def check_import_product_permission(user, product, product_name, product_type, product_type_name, auto_create_context): if not product and product_name: if not auto_create_context: if product_type_name: raise serializers.ValidationError( "Product '%s' doesn't exist in product type '%s'" % (product_name, product_type_name)) else: raise serializers.ValidationError( "Product '%s' doesn't exist" % product_name) if not product_type_name: raise serializers.ValidationError( "Product '%s' doesn't exist and no product_type_name provided to create the new product in" % product_name) if not product_type: if not user_has_global_permission(user, Permissions.Product_Type_Add): raise PermissionDenied( 'No permission to create product_type %s', product_type_name) # new product type can be created with current user as owner, so all objects in it can be created as well return True if not user_has_permission(user, product_type, Permissions.Product_Type_Add_Product): raise PermissionDenied( 'No permission to create products in product_type %s', product_type) # product can be created, so objects in it can be created as well return True
def get_authorized_product_types(permission): user = get_current_user() if user is None: return Product_Type.objects.none() if user.is_superuser: return Product_Type.objects.all().order_by('name') if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product_Type.objects.all().order_by('name') if user_has_global_permission(user, permission): return Product_Type.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_roles = Product_Type_Member.objects.filter( product_type=OuterRef('pk'), user=user, role__in=roles) authorized_groups = Product_Type_Group.objects.filter( product_type=OuterRef('pk'), group__users=user, role__in=roles) product_types = Product_Type.objects.annotate( member=Exists(authorized_roles), authorized_group=Exists(authorized_groups)).order_by('name') product_types = product_types.filter( Q(member=True) | Q(authorized_group=True)) return product_types
def get_authorized_finding_groups(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Finding_Group.objects.none() if queryset is None: finding_groups = Finding_Group.objects.all() else: finding_groups = queryset if user.is_superuser: return finding_groups if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return finding_groups if user_has_global_permission(user, permission): return finding_groups roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('test__engagement__product_id'), group__users=user, role__in=roles) finding_groups = finding_groups.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles), test__engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), test__engagement__product__authorized_group=Exists( authorized_product_groups)) finding_groups = finding_groups.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True) | Q(test__engagement__product__prod_type__authorized_group=True) | Q(test__engagement__product__authorized_group=True)) return finding_groups
def get_authorized_tests(permission, product=None): user = get_current_user() if user is None: return Test.objects.none() tests = Test.objects.all() if product: tests = tests.filter(engagement__product=product) if user.is_superuser: return tests if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Test.objects.all() if user_has_global_permission(user, permission): return Test.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('engagement__product_id'), group__users=user, role__in=roles) tests = tests.annotate( engagement__product__prod_type__member=Exists( authorized_product_type_roles), engagement__product__member=Exists(authorized_product_roles), engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), engagement__product__authorized_group=Exists( authorized_product_groups)) tests = tests.filter( Q(engagement__product__prod_type__member=True) | Q(engagement__product__member=True) | Q(engagement__product__prod_type__authorized_group=True) | Q(engagement__product__authorized_group=True)) return tests
def get_authorized_product_members(permission): user = get_current_user() if user is None: return Product_Member.objects.none() if user.is_superuser: return Product_Member.objects.all().select_related('role') if user_has_global_permission(user, permission): return Product_Member.objects.all().select_related('role') products = get_authorized_products(permission) return Product_Member.objects.filter(product__in=products).select_related('role')
def get_authorized_endpoint_status(permission, queryset=None, user=None): if user is None: user = get_current_user() if user is None: return Endpoint_Status.objects.none() if queryset is None: endpoint_status = Endpoint_Status.objects.all() else: endpoint_status = queryset if user.is_superuser: return endpoint_status if user_has_global_permission(user, permission): return endpoint_status roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('endpoint__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('endpoint__product_id'), group__users=user, role__in=roles) endpoint_status = endpoint_status.annotate( endpoint__product__prod_type__member=Exists( authorized_product_type_roles), endpoint__product__member=Exists(authorized_product_roles), endpoint__product__prod_type__authorized_group=Exists( authorized_product_type_groups), endpoint__product__authorized_group=Exists(authorized_product_groups)) endpoint_status = endpoint_status.filter( Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True) | Q(endpoint__product__prod_type__authorized_group=True) | Q(endpoint__product__authorized_group=True)) return endpoint_status
def get_authorized_product_type_members(permission): user = get_current_user() if user is None: return Product_Type_Member.objects.none() if user.is_superuser: return Product_Type_Member.objects.all().select_related('role') if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product_Type_Member.objects.all().select_related('role') if user_has_global_permission(user, permission): return Product_Type_Member.objects.all().select_related('role') product_types = get_authorized_product_types(permission) return Product_Type_Member.objects.filter( product_type__in=product_types).select_related('role')
