Merge pull request #10648 from DefectDojo/master-into-dev/2.36.6-2.37.0-dev

Release: Merge back 2.36.6 into dev from: master-into-dev/2.36.6-2.37.0-dev

Author: Maffooch

.github/workflows/refresh_helm_lock_file.yaml

@@ -164,6 +164,7 @@
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import (
     async_delete,
+    generate_file_response,
     get_setting,
     get_system_setting,
 )
@@ -646,21 +647,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Engagement"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
 
 class RiskAcceptanceViewSet(
@@ -1156,21 +1144,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Finding"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
     @extend_schema(
         request=serializers.FindingNoteSerializer,
@@ -2319,21 +2294,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Test"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
 
 # Authorization: authenticated, configuration

dojo/api_v2/views.py

@@ -72,14 +72,19 @@ def ready(self):
         # Load any signals here that will be ready for runtime
         # Importing the signals file is good enough if using the reciever decorator
         import dojo.announcement.signals  # noqa: F401
+        import dojo.benchmark.signals  # noqa: F401
+        import dojo.cred.signals  # noqa: F401
         import dojo.endpoint.signals  # noqa: F401
         import dojo.engagement.signals  # noqa: F401
         import dojo.finding_group.signals  # noqa: F401
+        import dojo.notes.signals  # noqa: F401
         import dojo.product.signals  # noqa: F401
         import dojo.product_type.signals  # noqa: F401
+        import dojo.risk_acceptance.signals  # noqa: F401
         import dojo.sla_config.helpers  # noqa: F401
         import dojo.tags_signals  # noqa: F401
         import dojo.test.signals  # noqa: F401
+        import dojo.tool_product.signals  # noqa: F401
 
 
 def get_model_fields_with_extra(model, extra_fields=()):

dojo/apps.py

@@ -0,0 +1,14 @@
+import logging
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from dojo.models import Benchmark_Product
+from dojo.notes.helper import delete_related_notes
+
+logger = logging.getLogger(__name__)
+
+
+@receiver(pre_delete, sender=Benchmark_Product)
+def benchmark_product_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)

dojo/benchmark/signals.py

@@ -43,6 +43,7 @@ def add_benchmark(queryset, product):
         pass
 
 
+@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark(request, pid, _type):
     if request.method == "POST":
         bench_id = request.POST.get("bench_id")
@@ -90,6 +91,7 @@ def update_benchmark(request, pid, _type):
     )
 
 
+@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark_summary(request, pid, _type, summary):
     if request.method == "POST":
         field = request.POST.get("field")

dojo/benchmark/views.py

@@ -70,5 +70,6 @@ def components(request):
             "filter": comp_filter,
             "result": result,
             "component_words": sorted(set(component_words)),
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
         },
     )

dojo/components/views.py

@@ -0,0 +1,14 @@
+import logging
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from dojo.models import Cred_User
+from dojo.notes.helper import delete_related_notes
+
+logger = logging.getLogger(__name__)
+
+
+@receiver(pre_delete, sender=Cred_User)
+def cred_user_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)

dojo/cred/signals.py

@@ -113,6 +113,7 @@ def view_cred_details(request, ttid):
         "form": form,
         "notes": notes,
         "cred_products": cred_products,
+        "person": request.user.username,
     })
 
 
@@ -650,7 +651,7 @@ def delete_cred_controller(request, destination_url, id, ttid):
     if id:
         product = None
         if destination_url == "all_cred_product":
-            product = get_object_or_404(Product, id)
+            product = get_object_or_404(Product, id=id)
         elif destination_url == "view_engagement":
             engagement = get_object_or_404(Engagement, id=id)
             product = engagement.product
@@ -669,7 +670,7 @@ def delete_cred_controller(request, destination_url, id, ttid):
 
 @user_is_authorized(Cred_User, Permissions.Credential_Delete, "ttid")
 def delete_cred(request, ttid):
-    return delete_cred_controller(request, "cred", 0, ttid)
+    return delete_cred_controller(request, "cred", 0, ttid=ttid)
 
 
 @user_is_authorized(Product, Permissions.Product_Edit, "pid")

dojo/cred/views.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.13 on 2024-07-23 19:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0212_sla_configuration_enforce_critical_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='system_settings',
+            name='enable_ui_table_based_searching',
+            field=models.BooleanField(default=True, help_text='With this setting enabled, table headings will contain sort buttons for the current page of data in addition to sorting buttons that consider data from all pages.', verbose_name='Enable UI Table Based Filtering/Sorting'),
+        ),
+    ]

dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py

@@ -1,12 +1,13 @@
 from auditlog.models import LogEntry
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
-from django.db.models.signals import post_delete, post_save, pre_save
+from django.db.models.signals import post_delete, post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
 from dojo.models import Engagement
+from dojo.notes.helper import delete_related_notes
 from dojo.notifications.helper import create_notification
 
 
@@ -55,3 +56,8 @@ def engagement_post_delete(sender, instance, using, origin, **kwargs):
                             url=reverse("view_product", args=(instance.product.id, )),
                             recipients=[instance.lead],
                             icon="exclamation-triangle")
+
+
+@receiver(pre_delete, sender=Engagement)
+def engagement_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)