replace_form.is_valid()
if not errors:
replace_form.save()
messages.add_message(
request,
messages.SUCCESS,
'New Proof uploaded successfully.',
extra_tags='alert-success')
else:
logger.error(replace_form.errors)
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_acceptance)
errors = errors or not add_findings_form.is_valid()
if not errors:
findings = add_findings_form.cleaned_data['accepted_findings']
ra_helper.add_findings_to_risk_acceptance(risk_acceptance, findings)
messages.add_message(
request,
messages.SUCCESS,
'Finding%s added successfully.' % ('s' if len(findings) > 1
else ''),
extra_tags='alert-success')
if not errors:
logger.debug('redirecting to return_url')
return redirect_to_return_url_or_else(request, reverse("view_risk_acceptance", args=(eid, raid)))
else:
logger.error('errors found')
else:
if edit_mode:
risk_acceptance_form = EditRiskAcceptanceForm(instance=risk_acceptance)
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceProofForm(instance=risk_acceptance)
add_findings_form = AddFindingsRiskAcceptanceForm(instance=risk_acceptance)
accepted_findings = risk_acceptance.accepted_findings.order_by('numerical_severity')
fpage = get_page_items(request, accepted_findings, 15)
unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=accepted_findings).order_by("title")
add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage')
# on this page we need to add unaccepted findings as possible findings to add as accepted
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
product_tab = Product_Tab(eng.product.id, title="Risk Acceptance", tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/view_risk_acceptance.html', {
'risk_acceptance': risk_acceptance,
'engagement': eng,
'product_tab': product_tab,
'accepted_findings': fpage,
'notes': risk_acceptance.notes.all(),
'eng': eng,
'edit_mode': edit_mode,
'risk_acceptance_form': risk_acceptance_form,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
# 'show_add_findings_form': len(unaccepted_findings),
'request': request,
'add_findings': add_fpage,
'return_url': get_return_url(request),
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if request.user.is_staff or check_auth_users_list(request.user, eng):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data['accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'Finding%s added successfully.' %
('s' if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
accepted_findings = risk_approval.accepted_findings.order_by(
'numerical_severity')
fpage = get_page_items(request, accepted_findings, 15)
unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=accepted_findings).order_by("title")
add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage')
# on this page we need to add unaccepted findings as possible findings to add as accepted
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
authorized = (request.user == risk_approval.owner.username
or request.user.is_staff)
product_tab = Product_Tab(eng.product.id,
title="Risk Exception",
tab="engagements")
product_tab.setEngagement(eng)
return render(
request,
'dojo/view_risk.html',
{
'risk_approval': risk_approval,
'product_tab': product_tab,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
# 'show_add_findings_form': len(unaccepted_findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if (request.user.is_staff
or request.user in eng.product.authorized_users.all()):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data['accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'Finding%s added successfully.' %
('s' if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
exclude_findings = [
finding.id for ra in eng.risk_acceptance.all()
for finding in ra.accepted_findings.all()
]
findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=exclude_findings).order_by("title")
add_fpage = get_page_items(request, findings, 10, 'apage')
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
fpage = get_page_items(
request,
risk_approval.accepted_findings.order_by('numerical_severity'), 15)
authorized = (request.user == risk_approval.reporter.username
or request.user.is_staff)
add_breadcrumb(parent=risk_approval, top_level=False, request=request)
return render(
request, 'dojo/view_risk.html', {
'risk_approval': risk_approval,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
'show_add_findings_form': len(findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if (request.user.is_staff or
request.user in eng.product.authorized_users.all()):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = datetime.now(tz=localtz)
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(
request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST,
request.FILES,
instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data[
'accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(
request,
messages.SUCCESS,
'Finding%s added successfully.' % ('s'
if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
exclude_findings = [finding.id for ra in eng.risk_acceptance.all()
for finding in ra.accepted_findings.all()]
findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=exclude_findings).order_by("title")
add_fpage = get_page_items(request, findings, 10, 'apage')
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
fpage = get_page_items(request, risk_approval.accepted_findings.order_by(
'numerical_severity'), 15)
authorized = (request.user == risk_approval.reporter.username
or request.user.is_staff)
add_breadcrumb(parent=risk_approval, top_level=False, request=request)
return render(request, 'dojo/view_risk.html',
{'risk_approval': risk_approval,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
'show_add_findings_form': len(findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
