From 742f96fed651b17d57bd5a6edd76936dd88692fa Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Wed, 31 Dec 2025 08:59:22 -0600
Subject: [PATCH] Add permission classes and refine queryset in BurpRawRequestResponseViewSet

---
 dojo/api_v2/views.py | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
index b321c35d558..e18a2ceeb26 100644
--- a/dojo/api_v2/views.py
+++ b/dojo/api_v2/views.py
@@ -2695,15 +2695,24 @@ class BurpRawRequestResponseViewSet(
     queryset = BurpRawRequestResponse.objects.none()
     filter_backends = (DjangoFilterBackend,)
     filterset_fields = ["finding"]
+    permission_classes = (
+        IsAuthenticated,
+        permissions.UserHasFindingPermission,
+    )
 
     def get_queryset(self):
-        results = BurpRawRequestResponse.objects.all()
-        empty_value = b""
-        results = results.exclude(
-            burpRequestBase64__exact=empty_value,
-            burpResponseBase64__exact=empty_value,
+        return (
+            BurpRawRequestResponse.objects.filter(
+                finding__in=get_authorized_findings(
+                    Permissions.Finding_View,
+                ),
+            )
+            .exclude(
+                burpRequestBase64__exact=b"",
+                burpResponseBase64__exact=b"",
+            )
+            .order_by("id")
         )
-        return results.order_by("id")
 
 
 # Authorization: superuser
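Review bot: `permissions.UserHasFindingPermission` is now the object-level check for this viewset, so on a single-row GET its `has_object_permission` receives a `BurpRawRequestResponse` instance rather than a `Finding`, and nothing in this patch (one file changed) shows the permission helper learning about that model; if the helper dispatches on the object's type, a retrieve that the new `get_queryset` already admits could fail with an error instead of a 200, so either confirm the check resolves through `obj.finding` or add a retrieve test as a non-superuser who holds Finding_View on the parent finding. The class's base classes sit in the header above the hunk, so whether a POST path exists is not visible here; if it does, the same class's create-time check would presumably look for a key this model's payload does not carry and should be verified too. The queryset change itself is the right shape: the `finding` filterset field can now only narrow an already authorized set, and rows whose `finding` is unset drop out, which is deny-by-default. A one-line why-comment on `get_queryset` would save the next reader a lookup: `# Scope rows to findings the current user may view; the "finding" filter can only narrow this.`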