Merge pull request #3411 from DefectDojo/release/1.10.3

Release: Merge release into master from: release/1.10.3

Author: valentijnscholten

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "DefectDojo",
-  "version": "1.10.2",
+  "version": "1.10.3",
   "dependencies": {
     "JUMFlot": "jumjum123/JUMFlot#*",
     "bootstrap": "^3.4.0",

docker-compose.override.integration_tests.yml

@@ -9,7 +9,9 @@ services:
     depends_on:
       - nginx
       - uwsgi
-    entrypoint: ['/wait-for-it.sh', 'mysql:3306', '-t', '30', '--', '/entrypoint-integration-tests.sh']
+    entrypoint: ['/wait-for-it.sh', 'mysql:3306', '-t', '30', '--', '/app/docker/entrypoint-integration-tests.sh']
+    volumes:
+      - '.:/app:z'
     environment:
       DD_BASE_URL: 'http://nginx:8080/'
       DD_ADMIN_USER: ${DD_ADMIN_USER:-admin}

dojo/__init__.py

@@ -6,6 +6,6 @@
 
 default_app_config = 'dojo.apps.DojoAppConfig'
 
-__version__ = '1.10.2'
+__version__ = '1.10.3'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'http://defectdojo.readthedocs.io/'

dojo/filters.py

@@ -17,9 +17,10 @@
 from dojo.models import Dojo_User, Product_Type, Finding, Product, Test_Type, \
     Endpoint, Development_Environment, Finding_Template, Report, Note_Type, \
     Engagement_Survey, Question, TextQuestion, ChoiceQuestion, Endpoint_Status, Engagement, \
-    ENGAGEMENT_STATUS_CHOICES
+    ENGAGEMENT_STATUS_CHOICES, Test
 from dojo.utils import get_system_setting
 from django.contrib.contenttypes.models import ContentType
+from crum import get_current_user
 
 logger = logging.getLogger(__name__)
 
@@ -1072,6 +1073,18 @@ def __init__(self, *args, **kwargs):
         self.form.fields['severity'].choices = self.queryset.order_by(
             'numerical_severity'
         ).values_list('severity', 'severity').distinct()
+        if get_current_user() is not None and not get_current_user().is_staff:
+            self.form.fields[
+                'test__engagement__product__prod_type'].queryset = Product_Type.objects.filter(
+                authorized_users__in=[get_current_user()])
+            self.form.fields[
+                'test'].queryset = Test.objects.filter(
+                Q(engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(engagement__product__prod_type__authorized_users__in=[get_current_user()]))
+            self.form.fields[
+                'duplicate_finding'].queryset = Finding.objects.filter(
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()]))
 
     class Meta:
         model = Finding
@@ -1117,6 +1130,18 @@ def __init__(self, *args, **kwargs):
         self.form.fields['finding__severity'].choices = self.queryset.order_by(
             'finding__numerical_severity'
         ).values_list('finding__severity', 'finding__severity').distinct()
+        if get_current_user() is not None and not get_current_user().is_staff:
+            self.form.fields[
+                'finding__test__engagement__product__prod_type'].queryset = Product_Type.objects.filter(
+                authorized_users__in=[get_current_user()])
+            self.form.fields[
+                'endpoint'].queryset = Endpoint.objects.filter(
+                Q(product__authorized_users__in=[get_current_user()]) |
+                Q(product__prod_type__authorized_users__in=[get_current_user()]))
+            self.form.fields[
+                'finding'].queryset = Finding.objects.filter(
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()]))
 
     class Meta:
         model = Endpoint_Status
@@ -1227,8 +1252,10 @@ def __init__(self, *args, **kwargs):
             self.user = kwargs.pop('user')
         super(EndpointFilter, self).__init__(*args, **kwargs)
         if self.user and not self.user.is_staff:
-            self.form.fields['product'].queryset = Product.objects.filter(
-                authorized_users__in=[self.user]).distinct().order_by('name')
+            self.form.fields[
+                'product'].queryset = Product.objects.filter(
+                Q(authorized_users__in=[self.user]) |
+                Q(prod_type__authorized_users__in=[self.user])).distinct().order_by('name')
 
     class Meta:
         model = Endpoint
@@ -1286,28 +1313,30 @@ class ReportAuthedFindingFilter(DojoFilter):
     out_of_scope = ReportBooleanFilter()
 
     def __init__(self, *args, **kwargs):
-        self.user = None
-        if 'user' in kwargs:
-            self.user = kwargs.pop('user')
         super(ReportAuthedFindingFilter, self).__init__(*args, **kwargs)
-        if not self.user.is_staff:
+        if get_current_user() and not get_current_user().is_staff:
             self.form.fields[
                 'test__engagement__product'].queryset = Product.objects.filter(
-                authorized_users__in=[self.user])
+                Q(authorized_users__in=[get_current_user()]) |
+                Q(prod_type__authorized_users__in=[get_current_user()]))
             self.form.fields[
                 'test__engagement__product__prod_type'].queryset = Product_Type.objects.filter(
-                authorized_users__in=[self.user])
+                authorized_users__in=[get_current_user()])
+            self.form.fields[
+                'duplicate_finding'].queryset = Finding.objects.filter(
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()]))
 
     @property
     def qs(self):
         parent = super(ReportAuthedFindingFilter, self).qs
-        if self.user.is_staff:
-            return parent
-        else:
+        if get_current_user() and not get_current_user().is_staff:
             return parent.filter(
-                Q(test__engagement__product__authorized_users__in=[self.user]) |
-                Q(test__engagement__product__prod_type__authorized_users__in=[self.user])
+                Q(test__engagement__product__authorized_users__in=[get_current_user()]) |
+                Q(test__engagement__product__prod_type__authorized_users__in=[get_current_user()])
             )
+        else:
+            return parent
 
     class Meta:
         model = Finding

dojo/fixtures/product_type.json

@@ -1,7 +1,8 @@
 [
   {
     "fields": {
-      "name": "Research and Development"
+      "name": "Research and Development",
+      "critical_product": true
     },
     "model": "dojo.product_type",
     "pk": 1

dojo/forms.py

@@ -32,6 +32,7 @@
 from dojo.user.helper import user_is_authorized
 from django.urls import reverse
 import logging
+from crum import get_current_user
 
 logger = logging.getLogger(__name__)
 
@@ -1631,6 +1632,12 @@ class ProductTypeCountsForm(forms.Form):
                                           error_messages={
                                               'required': '*'})
 
+    def __init__(self, *args, **kwargs):
+        super(ProductTypeCountsForm, self).__init__(*args, **kwargs)
+        if get_current_user() is not None and not get_current_user().is_staff:
+            self.fields['product_type'].queryset = Product_Type.objects.filter(
+                authorized_users__in=[get_current_user()])
+
 
 class APIKeyForm(forms.ModelForm):
     id = forms.IntegerField(required=True,