
creds-notes-fixes Some updates to creds/cred-related notes #10644

Merged
mtesauro merged 2 commits into DefectDojo:bugfix from dogboat:creds-notes-fixes
Jul 29, 2024

Conversation

@dogboat
Contributor

@dogboat dogboat commented Jul 29, 2024

Description

Some updates to things I noticed while doing the 'cascading notes deletes' patch.

Changes included:

  • Display the "Add Note" button on the credentials view page; it's there, but was invisible.
  • Show the 'delete note' button for the note creator and fix note deletion.
  • Update the "Associated Products" header to have less spacing around it.
  • Fix credential deletion so that it works.

Test results

Things delete and show up differently now. Some before/after pictures:

"Add Note" before:
add_note_before
"Add Note" after:
add_note_after

"Delete Note" before:
delete_before
"Delete Note" after:
delete_note_after

"Associated Products Header" before:
header_before

"Associated Products Header" after:
haeder_after

… Note" button on cred notes page; show delete note button for note creator and fix note deletion; fix "Associated Products" header to have less spacing around it; fix credential deletion
@github-actions github-actions Bot added the ui label Jul 29, 2024
@dryrunsecurity

dryrunsecurity Bot commented Jul 29, 2024

DryRun Security Summary

The pull request focuses on improving the credential management functionality in the Django web application, including updates to the view_cred_details function, enhancements to the delete_cred_controller function, and improvements to the note management system, with a security-conscious approach and a focus on ensuring the security and usability of the credential management functionality.


Summary:

The code changes in this pull request are focused on improving the credential management functionality in the Django web application. The changes include updates to the view_cred_details function to display the username of the logged-in user, enhancements to the delete_cred_controller function to prevent the accidental deletion of credentials that are still in use, and improvements to the note management system for credentials.

The changes to the note management system, specifically in the dojo/templates/dojo/view_cred_details.html and dojo/notes/views.py files, demonstrate a security-conscious approach. The code now includes a form-based approach for adding and deleting notes, which ensures the inclusion of CSRF tokens and proper access control. Additionally, the changes to the delete_note function in dojo/notes/views.py show that the application is checking user permissions before allowing the deletion of notes.

Overall, the code changes in this pull request appear to be focused on improving the security and usability of the credential management functionality within the Dojo application. While there are no obvious security vulnerabilities introduced, it's important to continue reviewing the application's security posture, including authentication, authorization, input validation, and other security-related aspects, to ensure a comprehensive security approach.

Files Changed:

  1. dojo/cred/views.py:

    • The view_cred_details function now includes the logged-in user's username in the context dictionary.
    • The delete_cred_controller function has been modified to handle the deletion of credentials more carefully, ensuring that credentials are not accidentally deleted if they are still in use.
  2. dojo/templates/dojo/view_cred_details.html:

    • The duplicate <div class="panel-heading"> element for the "Associated Products" section has been removed.
    • The "Notes" section has been improved, allowing users to add new notes and delete existing ones using a form-based approach.
    • Accessibility improvements have been made, such as adding aria-label attributes to the delete button and the "Add Note" button.
  3. dojo/notes/views.py:

    • The delete_note function has been updated to handle notes associated with Cred_User objects, in addition to existing support for notes related to "Engagement", "Finding", and "Test" objects.
    • The code ensures that users have the necessary permissions to delete notes, checking the user's role and the Permissions.Note_Delete permission for the associated object.

Code Analysis

We ran 9 analyzers against 3 files; 1 analyzer had findings and 8 analyzers had no findings.

Analyzer: Authn/Authz Analyzer
Findings: 4

Riskiness

🟢 Risk threshold not exceeded.

@mtesauro
Contributor
@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit bb24b6f into DefectDojo:bugfix Jul 29, 2024