def get_authorized_cred_mappings(permission, queryset=None): user = get_current_user() if user is None: return Cred_Mapping.objects.none() if queryset is None: cred_mappings = Cred_Mapping.objects.all() else: cred_mappings = queryset if user.is_superuser: return cred_mappings if user_has_global_permission(user, permission): return cred_mappings roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) cred_mappings = cred_mappings.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists(authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) cred_mappings = cred_mappings.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return cred_mappings
def get_authorized_stub_findings(permission): user = get_current_user() if user is None: return Stub_Finding.objects.none() if user.is_superuser: return Stub_Finding.objects.all() if user_has_global_permission(user, permission): return Stub_Finding.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('test__engagement__product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('test__engagement__product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('test__engagement__product_id'), group__users=user, role__in=roles) findings = Stub_Finding.objects.annotate( test__engagement__product__prod_type__member=Exists( authorized_product_type_roles), test__engagement__product__member=Exists(authorized_product_roles), test__engagement__product__prod_type__authorized_group=Exists( authorized_product_type_groups), test__engagement__product__authorized_group=Exists( authorized_product_groups)) findings = findings.filter( Q(test__engagement__product__prod_type__member=True) | Q(test__engagement__product__member=True) | Q(test__engagement__product__prod_type__authorized_group=True) | Q(test__engagement__product__authorized_group=True)) return findings
def get_authorized_engagement_presets(permission): user = get_current_user() if user is None: return Engagement_Presets.objects.none() if user.is_superuser: return Engagement_Presets.objects.all().order_by('title') if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Engagement_Presets.objects.all().order_by('title') if user_has_global_permission(user, permission): return Engagement_Presets.objects.all().order_by('title') roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) engagement_presets = Engagement_Presets.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)).order_by( 'title') engagement_presets = engagement_presets.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return engagement_presets
def get_authorized_products(permission, user=None): if user is None: user = get_current_user() if user is None: return Product.objects.none() if user.is_superuser: return Product.objects.all().order_by('name') if user_has_global_permission(user, permission): return Product.objects.all().order_by('name') roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('pk'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('pk'), group__users=user, role__in=roles) products = Product.objects.annotate( prod_type__member=Exists(authorized_product_type_roles), member=Exists(authorized_product_roles), prod_type__authorized_group=Exists(authorized_product_type_groups), authorized_group=Exists(authorized_product_groups)).order_by('name') products = products.filter( Q(prod_type__member=True) | Q(member=True) | Q(prod_type__authorized_group=True) | Q(authorized_group=True)) return products
def get_authorized_product_api_scan_configurations(permission): user = get_current_user() if user is None: return Product_API_Scan_Configuration.objects.none() if user.is_superuser: return Product_API_Scan_Configuration.objects.all() if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return Product_API_Scan_Configuration.objects.all() if user_has_global_permission(user, permission): return Product_API_Scan_Configuration.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) product_api_scan_configurations = Product_API_Scan_Configuration.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) product_api_scan_configurations = product_api_scan_configurations.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return product_api_scan_configurations
def get_authorized_tool_product_settings(permission): user = get_current_user() if user is None: return Tool_Product_Settings.objects.none() if user.is_superuser: return Tool_Product_Settings.objects.all() if user_has_global_permission(user, permission): return Tool_Product_Settings.objects.all() roles = get_roles_for_permission(permission) authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) tool_product_settings = Tool_Product_Settings.objects.annotate( product__prod_type__member=Exists(authorized_product_type_roles), product__member=Exists(authorized_product_roles), product__prod_type__authorized_group=Exists( authorized_product_type_groups), product__authorized_group=Exists(authorized_product_groups)) tool_product_settings = tool_product_settings.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return tool_product_settings
