Strip undeclared engagement field in reimport permission check

The engagement field is not declared on ReImportScanSerializer and gets
stripped during validation. The permission check must also strip it so it
resolves targets the same way execution does — by name, not by a stale
engagement ID from request.data.

Update test to verify the engagement param is ignored and permission is
checked against the name-resolved target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Maffooch

dojo/api_v2/permissions.py

@@ -770,6 +770,11 @@ def has_permission(self, request, view):
         try:
             converted_dict = auto_create.convert_querydict_to_dict(request.data)
             auto_create.process_import_meta_data_from_dict(converted_dict)
+            # engagement is not a declared field on ReImportScanSerializer and will be
+            # stripped during validation — don't use it in the permission check either,
+            # so the permission check resolves targets the same way execution does
+            converted_dict.pop("engagement", None)
+            converted_dict.pop("engagement_id", None)
             # Get an existing product
             converted_dict["product_type"] = auto_create.get_target_product_type_if_exists(**converted_dict)
             converted_dict["product"] = auto_create.get_target_product_if_exists(**converted_dict)

unittests/test_rest_framework.py

@@ -3433,8 +3433,13 @@ def test_create_not_authorized_product_name_engagement_name_scan_type_title(self
 
     @patch("dojo.importers.default_reimporter.DefaultReImporter.process_scan")
     @patch("dojo.importers.default_importer.DefaultImporter.process_scan")
-    def test_reimport_with_engagement_id_mismatched_product_name_is_rejected(self, importer_mock, reimporter_mock):
-        """Sending engagement ID from one product with product_name from another must be rejected."""
+    @patch("dojo.api_v2.permissions.user_has_permission")
+    def test_reimport_engagement_param_ignored_permission_checked_on_name_resolved_target(self, mock, importer_mock, reimporter_mock):
+        """
+        Engagement is not a declared field on ReImportScanSerializer — verify
+        the permission check uses the name-resolved target, not the engagement param.
+        """
+        mock.return_value = False
         importer_mock.return_value = IMPORTER_MOCK_RETURN_VALUE
         reimporter_mock.return_value = REIMPORTER_MOCK_RETURN_VALUE
 
@@ -3445,15 +3450,20 @@ def test_reimport_with_engagement_id_mismatched_product_name_is_rejected(self, i
                 "verified": True,
                 "scan_type": "ZAP Scan",
                 "file": testfile,
-                # Engagement 1 belongs to Product 2 ("Security How-to")
+                # engagement=1 belongs to Product 2 Engagement 1, but it should be ignored
                 "engagement": 1,
-                # But product_name points to Product 1 ("Python How-to")
-                "product_name": "Python How-to",
+                # These names resolve to Product 2's Engagement 4 -> Test 4
+                "product_name": "Security How-to",
                 "engagement_name": "April monthly engagement",
                 "version": "1.0.0",
             }
             response = self.client.post(self.url, payload)
-            self.assertEqual(400, response.status_code, response.content[:1000])
+            self.assertEqual(403, response.status_code, response.content[:1000])
+            # Permission must be checked on name-resolved Test 4 (in Engagement 4),
+            # NOT on Test 3 (which belongs to the engagement=1 param)
+            mock.assert_called_with(User.objects.get(username="admin"),
+                Test.objects.get(id=4),
+                Permissions.Import_Scan_Result)
             importer_mock.assert_not_called()
             reimporter_mock.assert_not_called()