def test_user_has_permission_test_no_permissions(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.product_member_reader]
result = user_has_permission(self.user, self.test, Permissions.Test_Edit)
self.assertFalse(result)
mock_foo.filter.assert_called_with(user=self.user)
def test_user_has_permission_test_success(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.product_member_owner]
result = user_has_permission(self.user, self.test, Permissions.Test_Delete)
self.assertTrue(result)
mock_foo.filter.assert_called_with(user=self.user)
def test_user_has_permission_staff_override(self):
self.user.is_staff = True
result = user_has_permission(self.user, self.product_type,
Permissions.Product_Type_Delete)
self.assertTrue(result)
self.user.is_staff = False
def test_user_has_permission_superuser(self):
self.user.is_superuser = True
result = user_has_permission(self.user, self.product_type,
Permissions.Product_Type_Delete)
self.assertTrue(result)
self.user.is_superuser = False
def test_user_in_group_with_global_role_success(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.group2]
result = user_has_permission(self.user3, self.product,
Permissions.Product_Edit)
self.assertTrue(result)
mock_foo.filter.assert_called_with(users=self.user3)
def test_user_has_permission_endpoint_success(self, mock_get):
mock_get.return_value = self.product_member_owner
result = user_has_permission(self.user, self.endpoint,
Permissions.Endpoint_Delete)
self.assertTrue(result)
self.assertEqual(mock_get.call_args[1]['user'], self.user)
self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_user_has_permission_endpoint_no_permissions(self, mock_get):
mock_get.return_value = self.product_member_reader
result = user_has_permission(self.user, self.endpoint,
Permissions.Endpoint_Edit)
self.assertFalse(result)
self.assertEqual(mock_get.call_args[1]['user'], self.user)
self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_dojo_group_member_success(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.group_member]
result = user_has_permission(self.user4, self.group_member,
Permissions.Group_View)
self.assertTrue(result)
mock_foo.filter.assert_called_with(user=self.user4)
def test_dojo_group_member_no_permission(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.group_member]
result = user_has_permission(self.user4, self.group_member,
Permissions.Group_Manage_Members)
self.assertFalse(result)
mock_foo.filter.assert_called_with(user=self.user4)
def check_post_permission(request, post_model, post_pk, post_permission):
if request.method == 'POST':
if request.data.get(post_pk) is None:
raise ParseError(
'Unable to check for permissions: Attribute \'{}\' is required'
.format(post_pk))
object = get_object_or_404(post_model, pk=request.data.get(post_pk))
return user_has_permission(request.user, object, post_permission)
else:
return True
def test_user_has_permission_product_type_success(self, mock_get):
mock_get.return_value = self.product_type_member_owner
result = user_has_permission(self.user, self.product_type,
Permissions.Product_Type_Delete)
self.assertTrue(result)
self.assertEqual(mock_get.call_args[1]['user'], self.user)
self.assertEqual(mock_get.call_args[1]['product_type'],
self.product_type)
def get_authorized_groups_for_product(product, permission):
user = get_current_user()
if user.is_superuser or user_has_permission(user, product, permission):
authorized_groups = get_authorized_groups(Permissions.Group_View)
return Product_Group.objects.filter(
product=product, group__in=authorized_groups).order_by(
'group__name').select_related('role')
else:
return None
def test_user_has_group_product_no_permissions(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.product_group_reader]
result = user_has_permission(self.user, self.product,
Permissions.Product_Delete)
self.assertFalse(result)
mock_foo.filter.assert_called_with(group__users=self.user)
def get_authorized_members_for_product_type(product_type, permission):
user = get_current_user()
if user.is_superuser or user_has_permission(user, product_type,
permission):
return Product_Type_Member.objects.filter(
product_type=product_type).order_by(
'user__first_name', 'user__last_name').select_related('role')
else:
return None
def test_user_has_group_product_type_success(self, mock_foo):
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [self.product_type_group_owner]
result = user_has_permission(self.user, self.product_type,
Permissions.Product_Type_Delete)
self.assertTrue(result)
mock_foo.filter.assert_called_with(group__users=self.user)
def check_import_engagement_permission(user, product, product_name,
engagement_name, auto_create_context):
if product and product_name and engagement_name:
if not auto_create_context:
raise serializers.ValidationError(
"Engagement '%s' doesn't exist in Product %s" %
(engagement_name, product_name))
if not user_has_permission(user, product, Permissions.Engagement_Add):
raise PermissionDenied(
'No permission to create engagements in product %s',
product_name)
if not user_has_permission(user, product,
Permissions.Import_Scan_Result):
raise PermissionDenied(
'No permission to import scans into product %s', product_name)
# all good
return True
def edit_product_type_member(request, memberid):
member = get_object_or_404(Product_Type_Member, pk=memberid)
memberform = Edit_Product_Type_MemberForm(instance=member)
if request.method == 'POST':
memberform = Edit_Product_Type_MemberForm(request.POST,
instance=member)
if memberform.is_valid():
if not member.role.is_owner:
owners = Product_Type_Member.objects.filter(
product_type=member.product_type,
role__is_owner=True).exclude(id=member.id).count()
if owners < 1:
messages.add_message(
request,
messages.SUCCESS,
'There must be at least one owner for Product Type {}.'
