def test_user_has_permission_test_no_permissions(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.product_member_reader] result = user_has_permission(self.user, self.test, Permissions.Test_Edit) self.assertFalse(result) mock_foo.filter.assert_called_with(user=self.user)
def test_user_has_permission_test_success(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.product_member_owner] result = user_has_permission(self.user, self.test, Permissions.Test_Delete) self.assertTrue(result) mock_foo.filter.assert_called_with(user=self.user)
def test_user_has_permission_staff_override(self): self.user.is_staff = True result = user_has_permission(self.user, self.product_type, Permissions.Product_Type_Delete) self.assertTrue(result) self.user.is_staff = False
def test_user_has_permission_superuser(self): self.user.is_superuser = True result = user_has_permission(self.user, self.product_type, Permissions.Product_Type_Delete) self.assertTrue(result) self.user.is_superuser = False
def test_user_in_group_with_global_role_success(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.group2] result = user_has_permission(self.user3, self.product, Permissions.Product_Edit) self.assertTrue(result) mock_foo.filter.assert_called_with(users=self.user3)
def test_user_has_permission_endpoint_success(self, mock_get): mock_get.return_value = self.product_member_owner result = user_has_permission(self.user, self.endpoint, Permissions.Endpoint_Delete) self.assertTrue(result) self.assertEqual(mock_get.call_args[1]['user'], self.user) self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_user_has_permission_endpoint_no_permissions(self, mock_get): mock_get.return_value = self.product_member_reader result = user_has_permission(self.user, self.endpoint, Permissions.Endpoint_Edit) self.assertFalse(result) self.assertEqual(mock_get.call_args[1]['user'], self.user) self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_dojo_group_member_success(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.group_member] result = user_has_permission(self.user4, self.group_member, Permissions.Group_View) self.assertTrue(result) mock_foo.filter.assert_called_with(user=self.user4)
def test_dojo_group_member_no_permission(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.group_member] result = user_has_permission(self.user4, self.group_member, Permissions.Group_Manage_Members) self.assertFalse(result) mock_foo.filter.assert_called_with(user=self.user4)
def check_post_permission(request, post_model, post_pk, post_permission): if request.method == 'POST': if request.data.get(post_pk) is None: raise ParseError( 'Unable to check for permissions: Attribute \'{}\' is required' .format(post_pk)) object = get_object_or_404(post_model, pk=request.data.get(post_pk)) return user_has_permission(request.user, object, post_permission) else: return True
def test_user_has_permission_product_type_success(self, mock_get): mock_get.return_value = self.product_type_member_owner result = user_has_permission(self.user, self.product_type, Permissions.Product_Type_Delete) self.assertTrue(result) self.assertEqual(mock_get.call_args[1]['user'], self.user) self.assertEqual(mock_get.call_args[1]['product_type'], self.product_type)
def get_authorized_groups_for_product(product, permission): user = get_current_user() if user.is_superuser or user_has_permission(user, product, permission): authorized_groups = get_authorized_groups(Permissions.Group_View) return Product_Group.objects.filter( product=product, group__in=authorized_groups).order_by( 'group__name').select_related('role') else: return None
def test_user_has_group_product_no_permissions(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.product_group_reader] result = user_has_permission(self.user, self.product, Permissions.Product_Delete) self.assertFalse(result) mock_foo.filter.assert_called_with(group__users=self.user)
def get_authorized_members_for_product_type(product_type, permission): user = get_current_user() if user.is_superuser or user_has_permission(user, product_type, permission): return Product_Type_Member.objects.filter( product_type=product_type).order_by( 'user__first_name', 'user__last_name').select_related('role') else: return None
def test_user_has_group_product_type_success(self, mock_foo): mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [self.product_type_group_owner] result = user_has_permission(self.user, self.product_type, Permissions.Product_Type_Delete) self.assertTrue(result) mock_foo.filter.assert_called_with(group__users=self.user)
