Finding List Fixes + Finding Template Permission Fixes (DefectDojo#7997)

* Finding List Fixes + Finding Template Permission Fixes

* Fix Flake8 + AccessLint

* Correct accesslint

* Add trans tags

* Fix missing tag issue

Author: Maffooch

dojo/authorization/roles_permissions.py

@@ -134,79 +134,135 @@ def has_value(cls, value):
 
     @classmethod
     def get_engagement_permissions(cls):
-        return {Permissions.Engagement_View, Permissions.Engagement_Edit,
-            Permissions.Engagement_Delete, Permissions.Risk_Acceptance,
-            Permissions.Test_Add, Permissions.Import_Scan_Result, Permissions.Note_Add,
-            Permissions.Note_Delete, Permissions.Note_Edit, Permissions.Note_View_History} \
+        return {
+            Permissions.Engagement_View,
+            Permissions.Engagement_Edit,
+            Permissions.Engagement_Delete,
+            Permissions.Risk_Acceptance,
+            Permissions.Test_Add,
+            Permissions.Import_Scan_Result,
+            Permissions.Note_Add,
+            Permissions.Note_Delete,
+            Permissions.Note_Edit,
+            Permissions.Note_View_History} \
             .union(cls.get_test_permissions())
 
     @classmethod
     def get_test_permissions(cls):
-        return {Permissions.Test_View, Permissions.Test_Edit, Permissions.Test_Delete,
-            Permissions.Finding_Add, Permissions.Import_Scan_Result, Permissions.Note_Add,
-            Permissions.Note_Delete, Permissions.Note_Edit, Permissions.Note_View_History} \
+        return {
+            Permissions.Test_View,
+            Permissions.Test_Edit,
+            Permissions.Test_Delete,
+            Permissions.Finding_Add,
+            Permissions.Import_Scan_Result,
+            Permissions.Note_Add,
+            Permissions.Note_Delete,
+            Permissions.Note_Edit,
+            Permissions.Note_View_History} \
             .union(cls.get_finding_permissions())
 
     @classmethod
     def get_finding_permissions(cls):
-        return {Permissions.Finding_View, Permissions.Finding_Edit, Permissions.Import_Scan_Result,
-            Permissions.Finding_Delete, Permissions.Risk_Acceptance, Permissions.Note_Add,
-            Permissions.Note_Delete, Permissions.Note_Edit, Permissions.Note_View_History} \
+        return {
+            Permissions.Finding_View,
+            Permissions.Finding_Edit,
+            Permissions.Finding_Add,
+            Permissions.Import_Scan_Result,
+            Permissions.Finding_Delete,
+            Permissions.Note_Add,
+            Permissions.Risk_Acceptance,
+            Permissions.Note_Delete,
+            Permissions.Note_Edit,
+            Permissions.Note_View_History} \
             .union(cls.get_finding_group_permissions())
 
     @classmethod
     def get_finding_group_permissions(cls):
-        return {Permissions.Finding_Group_View, Permissions.Finding_Group_Edit,
+        return {
+            Permissions.Finding_Group_View,
+            Permissions.Finding_Group_Edit,
             Permissions.Finding_Group_Delete}
 
     @classmethod
     def get_endpoint_permissions(cls):
-        return {Permissions.Endpoint_View, Permissions.Endpoint_Edit, Permissions.Endpoint_Delete}
+        return {
+            Permissions.Endpoint_View,
+            Permissions.Endpoint_Edit,
+            Permissions.Endpoint_Delete}
 
     @classmethod
     def get_product_member_permissions(cls):
-        return {Permissions.Product_View, Permissions.Product_Manage_Members,
+        return {
+            Permissions.Product_View,
+            Permissions.Product_Manage_Members,
             Permissions.Product_Member_Delete}
 
     @classmethod
     def get_product_type_member_permissions(cls):
-        return {Permissions.Product_Type_View, Permissions.Product_Type_Manage_Members,
+        return {
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Manage_Members,
             Permissions.Product_Type_Member_Delete}
 
     @classmethod
     def get_product_group_permissions(cls):
-        return {Permissions.Product_Group_View, Permissions.Product_Group_Edit,
+        return {
+            Permissions.Product_Group_View,
+            Permissions.Product_Group_Edit,
             Permissions.Product_Group_Delete}
 
     @classmethod
     def get_product_type_group_permissions(cls):
-        return {Permissions.Product_Type_Group_View, Permissions.Product_Type_Group_Edit,
+        return {
+            Permissions.Product_Type_Group_View,
+            Permissions.Product_Type_Group_Edit,
             Permissions.Product_Type_Group_Delete}
 