.format(member.product_type.name),
extra_tags='alert-warning')
if is_title_in_breadcrumbs('View User'):
return HttpResponseRedirect(
reverse('view_user', args=(member.user.id, )))
else:
return HttpResponseRedirect(
reverse('view_product_type',
args=(member.product_type.id, )))
if member.role.is_owner and not user_has_permission(
request.user, member.product_type,
Permissions.Product_Type_Member_Add_Owner):
messages.add_message(
request,
messages.WARNING,
'You are not permitted to make users to owners.',
extra_tags='alert-warning')
else:
memberform.save()
messages.add_message(
request,
messages.SUCCESS,
'Product type member updated successfully.',
extra_tags='alert-success')
if is_title_in_breadcrumbs('View User'):
return HttpResponseRedirect(
reverse('view_user', args=(member.user.id, )))
else:
return HttpResponseRedirect(
reverse('view_product_type',
args=(member.product_type.id, )))
add_breadcrumb(title="Edit Product Type Member",
top_level=False,
request=request)
return render(request, 'dojo/edit_product_type_member.html', {
'memberid': memberid,
'form': memberform,
})
def has_permission(self, request, view):
if request.method == 'POST':
has_permission_result = True
product_id = request.data.get('product', None)
if product_id:
object = get_object_or_404(Product, pk=product_id)
has_permission_result = has_permission_result and \
user_has_permission(request.user, object, Permissions.Product_Edit)
finding_id = request.data.get('finding', None)
if finding_id:
object = get_object_or_404(Finding, pk=finding_id)
has_permission_result = has_permission_result and \
user_has_permission(request.user, object, Permissions.Finding_Edit)
endpoint_id = request.data.get('endpoint', None)
if endpoint_id:
object = get_object_or_404(Endpoint, pk=endpoint_id)
has_permission_result = has_permission_result and \
user_has_permission(request.user, object, Permissions.Endpoint_Edit)
return has_permission_result
else:
return True
def has_permission(self, request, view):
if request.method == 'POST':
has_permission_result = True
engagement_id = request.data.get('engagement', None)
if engagement_id:
object = get_object_or_404(Engagement, pk=engagement_id)
has_permission_result = has_permission_result and \
user_has_permission(request.user, object, Permissions.Engagement_Edit)
finding_id = request.data.get('finding', None)
if finding_id:
object = get_object_or_404(Finding, pk=finding_id)
has_permission_result = has_permission_result and \
user_has_permission(request.user, object, Permissions.Finding_Edit)
finding_group_id = request.data.get('finding_group', None)
if finding_group_id:
object = get_object_or_404(Finding_Group, pk=finding_group_id)
has_permission_result = has_permission_result and \
user_has_permission(request.user, object, Permissions.Finding_Group_Edit)
return has_permission_result
else:
return True
def has_object_permission(self, request, view, obj):
if request.method == 'GET':
# Users need to be authorized to view groups in general and only the groups they are a member of
# because with the group they can see user information that might be considered as confidential
return user_has_configuration_permission(
request.user,
'auth.view_group', 'staff') and user_has_permission(
request.user, obj, Permissions.Group_View)
else:
return check_object_permission(request, obj,
Permissions.Group_View,
Permissions.Group_Edit,
Permissions.Group_Delete)
def test_user_has_permission_product_member_success(self, mock_get):
other_user = User()
product_member_other_user = Product_Member()
product_member_other_user.user = other_user
product_member_other_user.product_type = self.product
product_member_other_user.role = Roles.Owner
mock_get.return_value = product_member_other_user
result = user_has_permission(other_user, self.product_member_reader,
Permissions.Product_Remove_Member)
self.assertTrue(result)
self.assertEqual(mock_get.call_args[1]['user'], other_user)
self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_user_has_permission_product_member_no_permission(self, mock_get):
other_user = User()
other_user.id = 2
product_member_other_user = Product_Member()
product_member_other_user.id = 2
product_member_other_user.user = other_user