def check_import_engagement_permission(user, product, product_name, engagement_name, auto_create_context): if product and product_name and engagement_name: if not auto_create_context: raise serializers.ValidationError( "Engagement '%s' doesn't exist in Product %s" % (engagement_name, product_name)) if not user_has_permission(user, product, Permissions.Engagement_Add): raise PermissionDenied( 'No permission to create engagements in product %s', product_name) if not user_has_permission(user, product, Permissions.Import_Scan_Result): raise PermissionDenied( 'No permission to import scans into product %s', product_name) # all good return True
def edit_product_type_member(request, memberid): member = get_object_or_404(Product_Type_Member, pk=memberid) memberform = Edit_Product_Type_MemberForm(instance=member) if request.method == 'POST': memberform = Edit_Product_Type_MemberForm(request.POST, instance=member) if memberform.is_valid(): if not member.role.is_owner: owners = Product_Type_Member.objects.filter( product_type=member.product_type, role__is_owner=True).exclude(id=member.id).count() if owners < 1: messages.add_message( request, messages.SUCCESS, 'There must be at least one owner for Product Type {}.' .format(member.product_type.name), extra_tags='alert-warning') if is_title_in_breadcrumbs('View User'): return HttpResponseRedirect( reverse('view_user', args=(member.user.id, ))) else: return HttpResponseRedirect( reverse('view_product_type', args=(member.product_type.id, ))) if member.role.is_owner and not user_has_permission( request.user, member.product_type, Permissions.Product_Type_Member_Add_Owner): messages.add_message( request, messages.WARNING, 'You are not permitted to make users to owners.', extra_tags='alert-warning') else: memberform.save() messages.add_message( request, messages.SUCCESS, 'Product type member updated successfully.', extra_tags='alert-success') if is_title_in_breadcrumbs('View User'): return HttpResponseRedirect( reverse('view_user', args=(member.user.id, ))) else: return HttpResponseRedirect( reverse('view_product_type', args=(member.product_type.id, ))) add_breadcrumb(title="Edit Product Type Member", top_level=False, request=request) return render(request, 'dojo/edit_product_type_member.html', { 'memberid': memberid, 'form': memberform, })
def has_permission(self, request, view): if request.method == 'POST': has_permission_result = True product_id = request.data.get('product', None) if product_id: object = get_object_or_404(Product, pk=product_id) has_permission_result = has_permission_result and \ user_has_permission(request.user, object, Permissions.Product_Edit) finding_id = request.data.get('finding', None) if finding_id: object = get_object_or_404(Finding, pk=finding_id) has_permission_result = has_permission_result and \ user_has_permission(request.user, object, Permissions.Finding_Edit) endpoint_id = request.data.get('endpoint', None) if endpoint_id: object = get_object_or_404(Endpoint, pk=endpoint_id) has_permission_result = has_permission_result and \ user_has_permission(request.user, object, Permissions.Endpoint_Edit) return has_permission_result else: return True
def has_permission(self, request, view): if request.method == 'POST': has_permission_result = True engagement_id = request.data.get('engagement', None) if engagement_id: object = get_object_or_404(Engagement, pk=engagement_id) has_permission_result = has_permission_result and \ user_has_permission(request.user, object, Permissions.Engagement_Edit) finding_id = request.data.get('finding', None) if finding_id: object = get_object_or_404(Finding, pk=finding_id) has_permission_result = has_permission_result and \ user_has_permission(request.user, object, Permissions.Finding_Edit) finding_group_id = request.data.get('finding_group', None) if finding_group_id: object = get_object_or_404(Finding_Group, pk=finding_group_id) has_permission_result = has_permission_result and \ user_has_permission(request.user, object, Permissions.Finding_Group_Edit) return has_permission_result else: return True
def has_object_permission(self, request, view, obj): if request.method == 'GET': # Users need to be authorized to view groups in general and only the groups they are a member of # because with the group they can see user information that might be considered as confidential return user_has_configuration_permission( request.user, 'auth.view_group', 'staff') and user_has_permission( request.user, obj, Permissions.Group_View) else: return check_object_permission(request, obj, Permissions.Group_View, Permissions.Group_Edit, Permissions.Group_Delete)
