DefectDojo
diff --git a/‎.github/workflows/refresh_helm_lock_file.yaml
Lines changed: 0 additions & 40 deletions b/‎.github/workflows/refresh_helm_lock_file.yaml
Lines changed: 0 additions & 40 deletions
diff --git a/‎components/package.json
Lines changed: 1 addition & 1 deletion b/‎components/package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎dojo/__init__.py
Lines changed: 1 addition & 1 deletion b/‎dojo/__init__.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎dojo/api_v2/views.py
Lines changed: 4 additions & 42 deletions b/‎dojo/api_v2/views.py
Lines changed: 4 additions & 42 deletions
diff --git a/‎dojo/apps.py
Lines changed: 5 additions & 0 deletions b/‎dojo/apps.py
Lines changed: 5 additions & 0 deletions
diff --git a/‎dojo/benchmark/signals.py
Lines changed: 14 additions & 0 deletions b/‎dojo/benchmark/signals.py
Lines changed: 14 additions & 0 deletions
diff --git a/‎dojo/benchmark/views.py
Lines changed: 2 additions & 0 deletions b/‎dojo/benchmark/views.py
Lines changed: 2 additions & 0 deletions
diff --git a/‎dojo/components/views.py
Lines changed: 1 addition & 0 deletions b/‎dojo/components/views.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎dojo/cred/signals.py
Lines changed: 14 additions & 0 deletions b/‎dojo/cred/signals.py
Lines changed: 14 additions & 0 deletions
diff --git a/‎dojo/cred/views.py
Lines changed: 4 additions & 3 deletions b/‎dojo/cred/views.py
Lines changed: 4 additions & 3 deletions
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.36.5",
+  "version": "2.36.6",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
 
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = '2.36.5'
+__version__ = '2.36.6'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'https://documentation.defectdojo.com'
@@ -164,6 +164,7 @@
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import (
     async_delete,
+    generate_file_response,
     get_setting,
     get_system_setting,
 )
@@ -646,21 +647,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Engagement"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
 
 class RiskAcceptanceViewSet(
@@ -1156,21 +1144,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Finding"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
     @extend_schema(
         request=serializers.FindingNoteSerializer,
@@ -2320,21 +2295,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Test"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
 
 # Authorization: authenticated, configuration
 
@@ -72,14 +72,19 @@ def ready(self):
         # Load any signals here that will be ready for runtime
         # Importing the signals file is good enough if using the reciever decorator
         import dojo.announcement.signals  # noqa: F401
+        import dojo.benchmark.signals  # noqa: F401
+        import dojo.cred.signals  # noqa: F401
         import dojo.endpoint.signals  # noqa: F401
         import dojo.engagement.signals  # noqa: F401
         import dojo.finding_group.signals  # noqa: F401
+        import dojo.notes.signals  # noqa: F401
         import dojo.product.signals  # noqa: F401
         import dojo.product_type.signals  # noqa: F401
+        import dojo.risk_acceptance.signals  # noqa: F401
         import dojo.sla_config.helpers  # noqa: F401
         import dojo.tags_signals  # noqa: F401
         import dojo.test.signals  # noqa: F401
+        import dojo.tool_product.signals  # noqa: F401
 
 
 def get_model_fields_with_extra(model, extra_fields=()):
 
@@ -0,0 +1,14 @@
+import logging
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from dojo.models import Benchmark_Product
+from dojo.notes.helper import delete_related_notes
+
+logger = logging.getLogger(__name__)
+
+
+@receiver(pre_delete, sender=Benchmark_Product)
+def benchmark_product_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)
@@ -43,6 +43,7 @@ def add_benchmark(queryset, product):
         pass
 
 
+@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark(request, pid, _type):
     if request.method == "POST":
         bench_id = request.POST.get("bench_id")
@@ -90,6 +91,7 @@ def update_benchmark(request, pid, _type):
     )
 
 
+@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark_summary(request, pid, _type, summary):
     if request.method == "POST":
         field = request.POST.get("field")
 
@@ -70,5 +70,6 @@ def components(request):
             "filter": comp_filter,
             "result": result,
             "component_words": sorted(set(component_words)),
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
         },
     )
@@ -0,0 +1,14 @@
+import logging
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from dojo.models import Cred_User
+from dojo.notes.helper import delete_related_notes
+
+logger = logging.getLogger(__name__)
+
+
+@receiver(pre_delete, sender=Cred_User)
+def cred_user_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)
@@ -112,7 +112,8 @@ def view_cred_details(request, ttid):
         'cred': cred,
         'form': form,
         'notes': notes,
-        'cred_products': cred_products
+        'cred_products': cred_products,
+        'person': request.user.username,
     })
 
 
@@ -650,7 +651,7 @@ def delete_cred_controller(request, destination_url, id, ttid):
     if id:
         product = None
         if destination_url == "all_cred_product":
-            product = get_object_or_404(Product, id)
+            product = get_object_or_404(Product, id=id)
         elif destination_url == "view_engagement":
             engagement = get_object_or_404(Engagement, id=id)
             product = engagement.product
@@ -669,7 +670,7 @@ def delete_cred_controller(request, destination_url, id, ttid):
 
 @user_is_authorized(Cred_User, Permissions.Credential_Delete, 'ttid')
 def delete_cred(request, ttid):
-    return delete_cred_controller(request, "cred", 0, ttid)
+    return delete_cred_controller(request, "cred", 0, ttid=ttid)
 
 
 @user_is_authorized(Product, Permissions.Product_Edit, 'pid')
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "defectdojo",`
`3`		`- "version": "2.36.5",`
	`3`	`+ "version": "2.36.6",`
`4`	`4`	`"license" : "BSD-3-Clause",`
`5`	`5`	`"private": true,`
`6`	`6`	`"dependencies": {`
Original file line number	Diff line number	Diff line change
`@@ -70,5 +70,6 @@ def components(request):`
`70`	`70`	`"filter": comp_filter,`
`71`	`71`	`"result": result,`
`72`	`72`	`"component_words": sorted(set(component_words)),`
	`73`	`+ "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),`
`73`	`74`	`},`
`74`	`75`	`)`