From a05c8a8aa21ce319a2ebc3365c5dcddcd4c9d7b6 Mon Sep 17 00:00:00 2001 From: hblankenship Date: Fri, 10 Jan 2025 11:00:17 -0600 Subject: [PATCH 1/2] check for global role permissions as well --- dojo/user/queries.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/dojo/user/queries.py b/dojo/user/queries.py index 0a6b4143882..8640f3f1161 100644 --- a/dojo/user/queries.py +++ b/dojo/user/queries.py @@ -5,6 +5,7 @@ from dojo.models import ( Dojo_Group_Member, Dojo_User, + Global_Role, Product_Group, Product_Member, Product_Type_Group, @@ -22,9 +23,12 @@ def get_authorized_users_for_product_type(users, product_type, permission): .select_related("user") product_type_groups = Product_Type_Group.objects \ .filter(product_type=product_type, role__in=roles) + global_roles = Global_Role.objects.filter(role__in=roles) group_members = Dojo_Group_Member.objects \ - .filter(group__in=[ptg.group for ptg in product_type_groups]) \ + .filter(Q(group__in=[ptg.group for ptg in product_type_groups]) \ + | Q(group__in=[gr.group for gr in global_roles])) \ .select_related("user") + return users.filter(Q(id__in=[ptm.user.id for ptm in product_type_members]) | Q(id__in=[gm.user.id for gm in group_members]) | Q(global_role__role__in=roles) @@ -36,6 +40,7 @@ def get_authorized_users_for_product_and_product_type(users, product, permission users = Dojo_User.objects.filter(is_active=True) roles = get_roles_for_permission(permission) + product_members = Product_Member.objects \ .filter(product=product, role__in=roles) \ .select_related("user") 
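Review bot: The new `global_roles` query in get_authorized_users_for_product_type (hunk @@ -22,9 +23,12 @@) is not restricted to group-bound rows, and `[gr.group for gr in global_roles]` then follows the FK with one extra query per row; if a Global_Role can also be bound directly to a user (the existing `Q(global_role__role__in=roles)` on users suggests both bindings exist) that list also carries a `None` per user-bound row, which Django's `__in` lookup discards silently. Keeping the selection in the database avoids both: `global_roles = Global_Role.objects.filter(role__in=roles, group__isnull=False).values("group")` and then `| Q(group__in=global_roles))`. The same pattern appears in the @@ -46,11 +51,14 @@ hunk for get_authorized_users_for_product_and_product_type. Since this widens the set of users both helpers report as authorized (members of any group holding a global role that grants the permission), a test asserting that a group with a matching global role adds its members while a group with a non-matching role does not would pin the intended semantics. Both functions begin before their hunks, so the surrounding definitions are not visible here.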
@@ -46,11 +51,14 @@ def get_authorized_users_for_product_and_product_type(users, product, permission .filter(product=product, role__in=roles) product_type_groups = Product_Type_Group.objects \ .filter(product_type=product.prod_type, role__in=roles) + global_roles = Global_Role.objects.filter(role__in=roles) group_members = Dojo_Group_Member.objects \ .filter( Q(group__in=[pg.group for pg in product_groups]) - | Q(group__in=[ptg.group for ptg in product_type_groups])) \ + | Q(group__in=[ptg.group for ptg in product_type_groups]) \ + | Q(group__in=[gr.group for gr in global_roles])) \ .select_related("user") + return users.filter(Q(id__in=[pm.user.id for pm in product_members]) | Q(id__in=[ptm.user.id for ptm in product_type_members]) | Q(id__in=[gm.user.id for gm in group_members]) @@ -58,6 +66,7 @@ def get_authorized_users_for_product_and_product_type(users, product, permission | Q(is_superuser=True)) + # Cached because it is a complex SQL query and it is called 3 times for the engagement lists in products @cache_for_request def get_authorized_users(permission, user=None): From c2d69be43ae69587b5549d85f97568ff9b525449 Mon Sep 17 00:00:00 2001 From: hblankenship Date: Fri, 10 Jan 2025 11:05:50 -0600 Subject: [PATCH 2/2] fix too many lines, redundant backslash --- dojo/user/queries.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dojo/user/queries.py b/dojo/user/queries.py index 8640f3f1161..5b9227e51bb 100644 --- a/dojo/user/queries.py +++ b/dojo/user/queries.py @@ -25,7 +25,7 @@ def get_authorized_users_for_product_type(users, product_type, permission): .filter(product_type=product_type, role__in=roles) global_roles = Global_Role.objects.filter(role__in=roles) group_members = Dojo_Group_Member.objects \ - .filter(Q(group__in=[ptg.group for ptg in product_type_groups]) \ + .filter(Q(group__in=[ptg.group for ptg in product_type_groups]) | Q(group__in=[gr.group for gr in global_roles])) \ .select_related("user") 
@@ -55,7 +55,7 @@ def get_authorized_users_for_product_and_product_type(users, product, permission group_members = Dojo_Group_Member.objects \ .filter( Q(group__in=[pg.group for pg in product_groups]) - | Q(group__in=[ptg.group for ptg in product_type_groups]) \ + | Q(group__in=[ptg.group for ptg in product_type_groups]) | Q(group__in=[gr.group for gr in global_roles])) \ .select_related("user") @@ -66,7 +66,6 @@ def get_authorized_users_for_product_and_product_type(users, product, permission | Q(is_superuser=True)) - # Cached because it is a complex SQL query and it is called 3 times for the engagement lists in products @cache_for_request def get_authorized_users(permission, user=None):