def get_authorized_jira_projects(permission, user=None): if user is None: user = get_current_user() if user is None: return JIRA_Project.objects.none() jira_projects = JIRA_Project.objects.all() if user.is_superuser: return jira_projects if user_has_global_permission(user, permission): return jira_projects roles = get_roles_for_permission(permission) engagement_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), user=user, role__in=roles) engagement_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('engagement__product_id'), user=user, role__in=roles) engagement_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), group__users=user, role__in=roles) engagement_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('engagement__product_id'), group__users=user, role__in=roles) product_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) product_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) product_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) product_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) jira_projects = jira_projects.annotate( engagement__product__prod_type__member=Exists( engagement_authorized_product_type_roles), engagement__product__member=Exists( engagement_authorized_product_roles), engagement__product__prod_type__authorized_group=Exists( engagement_authorized_product_type_groups), engagement__product__authorized_group=Exists( engagement_authorized_product_groups), product__prod_type__member=Exists( product_authorized_product_type_roles), product__member=Exists(product_authorized_product_roles), product__prod_type__authorized_group=Exists( product_authorized_product_type_groups), product__authorized_group=Exists(product_authorized_product_groups)) jira_projects = jira_projects.filter( Q(engagement__product__prod_type__member=True) | Q(engagement__product__member=True) | Q(engagement__product__prod_type__authorized_group=True) | Q(engagement__product__authorized_group=True) | Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True)) return jira_projects
def has_global_permission(permission): return user_has_global_permission(crum.get_current_user(), Permissions[permission])
def test_user_has_global_role_global_permission_success(self): result = user_has_global_permission(self.user5, Permissions.Product_Type_Add) self.assertTrue(result)
def test_user_has_global_role_global_permission_no_permission(self): result = user_has_global_permission(self.user2, Permissions.Product_Type_Add) self.assertFalse(result)
def get_authorized_dojo_meta(permission): user = get_current_user() if user is None: return DojoMeta.objects.none() if user.is_superuser: return DojoMeta.objects.all().order_by('name') if user_has_global_permission(user, permission): return DojoMeta.objects.all().order_by('name') roles = get_roles_for_permission(permission) product_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('product__prod_type_id'), user=user, role__in=roles) product_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('product_id'), user=user, role__in=roles) product_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('product__prod_type_id'), group__users=user, role__in=roles) product_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('product_id'), group__users=user, role__in=roles) endpoint_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), user=user, role__in=roles) endpoint_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('endpoint__product_id'), user=user, role__in=roles) endpoint_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('endpoint__product__prod_type_id'), group__users=user, role__in=roles) endpoint_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('endpoint__product_id'), group__users=user, role__in=roles) finding_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('finding__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding__test__engagement__product_id'), user=user, role__in=roles) finding_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('finding__test__engagement__product__prod_type_id'), group__users=user, role__in=roles) finding_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('finding__test__engagement__product_id'), group__users=user, role__in=roles) dojo_meta = DojoMeta.objects.annotate( product__prod_type__member=Exists(product_authorized_product_type_roles), product__member=Exists(product_authorized_product_roles), product__prod_type__authorized_group=Exists(product_authorized_product_type_groups), product__authorized_group=Exists(product_authorized_product_groups), endpoint__product__prod_type__member=Exists(endpoint_authorized_product_type_roles), endpoint__product__member=Exists(endpoint_authorized_product_roles), endpoint__product__prod_type__authorized_group=Exists(endpoint_authorized_product_type_groups), endpoint__product__authorized_group=Exists(endpoint_authorized_product_groups), finding__test__engagement__product__prod_type__member=Exists(finding_authorized_product_type_roles), finding__test__engagement__product__member=Exists(finding_authorized_product_roles), finding__test__engagement__product__prod_type__authorized_group=Exists(finding_authorized_product_type_groups), finding__test__engagement__product__authorized_group=Exists(finding_authorized_product_groups) ).order_by('name') dojo_meta = dojo_meta.filter( Q(product__prod_type__member=True) | Q(product__member=True) | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True) | Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True) | Q(endpoint__product__prod_type__authorized_group=True) | Q(endpoint__product__authorized_group=True) | Q(finding__test__engagement__product__prod_type__member=True) | Q(finding__test__engagement__product__member=True) | Q(finding__test__engagement__product__prod_type__authorized_group=True) | Q(finding__test__engagement__product__authorized_group=True)) return dojo_meta
