Fix #10268: Add context-aware filtering to Finding Group filter

- Implemented hierarchical context filtering (test > engagement > product > global)
- Created get_finding_group_queryset_for_context() helper function to eliminate code duplication
- Modified FindingFilter and FindingFilterWithoutObjectLookups to accept eid/tid parameters
- Updated filter to show only Finding Groups from current test/engagement/product context
- Added query optimization with .only("id", "name") for Finding Groups
- Fixed user parameter passing to get_authorized_finding_groups_for_queryset()
- Updated finding/views.py and test/views.py to pass context parameters to filters
- Created comprehensive unit tests (8 test methods) covering all context levels

This ensures users only see relevant Finding Groups in the filter dropdown based on
their current page context, preventing confusion from seeing unrelated groups.

Author: AbhimanyuGit2507

dojo/filters.py

@@ -2020,6 +2020,32 @@ def filter_mitigated_on(self, queryset, name, value):
         return queryset.filter(mitigated=value)
 
 
+def get_finding_group_queryset_for_context(pid=None, eid=None, tid=None):
+    """
+    Helper function to build finding group queryset based on context hierarchy.
+    Context priority: test > engagement > product > global
+    
+    Args:
+        pid: Product ID (least specific)
+        eid: Engagement ID
+        tid: Test ID (most specific)
+    
+    Returns:
+        QuerySet of Finding_Group filtered by context
+    """
+    if tid is not None:
+        # Most specific: filter by test
+        return Finding_Group.objects.filter(test_id=tid).only("id", "name")
+    if eid is not None:
+        # Filter by engagement's tests
+        return Finding_Group.objects.filter(test__engagement_id=eid).only("id", "name")
+    if pid is not None:
+        # Filter by product's tests
+        return Finding_Group.objects.filter(test__engagement__product_id=pid).only("id", "name")
+    # Global: return all (authorization will be applied separately)
+    return Finding_Group.objects.all().only("id", "name")
+
+
 class FindingFilterWithoutObjectLookups(FindingFilterHelper, FindingTagStringFilter):
     test__engagement__product__prod_type = NumberFilter(widget=HiddenInput())
     test__engagement__product = NumberFilter(widget=HiddenInput())
@@ -2111,20 +2137,45 @@ class Meta:
     def __init__(self, *args, **kwargs):
         self.user = None
         self.pid = None
+        self.eid = None
+        self.tid = None
         if "user" in kwargs:
             self.user = kwargs.pop("user")
 
         if "pid" in kwargs:
             self.pid = kwargs.pop("pid")
+        if "eid" in kwargs:
+            self.eid = kwargs.pop("eid")
+        if "tid" in kwargs:
+            self.tid = kwargs.pop("tid")
         super().__init__(*args, **kwargs)
         # Set some date fields
         self.set_date_fields(*args, **kwargs)
-        # Don't show the product filter on the product finding view
-        if self.pid:
-            del self.form.fields["test__engagement__product__name"]
-            del self.form.fields["test__engagement__product__name_contains"]
-            del self.form.fields["test__engagement__product__prod_type__name"]
-            del self.form.fields["test__engagement__product__prod_type__name_contains"]
+        # Don't show the product/engagement/test filter fields when in specific context
+        if self.tid or self.eid or self.pid:
+            if "test__engagement__product__name" in self.form.fields:
+                del self.form.fields["test__engagement__product__name"]
+            if "test__engagement__product__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__product__name_contains"]
+            if "test__engagement__product__prod_type__name" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type__name"]
+            if "test__engagement__product__prod_type__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type__name_contains"]
+        # Also hide engagement and test fields if in test or engagement  context
+        if self.tid:
+            if "test__engagement__name" in self.form.fields:
+                del self.form.fields["test__engagement__name"]
+            if "test__engagement__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__name_contains"]
+            if "test__name" in self.form.fields:
+                del self.form.fields["test__name"]
+            if "test__name_contains" in self.form.fields:
+                del self.form.fields["test__name_contains"]
+        elif self.eid:
+            if "test__engagement__name" in self.form.fields:
+                del self.form.fields["test__engagement__name"]
+            if "test__engagement__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__name_contains"]
 
 
 class FindingFilter(FindingFilterHelper, FindingTagFilter):
@@ -2163,29 +2214,57 @@ class Meta:
     def __init__(self, *args, **kwargs):
         self.user = None
         self.pid = None
+        self.eid = None
+        self.tid = None
         if "user" in kwargs:
             self.user = kwargs.pop("user")
 
         if "pid" in kwargs:
             self.pid = kwargs.pop("pid")
+        if "eid" in kwargs:
+            self.eid = kwargs.pop("eid")
+        if "tid" in kwargs:
+            self.tid = kwargs.pop("tid")
         super().__init__(*args, **kwargs)
         # Set some date fields
         self.set_date_fields(*args, **kwargs)
         # Don't show the product filter on the product finding view
         self.set_related_object_fields(*args, **kwargs)
 
