 def has_permission(self, request, view):
     """View-level permission gate for the group API endpoints.

     GET requires the ``auth.view_group`` configuration permission and
     POST requires ``auth.add_group``; both fall back to the legacy
     ``'staff'`` rule.  Every other HTTP method is allowed through here.
     NOTE(review): that is fail-open at the view level, so PUT/PATCH/DELETE
     must be guarded by the per-object ``has_object_permission`` check —
     confirm that before relying on it.
     """
     required_permission = {
         'GET': 'auth.view_group',
         'POST': 'auth.add_group',
     }.get(request.method)
     if required_permission is None:
         return True
     return user_has_configuration_permission(request.user, required_permission, 'staff')
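def edit_questionnaire_questions(request, sid):
    """Edit the question set of an existing questionnaire (``Engagement_Survey``).

    Args:
        request: The current ``HttpRequest``; a ``POST`` submits the
            ``EditQuestionnaireQuestionsForm``.
        sid: Primary key of the ``Engagement_Survey`` to edit.

    Returns:
        A redirect to the ``questionnaire`` view after a successful save,
        otherwise the rendered edit page (with form errors on a bad POST).

    Raises:
        PermissionDenied: If the user holds neither the
            ``dojo.add_engagement_survey`` nor the
            ``dojo.change_engagement_survey`` configuration permission
            (legacy fallback: staff).
        Http404: If no survey with ``sid`` exists.  This is only checked
            once the caller is authorized, so an unauthorized caller cannot
            tell valid ids from invalid ones.
    """
    # Authorize before touching the database: looking the survey up first
    # would answer 404 vs. 403 and let unauthorized users enumerate ids.
    if not (user_has_configuration_permission(request.user, 'dojo.add_engagement_survey', 'staff')
            or user_has_configuration_permission(request.user, 'dojo.change_engagement_survey', 'staff')):
        raise PermissionDenied()

    survey = get_object_or_404(Engagement_Survey, id=sid)
    answered_surveys = Answered_Survey.objects.filter(survey=survey)
    reverted = False

    form = EditQuestionnaireQuestionsForm(instance=survey)

    if request.method == 'POST':
        form = EditQuestionnaireQuestionsForm(request.POST, instance=survey)

        if form.is_valid():
            form.save()
            # Changing the questions invalidates every answer set already
            # collected for this survey, so mark them all incomplete again.
            for answered_survey in answered_surveys:
                answered_survey.completed = False
                answered_survey.answered_on = None
                answered_survey.save()
                reverted = True

            if reverted:
                messages.add_message(
                    request,
                    messages.SUCCESS,
                    'Answered questionnaires associated with this survey have been set to uncompleted.',
                    extra_tags='alert-warning')
            messages.add_message(request,
                                 messages.SUCCESS,
                                 'Questionnaire questions successfully saved.',
                                 extra_tags='alert-success')
            return HttpResponseRedirect(reverse('questionnaire'))
        else:
            # An ERROR message was previously tagged 'alert-success', which
            # rendered the failure in the success style; use the error style.
            messages.add_message(
                request,
                messages.ERROR,
                'Questionnaire questions not saved, please correct any errors displayed below.',
                extra_tags='alert-danger')
    add_breadcrumb(title="Update Questionnaire Questions",
                   top_level=False,
                   request=request)
    return render(request,
                  'defectDojo-engagement-survey/edit_survey_questions.html', {
                      "survey": survey,
                      "form": form,
                      "name": "Update Survey Questions",
                  })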
def dashboard(request: HttpRequest) -> HttpResponse:
    """Render the landing dashboard for the current user.

    Only engagements and findings the user is authorized to view
    (``Permissions.Engagement_View`` / ``Permissions.Finding_View``) feed
    the counters, so the page never aggregates data the user could not
    open directly; duplicate findings are excluded.  The context passed to
    ``dojo/dashboard.html`` holds the active-engagement count, counts of
    findings created / mitigated / risk-accepted in the last seven days
    (today inclusive), severity totals, a per-month severity breakdown and
    a 26-week punchcard.

    Unassigned, completed questionnaires are listed only for users holding
    the ``dojo.view_engagement_survey`` configuration permission (legacy
    fallback: staff), and only those tied to an authorized engagement or to
    no engagement at all.  Superusers still running the legacy staff-based
    configuration authorization are shown a deprecation warning.
    """
    authorized_engagements = get_authorized_engagements(Permissions.Engagement_View).distinct()
    visible_findings = get_authorized_findings(Permissions.Finding_View).distinct().filter(duplicate=False)

    active_engagement_count = authorized_engagements.filter(active=True).count()

    today = timezone.now().date()
    # Seven-day window: the previous six days plus today.
    last_week = [today - timedelta(days=6), today]

    def count_in_last_week(date_lookup):
        return visible_findings.filter(**{date_lookup: last_week}).count()

    created_last_week = count_in_last_week('created__date__range')
    mitigated_last_week = count_in_last_week('mitigated__date__range')
    accepted_last_week = count_in_last_week('risk_acceptance__created__date__range')

    severity_totals = get_severities_all(visible_findings)
    severity_per_month = get_severities_by_month(visible_findings, today)
    punchcard, ticks = get_punchcard_data(visible_findings, today - relativedelta(weeks=26), 26)

    unassigned_surveys = None
    if user_has_configuration_permission(request.user, 'dojo.view_engagement_survey', 'staff'):
        # Restrict to surveys on engagements the user may see (or on none),
        # so the widget does not expose questionnaires from other products.
        unassigned_surveys = Answered_Survey.objects \
            .filter(assignee_id__isnull=True, completed__gt=0) \
            .filter(Q(engagement__isnull=True) | Q(engagement__in=authorized_engagements))

    if request.user.is_superuser and not settings.FEATURE_CONFIGURATION_AUTHORIZATION:
        message = '''Legacy authorization for changing configurations based on staff users will be
                     removed with version 2.12.0 / 5. July 2022. If you have set
                     `FEATURE_CONFIGURATION_AUTHORIZATION` to `False` in your local configuration,
                     remove this local setting and start using the new authorization.'''
        messages.add_message(request, messages.WARNING, message, extra_tags='alert-warning')

    add_breadcrumb(request=request, clear=True)
    context = {
        'engagement_count': active_engagement_count,
        'finding_count': created_last_week,
        'mitigated_count': mitigated_last_week,
        'accepted_count': accepted_last_week,
        'critical': severity_totals['Critical'],
        'high': severity_totals['High'],
        'medium': severity_totals['Medium'],
        'low': severity_totals['Low'],
        'info': severity_totals['Info'],
        'by_month': severity_per_month,
        'punchcard': punchcard,
        'ticks': ticks,
        'surveys': unassigned_surveys,
    }
    return render(request, 'dojo/dashboard.html', context)
 def has_object_permission(self, request, view, obj):
     """Object-level permission for a single group.

     For GET the caller must hold the ``auth.view_group`` configuration
     permission (legacy fallback: staff) *and* ``Permissions.Group_View``
     on this particular group: group membership exposes user details that
     may be confidential, so being allowed to see groups in general is not
     enough to see any group.  For every other method the decision is
     delegated to ``check_object_permission`` with the group view, edit
     and delete permissions.
     """
     if request.method != 'GET':
         return check_object_permission(request, obj,
                                        Permissions.Group_View,
                                        Permissions.Group_Edit,
                                        Permissions.Group_Delete)
     may_view_groups = user_has_configuration_permission(request.user, 'auth.view_group', 'staff')
     return may_view_groups and user_has_permission(request.user, obj, Permissions.Group_View)
def dashboard(request: HttpRequest) -> HttpResponse:
    """Render the landing dashboard for the current user.

    Only engagements and findings the user is authorized to view
    (``Permissions.Engagement_View`` / ``Permissions.Finding_View``) feed
    the counters, so the page never aggregates data the user could not
    open directly; duplicate findings are excluded.  The context passed to
    ``dojo/dashboard.html`` holds the active-engagement count, counts of
    findings created / mitigated / risk-accepted in the last seven days
    (today inclusive), severity totals, a per-month severity breakdown and
    a 26-week punchcard.  Unassigned, completed questionnaires are listed
    only for users holding the ``dojo.view_engagement_survey``
    configuration permission (legacy fallback: staff), and only those tied
    to an authorized engagement or to no engagement at all.
    """
    engagements = get_authorized_engagements(Permissions.Engagement_View).distinct()
    findings = get_authorized_findings(Permissions.Finding_View).distinct()
    # Duplicates would inflate every counter below.
    findings = findings.filter(duplicate=False)

    engagement_count = engagements.filter(active=True).count()

    today = timezone.now().date()
    week = [today - timedelta(days=6), today]  # the last 7 days, today included

    # Each counter is the number of findings whose date field fell in the window.
    weekly_counts = {}
    for key, date_lookup in (('finding_count', 'created__date__range'),
                             ('mitigated_count', 'mitigated__date__range'),
                             ('accepted_count', 'risk_acceptance__created__date__range')):
        weekly_counts[key] = findings.filter(**{date_lookup: week}).count()

    severity_totals = get_severities_all(findings)
    severity_per_month = get_severities_by_month(findings, today)
    punchcard, ticks = get_punchcard_data(findings, today - relativedelta(weeks=26), 26)

    if not user_has_configuration_permission(request.user, 'dojo.view_engagement_survey', 'staff'):
        unassigned_surveys = None
    else:
        # Only surveys on engagements the user may see, or on none, so the
        # widget cannot expose questionnaires from other products.
        scope = Q(engagement__isnull=True) | Q(engagement__in=engagements)
        unassigned_surveys = Answered_Survey.objects \
            .filter(assignee_id__isnull=True, completed__gt=0) \
            .filter(scope)

    add_breadcrumb(request=request, clear=True)
    return render(request, 'dojo/dashboard.html', {
        'engagement_count': engagement_count,
        **weekly_counts,
        'critical': severity_totals['Critical'],
        'high': severity_totals['High'],
        'medium': severity_totals['Medium'],
        'low': severity_totals['Low'],
        'info': severity_totals['Info'],
        'by_month': severity_per_month,
        'punchcard': punchcard,
        'ticks': ticks,
        'surveys': unassigned_surveys,
    })
    def _wrapped(request, *args, **kwargs):
        """Invoke ``func`` only if ``request.user`` holds ``permission``.

        ``func``, ``permission`` and ``legacy`` are bound by the enclosing
        decorator; ``legacy`` is passed straight through to
        ``user_has_configuration_permission`` (presumably the fallback rule
        such as ``'staff'`` used when configuration authorization is not
        enabled — confirm in that helper).

        Raises:
            PermissionDenied: If the permission check fails.
        """
        allowed = user_has_configuration_permission(request.user, permission, legacy)
        if allowed:
            return func(request, *args, **kwargs)
        raise PermissionDenied
 def test_configuration_permission_false(self, mock):
     """A denied permission lookup is reported as ``False``.

     ``mock`` stands in for the user's permission check; the function must
     query it with the bare permission name and pass its verdict through.
     """
     mock.return_value = False
     verdict = user_has_configuration_permission(self.user, 'test', 'test')
     self.assertFalse(verdict)
     mock.assert_called_with('test')
 def test_configuration_permission_legacy_exception(self):
     """An unsupported ``legacy`` value is rejected with a descriptive exception."""
     expected_message = 'test is not allowed for parameter legacy'
     with self.assertRaisesMessage(Exception, expected_message):
         user_has_configuration_permission(self.user, None, 'test')
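 def test_configuration_permission_legacy_superuser(self):
     """Legacy mode ``'superuser'`` grants access to a superuser.

     ``self.user`` is shared with the other tests, so the flag is restored
     in a ``finally`` block: previously the reset ran only after the
     assertion, leaving ``is_superuser`` set if the assertion failed and
     contaminating the tests that follow.
     """
     self.user.is_superuser = True
     try:
         self.assertTrue(
             user_has_configuration_permission(self.user, None, 'superuser'))
     finally:
         self.user.is_superuser = False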
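 def test_configuration_permission_legacy_staff(self):
     """Legacy mode ``'staff'`` grants access to a staff user.

     ``self.user`` is shared with the other tests, so the flag is restored
     in a ``finally`` block: previously the reset ran only after the
     assertion, leaving ``is_staff`` set if the assertion failed and
     contaminating the tests that follow.
     """
     self.user.is_staff = True
     try:
         self.assertTrue(
             user_has_configuration_permission(self.user, None, 'staff'))
     finally:
         self.user.is_staff = False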