API: Allow filtering users on last_login/date_joined (#12640)

Author: valentijnscholten

dojo/api_v2/views.py

@@ -60,6 +60,7 @@
     ApiRiskAcceptanceFilter,
     ApiTemplateFindingFilter,
     ApiTestFilter,
+    ApiUserFilter,
     ReportFindingFilter,
     ReportFindingFilterWithoutObjectLookups,
     TestImportAPIFilter,
@@ -2379,15 +2380,7 @@ class UsersViewSet(
     serializer_class = serializers.UserSerializer
     queryset = User.objects.none()
     filter_backends = (DjangoFilterBackend,)
-    filterset_fields = [
-        "id",
-        "username",
-        "first_name",
-        "last_name",
-        "email",
-        "is_active",
-        "is_superuser",
-    ]
+    filterset_class = ApiUserFilter
     permission_classes = (permissions.UserHasConfigurationPermissionSuperuser,)
 
     def get_queryset(self):

dojo/filters.py

@@ -85,6 +85,7 @@
     Test_Import_Finding_Action,
     Test_Type,
     TextQuestion,
+    User,
     Vulnerability_Id,
 )
 from dojo.product.queries import get_authorized_products
@@ -3553,6 +3554,44 @@ def filter(self, qs, value):
         return self.options[value][1](self, qs, self.options[value][0])
 
 
+class ApiUserFilter(filters.FilterSet):
+    last_login = filters.DateFromToRangeFilter()
+    date_joined = filters.DateFromToRangeFilter()
+    is_active = filters.BooleanFilter()
+    is_superuser = filters.BooleanFilter()
+    username = filters.CharFilter(lookup_expr="icontains")
+    first_name = filters.CharFilter(lookup_expr="icontains")
+    last_name = filters.CharFilter(lookup_expr="icontains")
+    email = filters.CharFilter(lookup_expr="icontains")
+    class Meta:
+        model = User
+        fields = [
+            "id",
+            "username",
+            "first_name",
+            "last_name",
+            "email",
+            "is_active",
+            "is_superuser",
+            "last_login",
+            "date_joined",
+        ]
+
+    o = OrderingFilter(
+        # tuple-mapping retains order
+        fields=(
+            ("username", "username"),
+            ("last_name", "last_name"),
+            ("first_name", "first_name"),
+            ("email", "email"),
+            ("is_active", "is_active"),
+            ("is_superuser", "is_superuser"),
+            ("date_joined", "date_joined"),
+            ("last_login", "last_login"),
+        ),
+    )
+
+
 with warnings.catch_warnings(action="ignore", category=ManagerInheritanceWarning):
     class QuestionFilter(FilterSet):
         text = CharFilter(lookup_expr="icontains")

unittests/test_apiv2_user.py

@@ -88,3 +88,41 @@ def test_user_change_password(self):
         }, format="json")
         self.assertEqual(r.status_code, 400, r.content[:1000])
         self.assertIn("Update of password though API is not allowed", r.content.decode("utf-8"))
+
+    def test_user_deactivate(self):
+        # user with good password
+        password = "testTEST1234!@#$"
+        r = self.client.post(reverse("user-list"), {
+            "username": "api-user-10",
+            "email": "admin@dojo.com",
+            "password": password,
+        }, format="json")
+        self.assertEqual(r.status_code, 201, r.content[:1000])
+
+        # user with good password
+        password = "testTEST1234!@#$"
+        r = self.client.post(reverse("user-list"), {
+            "username": "api-user-2",
+            "email": "admin@dojo.com",
+            "password": password,
+        }, format="json")
+        self.assertEqual(r.status_code, 201, r.content[:1000])
+        user_id = r.json()["id"]
+
+        # deactivate
+        r = self.client.patch("{}{}/".format(reverse("user-list"), user_id), {
+            "is_active": False,
+        }, format="json")
+        self.assertEqual(r.status_code, 200, r.content[:1000])
+
+        # check is_active field
+        r = self.client.get("{}{}/".format(reverse("user-list"), user_id))
+        self.assertEqual(r.status_code, 200, r.content[:1000])
+        self.assertEqual(r.json()["is_active"], False, r.content[:1000])
+
+        # API key retrieval should fail for inactive user
+        r = self.client.post(reverse("api-token-auth"), {
+            "username": "api-user-2",
+            "password": password,
+        }, format="json")
+        self.assertEqual(r.status_code, 400, r.content[:1000])