     @classmethod
     def get_group_permissions(cls):
-        return {Permissions.Group_View, Permissions.Group_Member_Delete, Permissions.Group_Manage_Members,
-            Permissions.Group_Add_Owner, Permissions.Group_Edit, Permissions.Group_Delete}
+        return {
+            Permissions.Group_View,
+            Permissions.Group_Member_Delete,
+            Permissions.Group_Manage_Members,
+            Permissions.Group_Add_Owner,
+            Permissions.Group_Edit,
+            Permissions.Group_Delete}
 
     @classmethod
     def get_group_member_permissions(cls):
-        return {Permissions.Group_View, Permissions.Group_Manage_Members, Permissions.Group_Member_Delete}
+        return {
+            Permissions.Group_View,
+            Permissions.Group_Manage_Members,
+            Permissions.Group_Member_Delete}
 
     @classmethod
     def get_language_permissions(cls):
-        return {Permissions.Language_View, Permissions.Language_Edit, Permissions.Language_Delete}
+        return {
+            Permissions.Language_View,
+            Permissions.Language_Edit,
+            Permissions.Language_Delete}
 
     @classmethod
     def get_technology_permissions(cls):
-        return {Permissions.Technology_View, Permissions.Technology_Edit, Permissions.Technology_Delete}
+        return {
+            Permissions.Technology_View,
+            Permissions.Technology_Edit,
+            Permissions.Technology_Delete}
 
     @classmethod
     def get_product_api_scan_configuration_permissions(cls):
-        return {Permissions.Product_API_Scan_Configuration_View, Permissions.Product_API_Scan_Configuration_Edit, Permissions.Product_API_Scan_Configuration_Delete}
+        return {
+            Permissions.Product_API_Scan_Configuration_View,
+            Permissions.Product_API_Scan_Configuration_Edit,
+            Permissions.Product_API_Scan_Configuration_Delete}
 
     @classmethod
     def get_credential_permissions(cls):
-        return {Permissions.Credential_View, Permissions.Credential_Add, Permissions.Credential_Edit, Permissions.Credential_Delete}
+        return {
+            Permissions.Credential_View,
+            Permissions.Credential_Add,
+            Permissions.Credential_Edit,
+            Permissions.Credential_Delete}
 
 
 def get_roles_with_permissions():

dojo/finding/views.py

@@ -46,7 +46,7 @@
 import dojo.risk_acceptance.helper as ra_helper
 import dojo.finding.helper as finding_helper
 from dojo.authorization.authorization import user_has_permission_or_403
-from dojo.authorization.authorization_decorators import user_is_authorized, user_is_configuration_authorized
+from dojo.authorization.authorization_decorators import user_is_authorized, user_has_global_permission
 from dojo.authorization.roles_permissions import Permissions
 from dojo.finding.queries import get_authorized_findings
 from dojo.test.queries import get_authorized_tests
@@ -1127,7 +1127,7 @@ def clear_finding_review(request, fid):
     })
 
 
-@user_is_configuration_authorized('dojo.add_finding_template')
+@user_has_global_permission(Permissions.Finding_Add)
 def mktemplate(request, fid):
     finding = get_object_or_404(Finding, id=fid)
     templates = Finding_Template.objects.filter(title=finding.title)
@@ -1169,7 +1169,6 @@ def mktemplate(request, fid):
 
 
 @user_is_authorized(Finding, Permissions.Finding_Edit, 'fid')
-@user_is_configuration_authorized('dojo.view_finding_template')
 def find_template_to_apply(request, fid):
     finding = get_object_or_404(Finding, id=fid)
     test = get_object_or_404(Test, id=finding.test.id)
@@ -1471,7 +1470,7 @@ def promote_to_finding(request, fid):
         })
 
 
-@user_is_configuration_authorized('dojo.view_finding_template')
+@user_has_global_permission(Permissions.Finding_Edit)
 def templates(request):
     templates = Finding_Template.objects.all().order_by('cwe')
     templates = TemplateFindingFilter(request.GET, queryset=templates)
@@ -1489,7 +1488,7 @@ def templates(request):
         })
 
 
-@user_is_configuration_authorized('dojo.view_finding_template')
+@user_has_global_permission(Permissions.Finding_Edit)
 def export_templates_to_json(request):
     leads_as_json = serializers.serialize('json', Finding_Template.objects.all())
     return HttpResponse(leads_as_json, content_type='json')
@@ -1540,7 +1539,7 @@ def apply_cwe_mitigation(apply_to_findings, template, update=True):
     return count
 
 
-@user_is_configuration_authorized('dojo.add_finding_template')
+@user_has_global_permission(Permissions.Finding_Add)
 def add_template(request):
     form = FindingTemplateForm()
     if request.method == 'POST':
@@ -1575,7 +1574,7 @@ def add_template(request):
     })
 