def check_auto_create_permission(user, product, product_name, engagement, engagement_name, product_type, product_type_name, error_message): """ For an existing engagement, to be allowed to import a scan, the following must all be True: - User must have Import_Scan_Result permission for this Engagement For an existing product, to be allowed to import into a new engagement with name `engagement_name`, the following must all be True: - Product with name `product_name` must already exist; - User must have Engagement_Add permission for this Product - User must have Import_Scan_Result permission for this Product If the product doesn't exist yet, to be allowed to import into a new product with name `product_name` and prod_type `product_type_name`, the following must all be True: - `auto_create_context` must be True - Product_Type already exists, or the user has the Product_Type_Add permission - User must have Product_Type_Add_Product permission for the Product_Type, or the user has the Product_Type_Add permission """ if not product_name: raise ValidationError("product_name parameter missing") if not engagement_name: raise ValidationError("engagement_name parameter missing") if engagement: # existing engagement, nothing special to check return user_has_permission(user, engagement, Permissions.Import_Scan_Result) if product and product_name and engagement_name: if not user_has_permission(user, product, Permissions.Engagement_Add): raise PermissionDenied( "No permission to create engagements in product '%s'", product_name) if not user_has_permission(user, product, Permissions.Import_Scan_Result): raise PermissionDenied( "No permission to import scans into product '%s'", product_name) # all good return True if not product and product_name: if not product_type_name: raise serializers.ValidationError( "Product '%s' doesn't exist and no product_type_name provided to create the new product in" % product_name) if not product_type: if not user_has_global_permission(user, Permissions.Product_Type_Add): raise PermissionDenied( "No permission to create product_type '%s'", product_type_name) # new product type can be created with current user as owner, so all objects in it can be created as well return True else: if not user_has_permission(user, product_type, Permissions.Product_Type_Add_Product): raise PermissionDenied( "No permission to create products in product_type '%s'", product_type) # product can be created, so objects in it can be created as well return True raise ValidationError(error_message)
def has_permission(self, request, view): if request.method == 'POST': return user_has_global_permission(request.user, Permissions.Product_Type_Add) else: return True
def get_authorized_jira_issues(permission): user = get_current_user() if user is None: return JIRA_Issue.objects.none() jira_issues = JIRA_Issue.objects.all() if user.is_superuser: return jira_issues if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE: return jira_issues if user_has_global_permission(user, permission): return jira_issues roles = get_roles_for_permission(permission) engagement_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), user=user, role__in=roles) engagement_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('engagement__product_id'), user=user, role__in=roles) engagement_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef('engagement__product__prod_type_id'), group__users=user, role__in=roles) engagement_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('engagement__product_id'), group__users=user, role__in=roles) finding_group_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef( 'finding_group__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_group_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding_group__test__engagement__product_id'), user=user, role__in=roles) finding_group_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef( 'finding_group__test__engagement__product__prod_type_id'), group__users=user, role__in=roles) finding_group_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('finding_group__test__engagement__product_id'), group__users=user, role__in=roles) finding_authorized_product_type_roles = Product_Type_Member.objects.filter( product_type=OuterRef( 'finding__test__engagement__product__prod_type_id'), user=user, role__in=roles) finding_authorized_product_roles = Product_Member.objects.filter( product=OuterRef('finding__test__engagement__product_id'), user=user, role__in=roles) finding_authorized_product_type_groups = Product_Type_Group.objects.filter( product_type=OuterRef( 'finding__test__engagement__product__prod_type_id'), group__users=user, role__in=roles) finding_authorized_product_groups = Product_Group.objects.filter( product=OuterRef('finding__test__engagement__product_id'), group__users=user, role__in=roles) jira_issues = jira_issues.annotate( engagement__product__prod_type__member=Exists( engagement_authorized_product_type_roles), engagement__product__member=Exists( engagement_authorized_product_roles), engagement__product__prod_type__authorized_group=Exists( engagement_authorized_product_type_groups), engagement__product__authorized_group=Exists( engagement_authorized_product_groups), finding_group__test__engagement__product__prod_type__member=Exists( finding_group_authorized_product_type_roles), finding_group__test__engagement__product__member=Exists( finding_group_authorized_product_roles), finding_group__test__engagement__product__prod_type__authorized_group= Exists(finding_group_authorized_product_type_groups), finding_group__test__engagement__product__authorized_group=Exists( finding_group_authorized_product_groups), finding__test__engagement__product__prod_type__member=Exists( finding_authorized_product_type_roles), finding__test__engagement__product__member=Exists( finding_authorized_product_roles), finding__test__engagement__product__prod_type__authorized_group=Exists( finding_authorized_product_type_groups), finding__test__engagement__product__authorized_group=Exists( finding_authorized_product_groups)) jira_issues = jira_issues.filter( Q(engagement__product__prod_type__member=True) | Q(engagement__product__member=True) | Q(engagement__product__prod_type__authorized_group=True) | Q(engagement__product__authorized_group=True) | Q(finding_group__test__engagement__product__prod_type__member=True) | Q(finding_group__test__engagement__product__member=True) | Q(finding_group__test__engagement__product__prod_type__authorized_group =True) | Q(finding_group__test__engagement__product__authorized_group=True) | Q(finding__test__engagement__product__prod_type__member=True) | Q(finding__test__engagement__product__member=True) | Q(finding__test__engagement__product__prod_type__authorized_group=True) | Q(finding__test__engagement__product__authorized_group=True)) return jira_issues