Improve API endpoints for Risk Acceptances

dojo/api_v2/serializers.py

@@ -1527,6 +1527,16 @@ def get_engagement(self, obj):
             engagement
         )
 
+    def validate(self, data):
+        if self.context["request"].method == "POST":
+            findings = data['accepted_findings']
+            for finding in findings:
+                if not user_has_permission(self.context["request"].user, finding, Permissions.Finding_View):
+                    raise PermissionDenied(
+                        "You are not permitted to add one or more selected findings to this risk acceptance"
+                    )
+        return data
+
     class Meta:
         model = Risk_Acceptance
         fields = "__all__"

dojo/api_v2/views.py

@@ -743,12 +743,7 @@ def download_file(self, request, file_id, pk=None):
 
 
 class RiskAcceptanceViewSet(
-    prefetch.PrefetchListMixin,
-    prefetch.PrefetchRetrieveMixin,
-    mixins.DestroyModelMixin,
-    mixins.UpdateModelMixin,
-    viewsets.ReadOnlyModelViewSet,
-    dojo_mixins.DeletePreviewModelMixin,
+    PrefetchDojoModelViewSet
 ):
     serializer_class = serializers.RiskAcceptanceSerializer
     queryset = Risk_Acceptance.objects.none()

unittests/test_apiv2_methods_and_endpoints.py

@@ -45,7 +45,7 @@ def test_is_defined(self):
         exempt_list = [
             'import-scan', 'reimport-scan', 'notes', 'system_settings', 'roles',
             'import-languages', 'endpoint_meta_import', 'test_types',
-            'configuration_permissions', 'risk_acceptance', 'questionnaire_questions',
+            'configuration_permissions', 'questionnaire_questions',
             'questionnaire_answers', 'questionnaire_answered_questionnaires',
             'questionnaire_engagement_questionnaires', 'questionnaire_general_questionnaires',
             'dojo_group_members', 'product_members', 'product_groups', 'product_type_groups',

unittests/test_rest_framework.py

@@ -967,6 +967,12 @@ def __init__(self, *args, **kwargs):
         self.deleted_objects = 3
         BaseClass.RESTEndpointTest.__init__(self, *args, **kwargs)
 
+    def test_create_object_not_authorized(self):
+        self.setUp_not_authorized()
+
+        response = self.client.post(self.url, self.payload)
+        self.assertEqual(403, response.status_code, response.content[:1000])
+
 
 class FindingRequestResponseTest(DojoAPITestCase):
     fixtures = ['dojo_testdata.json']