     def set_related_object_fields(self, *args: list, **kwargs: dict):
-        finding_group_query = Finding_Group.objects.all()
-        if self.pid is not None:
+        # Use helper to get contextual finding group queryset
+        finding_group_query = get_finding_group_queryset_for_context(
+            pid=self.pid,
+            eid=self.eid,
+            tid=self.tid,
+        )
+        
+        # Filter by most specific context: test > engagement > product
+        if self.tid is not None:
+            # Test context: filter finding groups by test
+            del self.form.fields["test__engagement__product"]
+            del self.form.fields["test__engagement__product__prod_type"]
+            del self.form.fields["test__engagement"]
+            del self.form.fields["test"]
+        elif self.eid is not None:
+            # Engagement context: filter finding groups by engagement
+            del self.form.fields["test__engagement__product"]
+            del self.form.fields["test__engagement__product__prod_type"]
+            del self.form.fields["test__engagement"]
+            # Filter tests by engagement - get_authorized_tests doesn't support engagement param
+            engagement = Engagement.objects.get(id=self.eid)
+            self.form.fields["test"].queryset = get_authorized_tests(Permissions.Test_View, product=engagement.product).filter(engagement_id=self.eid).prefetch_related("test_type")
+        elif self.pid is not None:
+            # Product context: filter finding groups by product
             del self.form.fields["test__engagement__product"]
             del self.form.fields["test__engagement__product__prod_type"]
             # TODO: add authorized check to be sure
             self.form.fields["test__engagement"].queryset = Engagement.objects.filter(
                 product_id=self.pid,
             ).all()
             self.form.fields["test"].queryset = get_authorized_tests(Permissions.Test_View, product=self.pid).prefetch_related("test_type")
-            finding_group_query = Finding_Group.objects.filter(test__engagement__product_id=self.pid)
         else:
+            # Global context: show all authorized finding groups
             self.form.fields[
                 "test__engagement__product__prod_type"].queryset = get_authorized_product_types(Permissions.Product_Type_View)
             self.form.fields["test__engagement"].queryset = get_authorized_engagements(Permissions.Engagement_View)
@@ -2194,7 +2273,7 @@ def set_related_object_fields(self, *args: list, **kwargs: dict):
         if self.form.fields.get("test__engagement__product"):
             self.form.fields["test__engagement__product"].queryset = get_authorized_products(Permissions.Product_View)
         if self.form.fields.get("finding_group", None):
-            self.form.fields["finding_group"].queryset = get_authorized_finding_groups_for_queryset(Permissions.Finding_Group_View, finding_group_query)
+            self.form.fields["finding_group"].queryset = get_authorized_finding_groups_for_queryset(Permissions.Finding_Group_View, finding_group_query, user=self.user)
         self.form.fields["reporter"].queryset = get_authorized_users(Permissions.Finding_View)
         self.form.fields["reviewers"].queryset = self.form.fields["reporter"].queryset
 

dojo/finding/views.py

@@ -267,6 +267,8 @@ def filter_findings_by_form(self, request: HttpRequest, findings: QuerySet[Findi
         kwargs = {
             "user": request.user,
             "pid": self.get_product_id(),
+            "eid": self.get_engagement_id(),
+            "tid": self.get_test_id(),
         }
 
         filter_string_matching = get_system_setting("filter_string_matching", False)
@@ -360,10 +362,11 @@ def add_breadcrumbs(self, request: HttpRequest, context: dict):
 
         return request, context
 
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
-        # Store the product and engagement ids
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
+        # Store the product, engagement, and test ids
         self.product_id = product_id
         self.engagement_id = engagement_id
+        self.test_id = test_id
         # Get the initial context
         request, context = self.get_initial_context(request)
         # Get the filtered findings
@@ -386,46 +389,46 @@ def get(self, request: HttpRequest, product_id: int | None = None, engagement_id
 
 
 class ListOpenFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Open"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListVerifiedFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Verified"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListOutOfScopeFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Out of Scope"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListFalsePositiveFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "False Positive"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListInactiveFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Inactive"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListAcceptedFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Accepted"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListClosedFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Closed"
         self.order_by = "-mitigated"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ViewFinding(View):

dojo/test/views.py

@@ -122,7 +122,7 @@ def get_findings(self, request: HttpRequest, test: Test):
         findings = Finding.objects.filter(test=test).order_by("numerical_severity")
         filter_string_matching = get_system_setting("filter_string_matching", False)
         finding_filter_class = FindingFilterWithoutObjectLookups if filter_string_matching else FindingFilter
-        findings = finding_filter_class(request.GET, pid=test.engagement.product.id, queryset=findings)
+        findings = finding_filter_class(request.GET, pid=test.engagement.product.id, eid=test.engagement.id, tid=test.id, queryset=findings)
         paged_findings = get_page_items_and_count(request, prefetch_for_findings(findings.qs), 25, prefix="findings")
         fix_available_count = findings.qs.filter(fix_available=True).count()