Fix risk acceptance API to link to engagement and add validations

Fixes #12644

This commit addresses several issues with the risk acceptance API:

1. Risk acceptances created via API now appear in engagement panel
   - Added engagement.risk_acceptance.add(instance) in create() method
   - Fixes the main bug where API-created risk acceptances were orphaned

2. Added validation for enable_full_risk_acceptance product setting
   - API now respects the product-level setting before creating instances
   - Validates in validate() method to fail early

3. Added protection against engagement switching
   - Prevents moving risk acceptances between engagements via PATCH/PUT
   - Validates even when risk acceptance has no findings (edge case)

4. Performance improvement
   - Use self.instance.accepted_findings.all() instead of filtering

5. Comprehensive API tests
   - Added test_risk_acceptance_api.py with 7 test cases
   - Covers all edge cases and validation scenarios
   - All tests passing

Changes:
- dojo/api_v2/serializers.py: Enhanced RiskAcceptanceSerializer
- unittests/test_risk_acceptance_api.py: New comprehensive test suite

Author: valentijnscholten

dojo/api_v2/serializers.py

@@ -1555,6 +1555,12 @@ def create(self, validated_data):
         instance = super().create(validated_data)
         user = getattr(self.context.get("request", None), "user", None)
         ra_helper.add_findings_to_risk_acceptance(user, instance, instance.accepted_findings.all())
+
+        # Add risk acceptance to engagement
+        if instance.accepted_findings.exists():
+            engagement = instance.accepted_findings.first().test.engagement
+            engagement.risk_acceptance.add(instance)
+
         return instance
 
     def update(self, instance, validated_data):
@@ -1616,10 +1622,26 @@ def validate_findings_have_same_engagement(finding_objects: list[Finding]):
             raise PermissionDenied(msg)
         if self.context["request"].method == "POST":
             validate_findings_have_same_engagement(finding_objects)
+
+            # Validate product allows full risk acceptance BEFORE creating instance
+            if finding_objects.exists():
+                engagement = finding_objects.first().test.engagement
+                if not engagement.product.enable_full_risk_acceptance:
+                    msg = "Full risk acceptance is not enabled for this product"
+                    raise PermissionDenied(msg)
         elif self.context["request"].method in {"PATCH", "PUT"}:
-            existing_findings = Finding.objects.filter(risk_acceptance=self.instance.id)
+            # Use the reverse relation instead of filtering
+            existing_findings = self.instance.accepted_findings.all()
             existing_and_new_findings = existing_findings | finding_objects
             validate_findings_have_same_engagement(existing_and_new_findings)
+
+            # Explicit check to prevent engagement switching
+            risk_acceptance_engagement = self.instance.engagement
+            if risk_acceptance_engagement and finding_objects.exists():
+                new_findings_engagement = finding_objects.first().test.engagement
+                if risk_acceptance_engagement.id != new_findings_engagement.id:
+                    msg = f"Risk Acceptance belongs to engagement {risk_acceptance_engagement.id}. Cannot add findings from engagement {new_findings_engagement.id}"
+                    raise ValidationError(msg)
         return data
 
     class Meta: