Skip to content

Add permission checks for moving engagements between products#14634

Open
Jino-T wants to merge 6 commits intoDefectDojo:bugfixfrom
Jino-T:change-to-moving-engagements
Open

Add permission checks for moving engagements between products#14634
Jino-T wants to merge 6 commits intoDefectDojo:bugfixfrom
Jino-T:change-to-moving-engagements

Conversation

@Jino-T
Copy link
Copy Markdown
Contributor

@Jino-T Jino-T commented Apr 3, 2026
edited by Maffooch
Loading

  • When editing an engagement and changing its product (moving it to a different product), the system now
    verifies the user has Engagement_Edit permission on the destination product
  • This applies to both the API (PUT/PATCH on /api/v2/engagements/{id}/) and the UI (edit engagement
    form)
  • Adds 8 new tests covering authorized moves, unauthorized moves, same-product updates, and partial
    updates without a product field

@github-actions github-actions bot added apiv2 New Migration Adding a new migration file. Take care when merging. labels Apr 3, 2026
Jino-T and others added 4 commits April 14, 2026 14:26
@Jino-T @Maffooch
change-to-moving-engagements
342c477
@Jino-T @Maffooch
fix-migration-issue:
ca4c445
@Maffooch @claude
Revert PR DefectDojo#14634 changes (editable=False approach)
72861d0 
Reverting the approach of making Engagement.product editable=False
and splitting serializers. Will replace with proper permission checks
on the destination product when moving engagements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch @claude
Add permission check on destination product when moving engagements
b8a5c0f 
When a user changes an engagement's product (via API PUT/PATCH or
the UI edit form), verify they have Engagement_Edit permission on
the destination product. Previously only the source product was
checked, allowing users to move engagements to products they lack
write access to.

- API: EngagementSerializer.validate() checks destination product
  permission on update, following the ProductMemberSerializer pattern
- UI: edit_engagement() view checks destination product permission
  before saving
- Tests: 8 new tests covering PATCH, PUT, and UI paths for both
  authorized and unauthorized product moves

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch force-pushed the change-to-moving-engagements branch from 4e2c14c to b8a5c0f Compare April 14, 2026 20:44
@github-actions github-actions bot added unittests helm and removed New Migration Adding a new migration file. Take care when merging. labels Apr 14, 2026
@Maffooch Maffooch changed the base branch from dev to bugfix April 14, 2026 21:00
@Maffooch @claude
Fix UI test: form queryset already rejects unauthorized products
648fdb9 
The EngForm product queryset is filtered to authorized products, so
submitting an unauthorized product fails form validation (200) before
the view-level permission check runs. Update the test to accept both
200 and 403 -- the key assertion is that the engagement does not move.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot removed the helm label Apr 14, 2026
@Maffooch @claude
Fix ruff lint: docstring formatting
9ed0616 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch changed the title Change to moving engagements Add permission checks for moving engagements between products Apr 14, 2026
@Maffooch Maffooch marked this pull request as ready for review April 14, 2026 22:18
@Maffooch Maffooch added this to the 2.57.2 milestone Apr 14, 2026
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity bot commented Apr 14, 2026

DryRun Security

This pull request includes a sensitive edit in dojo/api_v2/serializers.py (Configured Codepaths Edit flagged as error), indicating changes to a protected file path that may require authorization via .dryrunsecurity.yaml; review and confirm allowed authors or revert if unauthorized.

🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_42eb70a2)
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.

Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.

mtesauro
mtesauro approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@paulOsinski paulOsinski paulOsinski approved these changes

@Maffooch Maffooch Maffooch approved these changes

@valentijnscholten valentijnscholten Awaiting requested review from valentijnscholten

@blakeaowens blakeaowens Awaiting requested review from blakeaowens

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

apiv2 unittests

Projects

None yet

Milestone

2.57.2

Development

Successfully merging this pull request may close these issues.

4 participants

@Jino-T @mtesauro @paulOsinski @Maffooch