product_member_other_user.product = self.product
product_member_other_user.role = Roles.Reader
mock_get.return_value = product_member_other_user
result = user_has_permission(other_user, self.product_member_owner, Permissions.Product_Member_Delete)
self.assertFalse(result)
self.assertEqual(mock_get.call_args[1]['user'], other_user)
self.assertEqual(mock_get.call_args[1]['product'], self.product)
def test_user_has_permission_product_member_success(self, mock_foo):
other_user = User()
other_user.id = 2
product_member_other_user = Product_Member()
product_member_other_user.id = 2
product_member_other_user.user = other_user
product_member_other_user.product = self.product
product_member_other_user.role = Role.objects.get(id=Roles.Owner)
mock_foo.select_related.return_value = mock_foo
mock_foo.select_related.return_value = mock_foo
mock_foo.filter.return_value = [product_member_other_user]
result = user_has_permission(other_user, self.product_member_reader, Permissions.Product_Member_Delete)
self.assertTrue(result)
mock_foo.filter.assert_called_with(user=other_user)
def add_product_type_group(request, ptid):
pt = get_object_or_404(Product_Type, pk=ptid)
group_form = Add_Product_Type_GroupForm(initial={'product_type': pt.id})
if request.method == 'POST':
group_form = Add_Product_Type_GroupForm(
request.POST, initial={'product_type': pt.id})
if group_form.is_valid():
if group_form.cleaned_data[
'role'].is_owner and not user_has_permission(
request.user, pt,
Permissions.Product_Type_Group_Add_Owner):
messages.add_message(
request,
messages.WARNING,
'You are not permitted to add groups as owners.',
extra_tags='alert-warning')
else:
if 'groups' in group_form.cleaned_data and len(
group_form.cleaned_data['groups']) > 0:
for group in group_form.cleaned_data['groups']:
groups = Product_Type_Group.objects.filter(
product_type=pt, group=group)
if groups.count() == 0:
product_type_group = Product_Type_Group()
product_type_group.product_type = pt
product_type_group.group = group
product_type_group.role = group_form.cleaned_data[
'role']
product_type_group.save()
messages.add_message(request,
messages.SUCCESS,
'Product type groups added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_product_type', args=(ptid, )))
add_breadcrumb(title="Add Product Type Group",
top_level=False,
request=request)
return render(request, 'dojo/new_product_type_group.html', {
'pt': pt,
'form': group_form,
})
def add_group_member(request, gid):
group = get_object_or_404(Dojo_Group, id=gid)
groupform = Add_Group_MemberForm(initial={'group': group.id})
if request.method == 'POST':
groupform = Add_Group_MemberForm(request.POST,
initial={'group': group.id})
if groupform.is_valid():
if groupform.cleaned_data[
'role'].is_owner and not user_has_permission(
request.user, group, Permissions.Group_Add_Owner):
messages.add_message(
request,
messages.WARNING,
'You are not permitted to add users as owners.',
extra_tags='alert-warning')
else:
if 'users' in groupform.cleaned_data and len(
groupform.cleaned_data['users']) > 0:
for user in groupform.cleaned_data['users']:
existing_users = Dojo_Group_Member.objects.filter(
group=group, user=user)
if existing_users.count() == 0:
group_member = Dojo_Group_Member()
group_member.group = group
group_member.user = user
group_member.role = groupform.cleaned_data['role']
group_member.save()
messages.add_message(
request,
messages.SUCCESS,
'Group members added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_group',
args=(gid, )))
add_breadcrumb(title="Add Group Member", top_level=False, request=request)
return render(request, 'dojo/new_group_member.html', {
'group': group,
'form': groupform
})
def has_permission(self, request, view):
# permission check takes place before validation, so we don't have access to serializer.validated_data()
# and we have to validate ourselves unfortunately
_, _, _, _, _, product_name, _, _ = get_import_meta_data_from_dict(
request.data)
product = get_target_product_if_exists(product_name)
if not product:
product_id = get_product_id_from_dict(request.data)
product = get_target_product_by_id_if_exists(product_id)
if product:
# existing product, nothing special to check
return user_has_permission(request.user, product,
Permissions.Import_Scan_Result)
