update model + migration

Author: kiblik

docker-compose.yml

@@ -127,6 +127,7 @@ services:
       POSTGRES_PASSWORD: ${DD_DATABASE_PASSWORD:-defectdojo}
     volumes:
       - defectdojo_postgres:/var/lib/postgresql/data
+      - ./psql_bck:/psql_bck
   redis:
     # Pinning to this version due to licensing constraints
     image: redis:7.2.9-alpine@sha256:fce236b99c58ef7196c4e243e43f533b404d5c17239cae4e6e262b729a1952b3

dojo/api_v2/serializers.py

@@ -1535,53 +1535,47 @@ def create(self, validated_data):
         return instance
 
     def update(self, instance, validated_data):
-        # Determine findings to risk accept, and findings to unaccept risk
-        existing_findings = Finding.objects.filter(risk_acceptance=self.instance.id)
-        new_findings_ids = [x.id for x in validated_data.get("accepted_findings", [])]
-        new_findings = Finding.objects.filter(id__in=new_findings_ids)
-        findings_to_add = set(new_findings) - set(existing_findings)
-        findings_to_remove = set(existing_findings) - set(new_findings)
-        findings_to_add = Finding.objects.filter(id__in=[x.id for x in findings_to_add])
-        findings_to_remove = Finding.objects.filter(id__in=[x.id for x in findings_to_remove])
+        if "accepted_findings" in validated_data:
+            # Determine findings to risk accept, and findings to unaccept risk
+            existing_findings = Finding.objects.filter(risk_acceptance=self.instance.id)
+            new_findings_ids = [x.id for x in validated_data.get("accepted_findings", [])]
+            new_findings = Finding.objects.filter(id__in=new_findings_ids)
+            findings_to_add = set(new_findings) - set(existing_findings)
+            findings_to_remove = set(existing_findings) - set(new_findings)
+            findings_to_add = Finding.objects.filter(id__in=[x.id for x in findings_to_add])
+            findings_to_remove = Finding.objects.filter(id__in=[x.id for x in findings_to_remove])
+        else:
+            findings_to_remove = findings_to_add = []
+
         # Make the update in the database
         instance = super().update(instance, validated_data)
-        user = getattr(self.context.get("request", None), "user", None)
-        # Add the new findings
-        ra_helper.add_findings_to_risk_acceptance(user, instance, findings_to_add)
-        # Remove the ones that were not present in the payload
-        for finding in findings_to_remove:
-            ra_helper.remove_finding_from_risk_acceptance(user, instance, finding)
+
+        if findings_to_add or findings_to_remove:
+            user = getattr(self.context.get("request", None), "user", None)
+            # Add the new findings
+            ra_helper.add_findings_to_risk_acceptance(user, instance, findings_to_add)
+            # Remove the ones that were not present in the payload
+            for finding in findings_to_remove:
+                ra_helper.remove_finding_from_risk_acceptance(user, instance, finding)
         return instance
 
     @extend_schema_field(serializers.CharField())
     def get_path(self, obj):
-        engagement = Engagement.objects.filter(
-            risk_acceptance__id__in=[obj.id],
-        ).first()
         path = "No proof has been supplied"
-        if engagement and obj.filename() is not None:
+        if obj.filename() is not None:
             path = reverse(
-                "download_risk_acceptance", args=(engagement.id, obj.id),
+                "download_risk_acceptance", args=(obj.engagement.id, obj.id),
             )
             request = self.context.get("request")
             if request:
                 path = request.build_absolute_uri(path)
         return path
 
-    @extend_schema_field(serializers.IntegerField())
-    def get_engagement(self, obj):
-        engagement = Engagement.objects.filter(
-            risk_acceptance__id__in=[obj.id],
-        ).first()
-        return EngagementSerializer(read_only=True).to_representation(
-            engagement,
-        )
-
     def validate(self, data):
-        def validate_findings_have_same_engagement(finding_objects: list[Finding]):
+        def validate_findings_have_same_engagement(finding_objects: list[Finding]):  # TODO: check
             engagements = finding_objects.values_list("test__engagement__id", flat=True).distinct().count()
             if engagements > 1:
-                msg = "You are not permitted to add findings from multiple engagements"
+                msg = "You are not permitted to add findings from multiple engagements"  # TODO: same is missing for UI
                 raise PermissionDenied(msg)
 
         findings = data.get("accepted_findings", [])

dojo/api_v2/views.py

@@ -420,7 +420,7 @@ def destroy(self, request, *args, **kwargs):
     def get_queryset(self):
         return (
             get_authorized_engagements(Permissions.Engagement_View)
-            .prefetch_related("notes", "risk_acceptance", "files")
+            .prefetch_related("notes", "risk_acceptance_set", "files")
             .distinct()
         )
 
@@ -704,7 +704,7 @@ def get_queryset(self):
         return (
             get_authorized_risk_acceptances(Permissions.Risk_Acceptance)
             .prefetch_related(
-                "notes", "engagement_set", "owner", "accepted_findings",
+                "notes", "engagement", "owner", "accepted_findings",
             )
             .distinct()
         )

dojo/db_migrations/0231_add_engagement_risk_acceptance.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.8 on 2025-05-01 12:54
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0230_alter_jira_instance_accepted_mapping_resolution_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='risk_acceptance',
+            name='engagement',
+            field=models.ForeignKey(blank=True, editable=False, null=True, on_delete=django.db.models.deletion.CASCADE, to='dojo.engagement'),
+        ),
+    ]

dojo/db_migrations/0232_set_risk_acceptance_engagement.py

@@ -0,0 +1,28 @@
+# Generated by Django 5.1.8 on 2025-05-01 12:59
+
+import django.db.models.deletion
+from django.db import migrations, models
+import logging
+
+logger = logging.getLogger(__name__)
+
+def set_engagement_based_on_findings(apps, schema_editor):
+    Engagement = apps.get_model('dojo', 'Engagement')
+    RiskAcceptance = apps.get_model('dojo', 'Risk_Acceptance')
+    through_model = Engagement.risk_acceptance.through
+
+    for rel in through_model.objects.all():
+        ra = RiskAcceptance.objects.get(pk=rel.risk_acceptance_id)
+        ra.engagement_id = rel.engagement_id
+        ra.save()
+            
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0231_add_engagement_risk_acceptance'),
+    ]
+
+    operations = [
+        migrations.RunPython(set_engagement_based_on_findings, migrations.RunPython.noop),
+    ]

dojo/db_migrations/0233_alter_risk_acceptance_engagement.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.1.8 on 2025-05-01 12:59
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0232_set_risk_acceptance_engagement'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='risk_acceptance',
+            name='engagement',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='dojo.engagement'),
+        ),
+        migrations.RemoveField(
+            model_name='engagement',
+            name='risk_acceptance',
+        ),
+    ]

dojo/engagement/views.py

@@ -425,7 +425,7 @@ def get_template(self):
         return "dojo/view_eng.html"
 
     def get_risks_accepted(self, eng):
-        return eng.risk_acceptance.all().select_related("owner").annotate(accepted_findings_count=Count("accepted_findings__id"))
+        return eng.risk_acceptance_set.all().select_related("owner").annotate(accepted_findings_count=Count("accepted_findings__id"))
 
     def get_filtered_tests(
         self,
@@ -1226,8 +1226,6 @@ def add_risk_acceptance(request, eid, fid=None):
             if notes:
                 risk_acceptance.notes.add(notes)
 
-            eng.risk_acceptance.add(risk_acceptance)
-
             findings = form.cleaned_data["accepted_findings"]
 
             risk_acceptance = ra_helper.add_findings_to_risk_acceptance(request.user, risk_acceptance, findings)
@@ -1241,13 +1239,16 @@ def add_risk_acceptance(request, eid, fid=None):
             return redirect_to_return_url_or_else(request, reverse("view_engagement", args=(eid, )))
     else:
         risk_acceptance_title_suggestion = f"Accept: {finding}"
-        form = RiskAcceptanceForm(initial={"owner": request.user, "name": risk_acceptance_title_suggestion})
+        form = RiskAcceptanceForm(initial={"owner": request.user, "name": risk_acceptance_title_suggestion, "engagement": eng.id})
 
     finding_choices = Finding.objects.filter(duplicate=False, test__engagement=eng).filter(NOT_ACCEPTED_FINDINGS_QUERY).order_by("title")
 
     form.fields["accepted_findings"].queryset = finding_choices
     if fid:
         form.fields["accepted_findings"].initial = {fid}
+    field = form.fields["engagement"]
+    field.widget = field.hidden_widget()
+
     product_tab = Product_Tab(eng.product, title="Risk Acceptance", tab="engagements")
     product_tab.setEngagement(eng)
 
@@ -1386,6 +1387,10 @@ def view_edit_risk_acceptance(request, eid, raid, *, edit_mode=False):
     elif edit_mode:
         risk_acceptance_form = EditRiskAcceptanceForm(instance=risk_acceptance)
 
+    if risk_acceptance_form:
+        field = risk_acceptance_form.fields["engagement"]
+        field.widget = field.hidden_widget()
+
     note_form = NoteForm()
     replace_form = ReplaceRiskAcceptanceProofForm(instance=risk_acceptance)
     add_findings_form = AddFindingsRiskAcceptanceForm(instance=risk_acceptance)

dojo/filters.py

@@ -2800,7 +2800,7 @@ class Meta:
             "name", "accepted_findings", "recommendation", "recommendation_details",
             "decision", "decision_details", "accepted_by", "owner", "expiration_date",
             "expiration_date_warned", "expiration_date_handled", "reactivate_expired",
-            "restart_sla_expired", "notes",
+            "restart_sla_expired", "notes", "engagement",
         ]
 
 

dojo/fixtures/defect_dojo_sample_data.json

@@ -2784,7 +2784,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -2831,7 +2830,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -2878,7 +2876,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -2925,7 +2922,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -2972,7 +2968,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [
       "pci"
     ],
@@ -3019,7 +3014,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -3066,7 +3060,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -3113,7 +3106,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [
       "pci"
     ],
@@ -3162,7 +3154,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -3209,7 +3200,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -3254,7 +3244,6 @@
     "deduplication_on_engagement": false,
     "notes": [],
     "files": [],
-    "risk_acceptance": [],
     "tags": [],
     "inherited_tags": []
   }
@@ -33296,6 +33285,7 @@
     "restart_sla_expired": false,
     "created": "2024-01-29T15:35:18.089Z",
     "updated": "2024-01-29T15:35:18.089Z",
+    "engagement": 1,
     "accepted_findings": [
       2
     ],

dojo/fixtures/dojo_testdata.json

@@ -532,7 +532,6 @@
       "report_type": null,
       "first_contacted": null,
       "tmodel_path": "none",
-      "risk_acceptance": [],
       "lead": 2,
       "version": null,
       "progress": "threat_model",
@@ -562,9 +561,6 @@
       "report_type": null,
       "first_contacted": null,
       "tmodel_path": "none",
-      "risk_acceptance": [
-        1
-      ],
       "lead": 1,
       "version": null,
       "progress": "threat_model",
@@ -594,7 +590,6 @@
       "report_type": null,
       "first_contacted": null,
       "tmodel_path": "none",
-      "risk_acceptance": [],
       "lead": 2,
       "version": null,
       "progress": "threat_model",
@@ -627,7 +622,6 @@
       "report_type": null,
       "first_contacted": null,
       "tmodel_path": "none",
-      "risk_acceptance": [],
       "lead": 1,
       "version": null,
       "progress": "threat_model",
@@ -657,7 +651,6 @@
       "report_type": null,
       "first_contacted": null,
       "tmodel_path": "none",
-      "risk_acceptance": [],
       "lead": 1,
       "version": null,
       "progress": "threat_model",
@@ -697,6 +690,7 @@
       "restart_sla_expired": false,
       "created": "2023-03-01T22:12:43.829Z",
       "updated": "2023-03-01T22:12:43.891Z",
+      "engagement": 2,
       "accepted_findings": [
         226
       ],
@@ -712,7 +706,6 @@
       "report_type": null,
       "first_contacted": null,
       "tmodel_path": "none",
-      "risk_acceptance": [],
       "lead": 1,
       "version": null,
       "progress": "threat_model",