99from django .utils import timezone
1010
1111from dojo .finding import views
12- from dojo .models import Engagement , Finding , Finding_Template , Product , Product_Type , System_Settings , Test , Test_Type
12+ from dojo .models import (
13+ Engagement ,
14+ Finding ,
15+ Finding_Template ,
16+ Product ,
17+ Product_Member ,
18+ Product_Type ,
19+ Role ,
20+ System_Settings ,
21+ Test ,
22+ Test_Type ,
23+ )
1324
1425from .dojo_test_case import DojoTestCase
1526
@@ -88,6 +99,19 @@ def create_user(is_staff):
8899 user .save ()
89100 return user
90101
102+ @staticmethod
103+ def create_user_with_role (product , role_name , * , is_staff = False ):
104+ """Create a user with a specific role on a product"""
105+ user_count = User .objects .count ()
106+ user = User ()
107+ user .is_staff = is_staff
108+ user .is_superuser = False
109+ user .username = f"TestUser{ role_name } { user_count }
110+ user .save ()
111+ role = Role .objects .get (name = role_name )
112+ Product_Member (user = user , product = product , role = role ).save ()
113+ return user
114+
91115 @staticmethod
92116 def create_get_request (user , path ):
93117 rf = RequestFactory ()
@@ -177,6 +201,7 @@ def test_apply_template_to_finding_with_data_saves_success(self):
177201 self .assertEqual (test_impact , f .impact )
178202
179203 def test_unauthorized_apply_template_to_finding_fails (self ):
204+ """Test that a non-superuser without permissions cannot apply template"""
180205 with self .assertRaises (PermissionDenied ):
181206 self .make_request (user_is_staff = False , finding_id = self .finding .id , template_id = self .template .id ,
182207 data = {"title" : "Finding for Testing Apply Template functionality" ,
@@ -187,6 +212,42 @@ def test_unauthorized_apply_template_to_finding_fails(self):
187212 "impact" : "template impact" },
188213 )
189214
215+ def test_reader_role_cannot_apply_template (self ):
216+ """Test that a Reader role user (read-only) cannot apply template"""
217+ reader_user = FindingTemplateTestUtil .create_user_with_role (
218+ self .finding .test .engagement .product , "Reader" , is_staff = False ,
219+ )
220+ request = FindingTemplateTestUtil .create_post_request (
221+ reader_user , self .apply_template_url ,
222+ data = {"title" : "Finding for Testing Apply Template functionality" ,
223+ "cwe" : "89" ,
224+ "severity" : "High" ,
225+ "description" : "Finding for Testing Apply Template Functionality" ,
226+ "mitigation" : "template mitigation" ,
227+ "impact" : "template impact" },
228+ )
229+ with impersonate (reader_user ), self .assertRaises (PermissionDenied ):
230+ views .apply_template_to_finding (request , fid = self .finding .id , tid = self .template .id )
231+
232+ def test_writer_role_can_apply_template (self ):
233+ """Test that a Writer role user (non-staff) can apply template"""
234+ writer_user = FindingTemplateTestUtil .create_user_with_role (
235+ self .finding .test .engagement .product , "Writer" , is_staff = False ,
236+ )
237+ request = FindingTemplateTestUtil .create_post_request (
238+ writer_user , self .apply_template_url ,
239+ data = {"title" : "Finding for Testing Apply Template functionality" ,
240+ "cwe" : "89" ,
241+ "severity" : "High" ,
242+ "description" : "Finding for Testing Apply Template Functionality" ,
243+ "mitigation" : "template mitigation" ,
244+ "impact" : "template impact" },
245+ )
246+ with impersonate (writer_user ):
247+ result = views .apply_template_to_finding (request , fid = self .finding .id , tid = self .template .id )
248+ self .assertEqual (302 , result .status_code )
249+ self .assertEqual (f"/finding/{ self .finding .id } , result .url )
250+
190251 def test_apply_template_to_finding_with_illegal_finding_fails (self ):
191252 with self .assertRaises (Http404 ):
192253 self .make_request (user_is_staff = True , finding_id = 99999 , template_id = self .template .id )
0 commit comments