Use ID-based comparisons and add engagement_name check to import

- Switch permission checks to use ID comparisons (product_id, engagement_id)
  where resolved objects are available, with name fallback for unresolved cases
- Add engagement_name validation to UserHasImportPermission (was missing)
- Fix ruff string quoting in auto_create_context.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Maffooch

dojo/api_v2/permissions.py

@@ -473,9 +473,12 @@ def has_permission(self, request, view):
             # Raise an explicit drf exception here
             raise ValidationError(e)
         if engagement := converted_dict.get("engagement"):
-            # Validate the resolved engagement's parent chain matches any provided names
-            if (product_name := converted_dict.get("product_name")) and engagement.product.name != product_name:
-                msg = f'The resolved engagement is associated with product "{engagement.product.name}", not with product "{product_name}"'
+            # Validate the resolved engagement's parent chain matches any provided identifiers
+            if (product := converted_dict.get("product")) and engagement.product_id != product.id:
+                msg = f'The resolved engagement is associated with product "{engagement.product.name}", not with product "{converted_dict.get("product_name")}"'
+                raise ValidationError(msg)
+            if (engagement_name := converted_dict.get("engagement_name")) and engagement.name != engagement_name:
+                msg = f'The resolved engagement is named "{engagement.name}", not "{engagement_name}"'
                 raise ValidationError(msg)
             return user_has_permission(
                 request.user, engagement, Permissions.Import_Scan_Result,
@@ -777,11 +780,18 @@ def has_permission(self, request, view):
             raise ValidationError(e)
 
         if test := converted_dict.get("test"):
-            # Validate the resolved test's parent chain matches any provided names
-            if (product_name := converted_dict.get("product_name")) and test.engagement.product.name != product_name:
+            # Validate the resolved test's parent chain matches any provided identifiers
+            if (product := converted_dict.get("product")) and test.engagement.product_id != product.id:
+                msg = f'The resolved test is associated with product "{test.engagement.product.name}", not with product "{converted_dict.get("product_name")}"'
+                raise ValidationError(msg)
+            if (engagement := converted_dict.get("engagement")) and test.engagement_id != engagement.id:
+                msg = f'The resolved test is associated with engagement "{test.engagement.name}", not with engagement "{converted_dict.get("engagement_name")}"'
+                raise ValidationError(msg)
+            # Also validate by name when the objects were not resolved (e.g. names that match no existing record)
+            if not converted_dict.get("product") and (product_name := converted_dict.get("product_name")) and test.engagement.product.name != product_name:
                 msg = f'The resolved test is associated with product "{test.engagement.product.name}", not with product "{product_name}"'
                 raise ValidationError(msg)
-            if (engagement_name := converted_dict.get("engagement_name")) and test.engagement.name != engagement_name:
+            if not converted_dict.get("engagement") and (engagement_name := converted_dict.get("engagement_name")) and test.engagement.name != engagement_name:
                 msg = f'The resolved test is associated with engagement "{test.engagement.name}", not with engagement "{engagement_name}"'
                 raise ValidationError(msg)
             return user_has_permission(

dojo/importers/auto_create_context.py

@@ -182,7 +182,7 @@ def get_target_engagement_if_exists(
         if engagement := get_object_or_none(Engagement, pk=engagement_id):
             logger.debug("Using existing engagement by id: %s", engagement_id)
             if product is not None and engagement.product_id != product.id:
-                msg = f"Engagement \"{engagement_id}\" does not belong to product \"{product}\""
+                msg = f'Engagement "{engagement_id}" does not belong to product "{product}"'
                 raise ValueError(msg)
             return engagement
         # if there's no product, then for sure there's no engagement either
@@ -207,7 +207,7 @@ def get_target_test_if_exists(
         if test := get_object_or_none(Test, pk=test_id):
             logger.debug("Using existing Test by id: %s", test_id)
             if engagement is not None and test.engagement_id != engagement.id:
-                msg = f"Test \"{test_id}\" does not belong to engagement \"{engagement}\""
+                msg = f'Test "{test_id}" does not belong to engagement "{engagement}"'
                 raise ValueError(msg)
             return test
         # If the engagement is not supplied, we cannot do anything