Restrict creation of incidents without BLs to global handlers

An user with only ACLs should not be able to create events/incidents without BLs
security-geeks · Nov 20, 2024 · 8695a31 · 8695a31
1 parent 8d5e7b3
commit 8695a31
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 14 deletions.
diff --git a/fir_api/views.py b/fir_api/views.py
@@ -12,6 +12,7 @@
 
 from rest_framework.renderers import JSONRenderer
 from rest_framework.permissions import IsAuthenticated, IsAdminUser
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.authtoken.models import Token
 from rest_framework.mixins import (
     ListModelMixin,
@@ -132,13 +133,25 @@ def get_businesslines(self, businesslines):
     def perform_create(self, serializer):
         opened_by = self.request.user
         serializer.is_valid(raise_exception=True)
-        if type(self.request.data).__name__ == 'dict':
+        if type(self.request.data).__name__ == "dict":
             bls = self.request.data.get("concerned_business_lines", [])
         else:
             bls = self.request.data.getlist("concerned_business_lines", [])
         concerned_business_lines = []
         if bls:
             concerned_business_lines = self.get_businesslines(businesslines=bls)
+        if bls and not concerned_business_lines:
+            raise PermissionDenied(
+                {
+                    "message": "You don't have write permission on the business lines associated with this incident."
+                }
+            )
+        if not (bls or opened_by.has_perm("incidents.handle_incidents")):
+            raise PermissionDenied(
+                {
+                    "message": "Incidents without business line can only be created by global incident handlers."
+                }
+            )
         serializer.is_valid(raise_exception=True)
         instance = serializer.save(
             opened_by=opened_by,
@@ -153,7 +166,7 @@ def perform_update(self, serializer):
         Comments.create_diff_comment(
             self.get_object(), serializer.validated_data, self.request.user
         )
-        if type(self.request.data).__name__ == 'dict':
+        if type(self.request.data).__name__ == "dict":
             bls = self.request.data.get("concerned_business_lines", [])
         else:
             bls = self.request.data.getlist("concerned_business_lines", [])
@@ -162,6 +175,19 @@ def perform_update(self, serializer):
             extra_dataset["concerned_business_lines"] = self.get_businesslines(
                 businesslines=bls
             )
+        if bls and not extra_dataset["concerned_business_lines"]:
+            raise PermissionDenied(
+                {
+                    "message": "You don't have write permission on the business lines associated with this incident."
+                }
+            )
+        if not (bls or self.request.user.has_perm("incidents.handle_incidents")):
+            raise PermissionDenied(
+                {
+                    "message": "Incidents without business line can only be created by global incident handlers."
+                }
+            )
+
         instance = serializer.save(**extra_dataset)
         instance.refresh_main_business_lines()
         if "description" in serializer.validated_data:
@@ -287,12 +313,12 @@ def upload(self, request, pk):
             pk=pk,
         )
         files_added = []
-        if type(self.request.data).__name__ == 'dict':
+        if type(self.request.data).__name__ == "dict":
             uploaded_files = request.FILES.get("file", [])
         else:
             uploaded_files = request.FILES.getlist("file", [])
 
-        if type(self.request.data).__name__ == 'dict':
+        if type(self.request.data).__name__ == "dict":
             descriptions = request.data.get("description", [])
         else:
             descriptions = request.data.getlist("description", [])
@@ -303,9 +329,7 @@ def upload(self, request, pk):
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
-        for uploaded_file, description in zip(
-            uploaded_files, descriptions
-        ):
+        for uploaded_file, description in zip(uploaded_files, descriptions):
             file_wrapper = FileWrapper(uploaded_file.file)
             file_wrapper.name = uploaded_file.name
             file = handle_uploaded_file(file_wrapper, description, incident)

diff --git a/incidents/forms.py b/incidents/forms.py
@@ -56,13 +56,10 @@ def clean(self):
         if self.user is not None:
             business_lines = cleaned_data.get("concerned_business_lines")
             is_incident = cleaned_data.get("is_incident")
-            if is_incident:
-                bl_ids = business_lines.values_list('id', flat=True)
-                handling_bls = BusinessLine.authorization.for_user(self.user, 'incidents.handle_incidents').filter(
-                    pk__in=bl_ids).count()
-                if len(bl_ids) != handling_bls:
-                    self.add_error('is_incident',
-                                   forms.ValidationError(_('You cannot create incidents for these business lines')))
+            if not (business_lines or self.user.has_perm("incidents.handle_incidents")):
+                self.add_error('concerned_business_lines',
+                                forms.ValidationError("Incidents without business line can only be created by global incident handlers."))
+
         return cleaned_data
 
     class Meta: