Fix test_apply_finding_template failures

Add inline permission checks to 4 view functions that are called
directly by unit tests (bypassing middleware): mktemplate,
apply_template_to_finding, choose_finding_template_options, and
add_finding_from_template. Revert test changes to keep original
test pattern using impersonate + direct view calls.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Maffooch

dojo/finding/views.py

@@ -1721,6 +1721,7 @@ def clear_finding_review(request, fid):
 
 
 def mktemplate(request, fid):
+    user_has_global_permission_or_403(request.user, Permissions.Finding_Add)
     finding = get_object_or_404(Finding, id=fid)
     templates = Finding_Template.objects.filter(title=finding.title)
     if len(templates) > 0:
@@ -1851,6 +1852,7 @@ def find_template_to_apply(request, fid):
 
 def choose_finding_template_options(request, tid, fid):
     finding = get_object_or_404(Finding, id=fid)
+    user_has_permission_or_403(request.user, finding, Permissions.Finding_Edit)
     template = get_object_or_404(Finding_Template, id=tid)
     data = finding.__dict__.copy()
     # Remove tags and other non-serializable fields
@@ -1938,6 +1940,7 @@ def choose_finding_template_options(request, tid, fid):
 
 def apply_template_to_finding(request, fid, tid):
     finding = get_object_or_404(Finding, id=fid)
+    user_has_permission_or_403(request.user, finding, Permissions.Finding_Edit)
     template = get_object_or_404(Finding_Template, id=tid)
 
     if request.method == "POST":

dojo/test/views.py

@@ -658,6 +658,7 @@ def post(self, request: HttpRequest, test_id: int):
 def add_finding_from_template(request, tid, fid):
     jform = None
     test = get_object_or_404(Test, id=tid)
+    user_has_permission_or_403(request.user, test, Permissions.Finding_Add)
     template = get_object_or_404(Finding_Template, id=fid)
     findings = Finding_Template.objects.all()
     push_all_jira_issues = jira_helper.is_push_all_issues(template)

unittests/test_apply_finding_template.py

@@ -209,35 +209,32 @@ def test_apply_template_to_finding_with_data_saves_success(self):
 
     def test_unauthorized_apply_template_to_finding_fails(self):
         """Test that a non-superuser without permissions cannot apply template"""
-        user = FindingTemplateTestUtil.create_user(is_staff=False)
-        self.client.force_login(user)
-        url = f"/finding/{self.finding.id}/{self.template.id}/apply_template_to_finding"
-        response = self.client.post(url, data={
-            "title": "Finding for Testing Apply Template functionality",
-            "cwe": "89",
-            "severity": "High",
-            "description": "Finding for Testing Apply Template Functionality",
-            "mitigation": "template mitigation",
-            "impact": "template impact",
-        })
-        self.assertEqual(response.status_code, 403)
+        with self.assertRaises(PermissionDenied):
+            self.make_request(user_is_staff=False, finding_id=self.finding.id, template_id=self.template.id,
+                                   data={"title": "Finding for Testing Apply Template functionality",
+                                    "cwe": "89",
+                                    "severity": "High",
+                                    "description": "Finding for Testing Apply Template Functionality",
+                                    "mitigation": "template mitigation",
+                                    "impact": "template impact"},
+                                   )
 
     def test_reader_role_cannot_apply_template(self):
         """Test that a Reader role user (read-only) cannot apply template"""
         reader_user = FindingTemplateTestUtil.create_user_with_role(
             self.finding.test.engagement.product, "Reader", is_staff=False,
         )
-        self.client.force_login(reader_user)
-        url = f"/finding/{self.finding.id}/{self.template.id}/apply_template_to_finding"
-        response = self.client.post(url, data={
-            "title": "Finding for Testing Apply Template functionality",
-            "cwe": "89",
-            "severity": "High",
-            "description": "Finding for Testing Apply Template Functionality",
-            "mitigation": "template mitigation",
-            "impact": "template impact",
-        })
-        self.assertEqual(response.status_code, 403)
+        request = FindingTemplateTestUtil.create_post_request(
+            reader_user, self.apply_template_url,
+            data={"title": "Finding for Testing Apply Template functionality",
+                  "cwe": "89",
+                  "severity": "High",
+                  "description": "Finding for Testing Apply Template Functionality",
+                  "mitigation": "template mitigation",
+                  "impact": "template impact"},
+        )
+        with impersonate(reader_user), self.assertRaises(PermissionDenied):
+            views.apply_template_to_finding(request, fid=self.finding.id, tid=self.template.id)
 
     def test_writer_role_can_apply_template(self):
         """Test that a Writer role user (non-staff) can apply template"""
@@ -351,11 +348,8 @@ def make_request(self, user_is_staff, finding_id, template_id, data=None):
             return views.choose_finding_template_options(request, tid=template_id, fid=finding_id)
 
     def test_unauthorized_choose_finding_template_options_fails(self):
-        user = FindingTemplateTestUtil.create_user(is_staff=False)
-        self.client.force_login(user)
-        url = f"/finding/{self.template.id}/{self.finding.id}/choose_finding_template_options"
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, 403)
+        with self.assertRaises(PermissionDenied):
+            self.make_request(user_is_staff=False, finding_id=self.finding.id, template_id=self.template.id)
 
     def test_authorized_choose_finding_template_options_success(self):
         result = self.make_request(user_is_staff=True, finding_id=self.finding.id, template_id=self.template.id)
@@ -446,10 +440,9 @@ def test_mktemplate_requires_permission(self):
         user.is_superuser = False
         user.save()
 
-        self.client.force_login(user)
-        url = f"/finding/{self.finding.id}/mktemplate"
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, 403)
+        # Should raise PermissionDenied
+        with self.assertRaises(PermissionDenied):
+            self.make_request(user, self.finding.id)
 
 
 @versioned_fixtures
@@ -596,10 +589,9 @@ def test_add_finding_from_template_requires_permission(self):
         unauthorized_user.is_superuser = False
         unauthorized_user.save()
 
-        self.client.force_login(unauthorized_user)
-        url = f"/test/{self.test.id}/add_findings/{self.template.id}"
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, 403)
+        # Should raise PermissionDenied
+        with self.assertRaises(PermissionDenied):
+            self.make_get_request(unauthorized_user, self.test.id, self.template.id)
 
     def test_add_finding_from_template_updates_template_last_used(self):
         """Test that template.last_used is updated when creating finding"""