forked from DefectDojo/django-DefectDojo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathviews.py
executable file
·174 lines (151 loc) · 6.61 KB
/
views.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
import logging
import os
from auditlog.models import LogEntry
from django.contrib.contenttypes.models import ContentType
from django.contrib import messages
from django.core.exceptions import PermissionDenied
from django.http import Http404, HttpResponseRedirect
from django.conf import settings
from django.urls import reverse
from django.shortcuts import render, get_object_or_404
from dojo.models import Engagement, Test, Finding, Endpoint, Product, FileUpload
from dojo.filters import LogEntryFilter
from dojo.forms import ManageFileFormSet
from dojo.utils import get_page_items, Product_Tab, get_system_setting
from dojo.authorization.authorization import user_has_permission_or_403
from dojo.authorization.roles_permissions import Permissions
from dojo.user.helper import user_is_authorized
logger = logging.getLogger(__name__)
def action_history(request, cid, oid):
try:
ct = ContentType.objects.get_for_id(cid)
obj = ct.get_object_for_this_type(pk=oid)
except KeyError:
raise Http404()
if not settings.FEATURE_AUTHORIZATION_V2 and not user_is_authorized(request.user, 'view', obj):
raise PermissionDenied
product_id = None
active_tab = None
finding = None
test = False
object_value = None
if str(ct) == "product":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Product_View)
product_id = obj.id
active_tab = "overview"
object_value = Product.objects.get(id=obj.id)
elif str(ct) == "engagement":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Engagement_View)
object_value = Engagement.objects.get(id=obj.id)
product_id = object_value.product.id
active_tab = "engagements"
elif str(ct) == "test":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Test_View)
object_value = Test.objects.get(id=obj.id)
product_id = object_value.engagement.product.id
active_tab = "engagements"
test = True
elif str(ct) == "finding":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Finding_View)
object_value = Finding.objects.get(id=obj.id)
product_id = object_value.test.engagement.product.id
active_tab = "findings"
finding = object_value
elif str(ct) == "endpoint":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Endpoint_View)
object_value = Endpoint.objects.get(id=obj.id)
product_id = object_value.product.id
active_tab = "endpoints"
product_tab = None
if product_id:
product_tab = Product_Tab(product_id, title="History", tab=active_tab)
if active_tab == "engagements":
if str(ct) == "engagement":
product_tab.setEngagement(object_value)
else:
product_tab.setEngagement(object_value.engagement)
history = LogEntry.objects.filter(content_type=ct,
object_pk=obj.id).order_by('-timestamp')
history = LogEntryFilter(request.GET, queryset=history)
paged_history = get_page_items(request, history.qs, 25)
if not get_system_setting('enable_auditlog'):
messages.add_message(
request,
messages.WARNING,
'Audit logging is currently disabled in System Settings.',
extra_tags='alert-danger')
return render(request, 'dojo/action_history.html',
{"history": paged_history,
'product_tab': product_tab,
"filtered": history,
"obj": obj,
"test": test,
"object_value": object_value,
"finding": finding
})
def manage_files(request, oid, obj_type):
if not settings.FEATURE_AUTHORIZATION_V2 and not request.user.is_staff:
raise PermissionDenied
if obj_type == 'Engagement':
obj = get_object_or_404(Engagement, pk=oid)
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Engagement_Edit)
obj_vars = ('view_engagement', 'engagement_set')
elif obj_type == 'Test':
obj = get_object_or_404(Test, pk=oid)
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Test_Edit)
obj_vars = ('view_test', 'test_set')
elif obj_type == 'Finding':
obj = get_object_or_404(Finding, pk=oid)
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj, Permissions.Finding_Edit)
obj_vars = ('view_finding', 'finding_set')
else:
raise Http404()
files_formset = ManageFileFormSet(queryset=obj.files.all())
error = False
if request.method == 'POST':
files_formset = ManageFileFormSet(
request.POST, request.FILES, queryset=obj.files.all())
if files_formset.is_valid():
# remove all from database and disk
files_formset.save()
for o in files_formset.deleted_objects:
logger.debug("removing file: %s", o.file.name)
os.remove(os.path.join(settings.MEDIA_ROOT, o.file.name))
for o in files_formset.new_objects:
logger.debug("adding file: %s", o.file.name)
obj.files.add(o)
orphan_files = FileUpload.objects.filter(engagement__isnull=True,
test__isnull=True,
finding__isnull=True)
for o in orphan_files:
logger.debug("purging orphan file: %s", o.file.name)
os.remove(os.path.join(settings.MEDIA_ROOT, o.file.name))
o.delete()
messages.add_message(
request,
messages.SUCCESS,
'Files updated successfully.',
extra_tags='alert-success')
else:
error = True
messages.add_message(
request,
messages.ERROR,
'Please check form data and try again.',
extra_tags='alert-danger')
if not error:
return HttpResponseRedirect(reverse(obj_vars[0], args=(oid, )))
return render(
request, 'dojo/manage_files.html', {
'files_formset': files_formset,
'obj': obj,
'obj_type': obj_type,
})