
Request Review does not apply RBAC in an expected way #11545

Open. Wants to merge 2 commits into base: bugfix

Conversation

hblankenship (Collaborator)

When a user is added to a group with the global role Owner, those users should be able to be requested to review any Finding that exists. They should also be able to be added as leads on tests and engagements.

[sc-9708]


dryrunsecurity bot commented Jan 10, 2025

DryRun Security Summary

The pull request enhances the Dojo application's authorization and access control by introducing global roles, expanding authorization checks, implementing performance-improving caching, and ensuring only active users are considered in the access control process.


Summary:

The code changes in this pull request are focused on enhancing the authorization and access control functionality within the Dojo application. The key changes include the introduction of "Global Roles", expanded authorization checks that consider global roles and group memberships, caching of the get_authorized_users function to improve performance, and handling of superuser and global permissions. Additionally, the changes ensure that only active users are considered in the authorization process.

From an application security perspective, these changes are positive as they help to enforce the principle of least privilege and prevent unauthorized access to sensitive data or functionality. The more granular access control system, which takes into account global roles and group memberships, helps to ensure a robust and comprehensive authorization mechanism. The caching of the get_authorized_users function also improves the overall performance and scalability of the application's access control system.

Files Changed:

  • dojo/user/queries.py: This file contains the changes related to the authorization and access control functionality. The key changes include:
    • Introduction of "Global Roles" (Global_Role model) and their inclusion in the authorization checks.
    • Expansion of the get_authorized_users_for_product_type and get_authorized_users_for_product_and_product_type functions to consider global roles, group memberships, superuser status, and global permissions.
    • Caching of the get_authorized_users function using the @cache_for_request decorator to improve performance.
    • Handling of inactive users by retrieving only active users when the users parameter is None.

Overall, these changes demonstrate a strong focus on enhancing the application's access control and authorization mechanisms, which is a crucial aspect of application security.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

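As an added illustration (not DefectDojo's code and not the diff of this PR), the following self-contained Python model shows the resolution rule the bot summary above describes: superusers, holders of a qualifying global role, direct and group-based product-type roles, and groups that themselves carry a global role all contribute to the authorized set, and inactive accounts are dropped at the end. The function name `authorized_users_for_product_type`, the `REVIEW_ROLES` set and all sample users, groups and product types are constructed for the example.

```python
"""Illustrative model of resolving which users may be asked to review a finding
or be assigned as a lead. This is example code, not DefectDojo's own
implementation; the role names and sample data below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Roles assumed (for this example) to carry the "review finding" permission.
REVIEW_ROLES = frozenset({"Owner", "Maintainer"})


@dataclass(frozen=True)
class User:
    name: str
    is_active: bool = True
    is_superuser: bool = False
    global_role: Optional[str] = None   # role the user holds on every product


@dataclass(frozen=True)
class Group:
    name: str
    members: FrozenSet[User]
    global_role: Optional[str] = None   # role the whole group holds globally


@dataclass
class ProductType:
    name: str
    user_roles: Dict[User, str] = field(default_factory=dict)    # direct roles
    group_roles: Dict[Group, str] = field(default_factory=dict)  # group roles


def authorized_users_for_product_type(users: Iterable[User], groups: Iterable[Group],
                                      product_type: ProductType,
                                      roles: FrozenSet[str] = REVIEW_ROLES) -> Set[User]:
    """Return the active users allowed to act on `product_type` with any of `roles`.

    A user qualifies through any one of: superuser status, a global role in
    `roles`, a direct role on the product type in `roles`, membership in a group
    that holds such a role on the product type, or membership in a group whose
    own global role is in `roles`.
    """
    authorized: Set[User] = set()
    for user in users:
        if user.is_superuser or user.global_role in roles:
            authorized.add(user)
        elif product_type.user_roles.get(user) in roles:
            authorized.add(user)
    for group in groups:
        if group.global_role in roles or product_type.group_roles.get(group) in roles:
            authorized.update(group.members)
    # Disabled accounts must never be offered as reviewers or leads, whatever
    # roles they still hold; filter them out after the union is built.
    return {u for u in authorized if u.is_active}


# Constructed sample data covering each path through the rule above.
alice = User("alice", is_superuser=True)
bob = User("bob", global_role="Owner")
carol = User("carol", is_active=False, global_role="Owner")   # disabled Owner
dave = User("dave")                                           # Owner only via group
erin = User("erin")                                           # Reader on one product type
frank = User("frank")                                         # no access at all
owners_group = Group("owners", frozenset({dave}), global_role="Owner")
readers_group = Group("readers", frozenset({erin}))
webapps = ProductType("webapps", user_roles={erin: "Reader"},
                      group_roles={readers_group: "Reader"})
USERS = [alice, bob, carol, dave, erin, frank]
GROUPS = [owners_group, readers_group]


def reviewer_names(product_type: ProductType = webapps,
                   roles: FrozenSet[str] = REVIEW_ROLES) -> list:
    """Sorted names of users who may review findings under `product_type`."""
    return sorted(u.name for u in authorized_users_for_product_type(USERS, GROUPS, product_type, roles))


if __name__ == "__main__":
    print(reviewer_names())   # alice (superuser), bob (global Owner), dave (group Owner)
```

The check worth keeping in mind is the last line of the function: membership and role lookups are unioned first and the active-user filter is applied once over the result, so a deactivated account cannot slip back in through a group or global role that was never revoked.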