elif product_id:
# product_id doesn't exist
raise serializers.ValidationError("product '%s' doesn''t exist" %
product_id)
else:
raise serializers.ValidationError(
"Need product_id or product_name to perform import")
def add_product_type_member(request, ptid):
pt = get_object_or_404(Product_Type, pk=ptid)
memberform = Add_Product_Type_MemberForm(initial={'product_type': pt.id})
if request.method == 'POST':
memberform = Add_Product_Type_MemberForm(
request.POST, initial={'product_type': pt.id})
if memberform.is_valid():
members = Product_Type_Member.objects.filter(
product_type=pt, user=memberform.instance.user)
if members.count() > 0:
messages.add_message(request,
messages.WARNING,
'Product type member already exists.',
extra_tags='alert-warning')
elif memberform.instance.role == Roles.Owner and not user_has_permission(
request.user, pt,
Permissions.Product_Type_Member_Add_Owner):
messages.add_message(
request,
messages.WARNING,
'You are not permitted to add users as owners.',
extra_tags='alert-warning')
else:
memberform.save()
messages.add_message(request,
messages.SUCCESS,
'Product type member added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_product_type', args=(ptid, )))
add_breadcrumb(title="Add Product Type Member",
top_level=False,
request=request)
return render(request, 'dojo/new_product_type_member.html', {
'pt': pt,
'form': memberform,
})
def edit_product_type_group(request, groupid):
group = get_object_or_404(Product_Type_Group, pk=groupid)
groupform = Edit_Product_Type_Group_Form(instance=group)
if request.method == 'POST':
groupform = Edit_Product_Type_Group_Form(request.POST, instance=group)
if groupform.is_valid():
if group.role.is_owner and not user_has_permission(
request.user, group.product_type,
Permissions.Product_Type_Group_Add_Owner):
messages.add_message(
request,
messages.WARNING,
'You are not permitted to make groups owners.',
extra_tags='alert-warning')
else:
groupform.save()
messages.add_message(
request,
messages.SUCCESS,
'Product type group updated successfully.',
extra_tags='alert-success')
if is_title_in_breadcrumbs('View Group'):
return HttpResponseRedirect(
reverse('view_group', args=(group.group.id, )))
else:
return HttpResponseRedirect(
reverse('view_product_type',
args=(group.product_type.id, )))
add_breadcrumb(title="Edit Product Type Group",
top_level=False,
request=request)
return render(request, 'dojo/edit_product_type_group.html', {
'groupid': groupid,
'form': groupform
})
def has_permission(self, request, view):
# permission check takes place before validation, so we don't have access to serializer.validated_data()
# and we have to validate ourselves unfortunately
test_id, test_title, scan_type, _, engagement_name, product_name, product_type_name, auto_create_context = get_import_meta_data_from_dict(
request.data)
product_type = get_target_product_type_if_exists(product_type_name)
product = get_target_product_if_exists(product_name, product_type_name)
engagement = get_target_engagement_if_exists(None, engagement_name,
product)
test = get_target_test_if_exists(test_id, test_title, scan_type,
engagement)
if test:
# existing test, nothing special to check
return user_has_permission(request.user, test,
Permissions.Import_Scan_Result)
elif test_id:
# test_id doesn't exist
raise serializers.ValidationError("Test '%s' doesn't exist" %
test_id)
if not auto_create_context:
raise_no_auto_create_import_validation_error(
test_title, scan_type, engagement_name, product_name,
product_type_name, engagement, product, product_type,
"Need test_id or product_name + engagement_name + scan_type to perform reimport"
)
else:
# the test doesn't exist, so we need to check if the user has requested and is allowed to use auto_create
return check_auto_create_permission(
request.user, product, product_name, engagement,
engagement_name, product_type, product_type_name,
"Need test_id or product_name + engagement_name + scan_type to perform reimport"
)
def check_post_permission(request, post_model, post_pk, post_permission):
if request.method == 'POST':
object = get_object_or_404(post_model, pk=request.data.get(post_pk))
return user_has_permission(request.user, object, post_permission)
else:
return True