 
-@user_is_configuration_authorized('dojo.change_finding_template')
+@user_has_global_permission(Permissions.Finding_Edit)
 def edit_template(request, tid):
     template = get_object_or_404(Finding_Template, id=tid)
     form = FindingTemplateForm(
@@ -1621,7 +1620,7 @@ def edit_template(request, tid):
     })
 
 
-@user_is_configuration_authorized('dojo.delete_finding_template')
+@user_has_global_permission(Permissions.Finding_Delete)
 def delete_template(request, tid):
     template = get_object_or_404(Finding_Template, id=tid)
 

dojo/templates/base.html

@@ -319,7 +319,7 @@
                                                         {% trans "Risk Accepted Findings" %}
                                                     </a>
                                                 </li>
-                                                {% if "dojo.view_finding_template"|has_configuration_permission:request %}
+                                                {% if "Finding_View"|has_global_permission %}
                                                     <li>
                                                         <a href="{% url 'templates' %}">
                                                             {% trans "Finding Templates" %}

dojo/templates/dojo/add_template.html

@@ -1,5 +1,6 @@
 {% extends "base.html" %}
 {% load static %}
+{% load authorization_tags %}
 {% block add_css %}
     {{ block.super }}
 
@@ -32,16 +33,18 @@ <h3> {{ name }} {{ template }}</h3>
         </div>
     </form>
     {% if template %}
-        <form method="post" action="{% url 'delete_template' template.id %}"
-              style="display: inline" class="form-horizontal">
-            {% csrf_token %}
-            <div class="form-group">
-                <div class="col-sm-offset-2 col-sm-10">
-                    <input type="hidden" name="id" value="{{ template.id }}"/>
-                    <button type="submit" class="btn btn-danger template-delete">Delete Template</button>
+        {% if "Finding_Delete"|has_global_permission %}
+            <form method="post" action="{% url 'delete_template' template.id %}"
+                style="display: inline" class="form-horizontal">
+                {% csrf_token %}
+                <div class="form-group">
+                    <div class="col-sm-offset-2 col-sm-10">
+                        <input type="hidden" name="id" value="{{ template.id }}"/>
+                        <button type="submit" class="btn btn-danger template-delete">Delete Template</button>
+                    </div>
                 </div>
-            </div>
-        </form>
+            </form>
+        {% endif %}
     {% endif %}
 {% endblock %}
 {% block postscript %}

dojo/templates/dojo/dev_env.html

@@ -41,6 +41,7 @@ <h3 class="has-filters">
                            class="tablesorter-bootstrap table table-bordered table-condensed table-striped">
                         <thead>
                         <tr>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th>{% dojo_sort request 'Environment' 'name' 'asc' %}</th>
                         </tr>
                         </thead>

dojo/templates/dojo/endpoints.html

@@ -77,11 +77,14 @@ <h3 class="has-filters">
                             </th>
                             {% endif %}
                             {% if host_view %}
+                                {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}    
                                 <th>{% dojo_sort request 'Host' 'host' %}</th>
                             {% else %}
+                                {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}    
                                 <th>{% dojo_sort request 'Endpoint' 'endpoint' %}</th>
                             {% endif %}
                             {% if not product_tab %}
+                                {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}    
                                 <th>{% dojo_sort request 'Product' 'product' 'asc' %}</th>
                             {% endif %}
 							<th class="text-center" nowrap="nowrap">Active Verified Findings</th>

dojo/templates/dojo/engagement.html

@@ -50,11 +50,16 @@ <h3 class="has-filters">
                            class="tablesorter-bootstrap table table-condensed table-striped table-hover">
                         <tr>
                             <th></th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th>{% dojo_sort request 'Engagement' 'name' 'asc' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th>{% dojo_sort request 'Period' 'target_start' 'asc' %}</th>
                             <th>Status</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="prod_name">{% dojo_sort request 'Product' 'product__name' 'asc' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="prod_name">{% dojo_sort request 'Product Type' 'product__prod_type__name' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th>{% dojo_sort request 'Lead' 'lead__first_name' %}</th>
                             <th>Tests</th>
                             {% if system_settings.enable_jira %}

dojo/templates/dojo/engineer_metrics.html

@@ -27,12 +27,19 @@ <h3 class="has-filters">
                     <table id="users"
                         class="tablesorter-bootstrap table table-condensed table-striped">
                         <tr>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap">{% dojo_sort request 'First Name' 'first_name' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap">{% dojo_sort request 'Last Name' 'last_name' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap">{% dojo_sort request 'User Name' 'username' 'asc' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap">{% dojo_sort request 'Email' 'email' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap">{% dojo_sort request 'Last Login' 'last_login'%}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap, text-center">{% dojo_sort request 'Active' 'is_active' %}</th>
+                            {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                             <th class="nowrap, text-center">{% dojo_sort request 'Superuser' 'is_superuser' %}</th>
                         </tr>
                         {% for u in users %}