def test_user_has_permission_product_member_success(self, mock_get): other_user = User() product_member_other_user = Product_Member() product_member_other_user.user = other_user product_member_other_user.product_type = self.product product_member_other_user.role = Roles.Owner mock_get.return_value = product_member_other_user result = user_has_permission(other_user, self.product_member_reader, Permissions.Product_Remove_Member) self.assertTrue(result) self.assertEqual(mock_get.call_args[1]['user'], other_user) self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_user_has_permission_product_member_no_permission(self, mock_get): other_user = User() other_user.id = 2 product_member_other_user = Product_Member() product_member_other_user.id = 2 product_member_other_user.user = other_user product_member_other_user.product = self.product product_member_other_user.role = Roles.Reader mock_get.return_value = product_member_other_user result = user_has_permission(other_user, self.product_member_owner, Permissions.Product_Member_Delete) self.assertFalse(result) self.assertEqual(mock_get.call_args[1]['user'], other_user) self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_user_has_permission_product_member_success(self, mock_foo): other_user = User() other_user.id = 2 product_member_other_user = Product_Member() product_member_other_user.id = 2 product_member_other_user.user = other_user product_member_other_user.product = self.product product_member_other_user.role = Role.objects.get(id=Roles.Owner) mock_foo.select_related.return_value = mock_foo mock_foo.select_related.return_value = mock_foo mock_foo.filter.return_value = [product_member_other_user] result = user_has_permission(other_user, self.product_member_reader, Permissions.Product_Member_Delete) self.assertTrue(result) mock_foo.filter.assert_called_with(user=other_user)
def add_product_type_group(request, ptid): pt = get_object_or_404(Product_Type, pk=ptid) group_form = Add_Product_Type_GroupForm(initial={'product_type': pt.id}) if request.method == 'POST': group_form = Add_Product_Type_GroupForm( request.POST, initial={'product_type': pt.id}) if group_form.is_valid(): if group_form.cleaned_data[ 'role'].is_owner and not user_has_permission( request.user, pt, Permissions.Product_Type_Group_Add_Owner): messages.add_message( request, messages.WARNING, 'You are not permitted to add groups as owners.', extra_tags='alert-warning') else: if 'groups' in group_form.cleaned_data and len( group_form.cleaned_data['groups']) > 0: for group in group_form.cleaned_data['groups']: groups = Product_Type_Group.objects.filter( product_type=pt, group=group) if groups.count() == 0: product_type_group = Product_Type_Group() product_type_group.product_type = pt product_type_group.group = group product_type_group.role = group_form.cleaned_data[ 'role'] product_type_group.save() messages.add_message(request, messages.SUCCESS, 'Product type groups added successfully.', extra_tags='alert-success') return HttpResponseRedirect( reverse('view_product_type', args=(ptid, ))) add_breadcrumb(title="Add Product Type Group", top_level=False, request=request) return render(request, 'dojo/new_product_type_group.html', { 'pt': pt, 'form': group_form, })
def add_group_member(request, gid): group = get_object_or_404(Dojo_Group, id=gid) groupform = Add_Group_MemberForm(initial={'group': group.id}) if request.method == 'POST': groupform = Add_Group_MemberForm(request.POST, initial={'group': group.id}) if groupform.is_valid(): if groupform.cleaned_data[ 'role'].is_owner and not user_has_permission( request.user, group, Permissions.Group_Add_Owner): messages.add_message( request, messages.WARNING, 'You are not permitted to add users as owners.', extra_tags='alert-warning') else: if 'users' in groupform.cleaned_data and len( groupform.cleaned_data['users']) > 0: for user in groupform.cleaned_data['users']: existing_users = Dojo_Group_Member.objects.filter( group=group, user=user) if existing_users.count() == 0: group_member = Dojo_Group_Member() group_member.group = group group_member.user = user group_member.role = groupform.cleaned_data['role'] group_member.save() messages.add_message( request, messages.SUCCESS, 'Group members added successfully.', extra_tags='alert-success') return HttpResponseRedirect(reverse('view_group', args=(gid, ))) add_breadcrumb(title="Add Group Member", top_level=False, request=request) return render(request, 'dojo/new_group_member.html', { 'group': group, 'form': groupform })
