From 36336bba2447be17a246643d016ae7e7b8ddb39d Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 12 Mar 2026 16:09:39 -0600
Subject: [PATCH] Add authorization check to link_engagement action

The link_engagement endpoint in QuestionnaireEngagementSurveyViewSet was missing a permission check on the target engagement. Added user_has_permission_or_403 with Engagement_Edit to ensure the requesting user is authorized before linking.

Co-Authored-By: Claude Opus 4.6
---
 dojo/api_v2/views.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
index c106d667e77..fd7a1dafad1 100644
--- a/dojo/api_v2/views.py
+++ b/dojo/api_v2/views.py
@@ -3387,6 +3387,8 @@ def link_engagement(self, request, pk, engagement_id):
 engagement_survey = self.get_object()
 # Safely get the engagement
 engagement = get_object_or_404(Engagement.objects, pk=engagement_id)
+ # Verify the user has permission to edit the engagement
+ user_has_permission_or_403(request.user, engagement, Permissions.Engagement_Edit)
 # Link the engagement
 answered_survey, _ = Answered_Survey.objects.get_or_create(engagement=engagement, survey=engagement_survey)
 # Send a favorable response
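Review bot: The new `user_has_permission_or_403` call sits after `get_object_or_404(Engagement.objects, pk=engagement_id)`, so a caller without Engagement_Edit still receives 404 for a non-existent id and 403 for an existing one, which lets the response status reveal whether an engagement id exists before authorization is decided; if the rest of the API deliberately accepts that ordering this is fine, otherwise resolve the engagement through whatever permission-filtered queryset the module already uses for engagements (not visible in this hunk) so both cases collapse to the same status. The diffstat shows only the two inserted lines and no import change, so this assumes `user_has_permission_or_403` and `Permissions` are already imported in views.py; if they are not, the action will fail with a NameError at request time rather than at import time, which a single request-level test would catch. The action still has no docstring; I would add one stating that it links the questionnaire to the engagement, requires Engagement_Edit on the target engagement, and returns 404 for an unknown engagement and 403 when the permission check fails. The body of `link_engagement` continues past the end of the hunk, so the "favorable response" and any further checks are not reviewed here.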