def has_permission(self, request, view): # permission check takes place before validation, so we don't have access to serializer.validated_data() # and we have to validate ourselves unfortunately _, _, _, _, _, product_name, _, _ = get_import_meta_data_from_dict( request.data) product = get_target_product_if_exists(product_name) if not product: product_id = get_product_id_from_dict(request.data) product = get_target_product_by_id_if_exists(product_id) if product: # existing product, nothing special to check return user_has_permission(request.user, product, Permissions.Import_Scan_Result) elif product_id: # product_id doesn't exist raise serializers.ValidationError("product '%s' doesn''t exist" % product_id) else: raise serializers.ValidationError( "Need product_id or product_name to perform import")
def add_product_type_member(request, ptid): pt = get_object_or_404(Product_Type, pk=ptid) memberform = Add_Product_Type_MemberForm(initial={'product_type': pt.id}) if request.method == 'POST': memberform = Add_Product_Type_MemberForm( request.POST, initial={'product_type': pt.id}) if memberform.is_valid(): members = Product_Type_Member.objects.filter( product_type=pt, user=memberform.instance.user) if members.count() > 0: messages.add_message(request, messages.WARNING, 'Product type member already exists.', extra_tags='alert-warning') elif memberform.instance.role == Roles.Owner and not user_has_permission( request.user, pt, Permissions.Product_Type_Member_Add_Owner): messages.add_message( request, messages.WARNING, 'You are not permitted to add users as owners.', extra_tags='alert-warning') else: memberform.save() messages.add_message(request, messages.SUCCESS, 'Product type member added successfully.', extra_tags='alert-success') return HttpResponseRedirect( reverse('view_product_type', args=(ptid, ))) add_breadcrumb(title="Add Product Type Member", top_level=False, request=request) return render(request, 'dojo/new_product_type_member.html', { 'pt': pt, 'form': memberform, })
def edit_product_type_group(request, groupid): group = get_object_or_404(Product_Type_Group, pk=groupid) groupform = Edit_Product_Type_Group_Form(instance=group) if request.method == 'POST': groupform = Edit_Product_Type_Group_Form(request.POST, instance=group) if groupform.is_valid(): if group.role.is_owner and not user_has_permission( request.user, group.product_type, Permissions.Product_Type_Group_Add_Owner): messages.add_message( request, messages.WARNING, 'You are not permitted to make groups owners.', extra_tags='alert-warning') else: groupform.save() messages.add_message( request, messages.SUCCESS, 'Product type group updated successfully.', extra_tags='alert-success') if is_title_in_breadcrumbs('View Group'): return HttpResponseRedirect( reverse('view_group', args=(group.group.id, ))) else: return HttpResponseRedirect( reverse('view_product_type', args=(group.product_type.id, ))) add_breadcrumb(title="Edit Product Type Group", top_level=False, request=request) return render(request, 'dojo/edit_product_type_group.html', { 'groupid': groupid, 'form': groupform })
def has_permission(self, request, view): # permission check takes place before validation, so we don't have access to serializer.validated_data() # and we have to validate ourselves unfortunately test_id, test_title, scan_type, _, engagement_name, product_name, product_type_name, auto_create_context = get_import_meta_data_from_dict( request.data) product_type = get_target_product_type_if_exists(product_type_name) product = get_target_product_if_exists(product_name, product_type_name) engagement = get_target_engagement_if_exists(None, engagement_name, product) test = get_target_test_if_exists(test_id, test_title, scan_type, engagement) if test: # existing test, nothing special to check return user_has_permission(request.user, test, Permissions.Import_Scan_Result) elif test_id: # test_id doesn't exist raise serializers.ValidationError("Test '%s' doesn't exist" % test_id) if not auto_create_context: raise_no_auto_create_import_validation_error( test_title, scan_type, engagement_name, product_name, product_type_name, engagement, product, product_type, "Need test_id or product_name + engagement_name + scan_type to perform reimport" ) else: # the test doesn't exist, so we need to check if the user has requested and is allowed to use auto_create return check_auto_create_permission( request.user, product, product_name, engagement, engagement_name, product_type, product_type_name, "Need test_id or product_name + engagement_name + scan_type to perform reimport" )
def check_post_permission(request, post_model, post_pk, post_permission): if request.method == 'POST': object = get_object_or_404(post_model, pk=request.data.get(post_pk)) return user_has_permission(request.user, object, post_permission) else: return True