-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove member group checks and check for permission instead #1275
Conversation
…checks-onboarding
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few minor remarks, looks good otherwise
rocky/onboarding/view_helpers.py
Outdated
@@ -3,6 +3,8 @@ | |||
from django.utils.translation import gettext_lazy as _ | |||
from tools.view_helpers import StepsMixin | |||
|
|||
ONBOARIDNG_PERMS = ["tools.can_scan_organization", "tools.can_set_clearance_level", "tools.can_enable_disable_boefje"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ONBOARIDNG_PERMS = ["tools.can_scan_organization", "tools.can_set_clearance_level", "tools.can_enable_disable_boefje"] | |
ONBOARIDNG_PERMISSIONS = ["tools.can_scan_organization", "tools.can_set_clearance_level", "tools.can_enable_disable_boefje"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're also better of with a tuple instead of a list
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see there is a typo also in ONBOARDING...fix it in c82ccb9
Checklist for QA:
What doesn't work:
|
I noticed that when going through the onboarding as a superuser the "create report" steps are skipped. Is this intentional? I can understand that it could be, but for me personally its a bit undesirable because I liked the option to create the report in the onboarding flow to populate KAT with some basic objects and tasks. And of course you could skip this if you wanted. So I feel it's less flexible now than it was before, and am wondering if that's really what we want. |
@Rieven I verified and it was intentional for superusers to follow the whole onboarding flow, so it's regression when a part of it gets skipped. |
…invws/nl-kat-coordination into feature/remove-group-checks-onboarding
Checklist for QA:
What works:
|
@@ -159,7 +159,7 @@ def save(self, **kwargs): | |||
status=OrganizationMember.STATUSES.ACTIVE, | |||
) | |||
member.groups.add(selected_group.id) | |||
if member.is_admin or self.user.is_superuser: | |||
if member.has_perm("change_organizationmember") or self.user.is_superuser: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does a new member that can change organization members automatically get scan level 4? Wouldn't it be better to have the user set this explicitly? And if we want to have this way, shouldn't we document this and probably make this also clear in the user interface?
This is something we can change in a later PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here admins have by default trusted and acknowledged clearance levels by L4 so they can start scans but do not have clearance permission on objects, so redteamers are the only ones that can increase clearance levels on objects.
We can refactor this part to put defaults at member creation when member is an admin.
* main: Fix robot test (#1420) Use the correct clearance level variable in organization member list template (#1427) Fix translation in Debian package (#1432) Reschedule tasks when no results in bytes are found after grace period (#1410) Don't scan hostname nmap in nmap boefje (#1415) Add and use our own CVE API (#1383) Add `task_id` as a query parameter to the `GET /origins` endpoint (#1414) Remove member group checks and check for permission instead (#1275) Bump cryptography from 41.0.0 to 41.0.2 in /boefjes/boefjes/plugins/kat_ssl_certificates (#1396) Bump cryptography from 41.0.1 to 41.0.2 in /bytes (#1397) Build the Debian build image on the main branch (#1387) Add explicit `black` config to all modules (#1395) Fix <no title> in the user guide docs (#1391) Add configurable octpoes request timeout (#1382) Remove hardcoded clearance level in member list for superusers (#1390) Add Debian build depends for CVE API package (#1384) Add buttons to manual rerun tasks, both boefjes or normalizers (#1339) Use fix multiprocessing bug on macOS where `qsize()` is not implemented (#1374)
* main: (95 commits) Translations for release 1.11 - EN -> NL, PAP (#1439) Add Question ooi model and create the first bit that generates a question (#1407) make port classification configurable (#1418) KATalogus API filtering and pagination (#1405) Fix robot test (#1420) Use the correct clearance level variable in organization member list template (#1427) Fix translation in Debian package (#1432) Reschedule tasks when no results in bytes are found after grace period (#1410) Don't scan hostname nmap in nmap boefje (#1415) Add and use our own CVE API (#1383) Add `task_id` as a query parameter to the `GET /origins` endpoint (#1414) Remove member group checks and check for permission instead (#1275) Bump cryptography from 41.0.0 to 41.0.2 in /boefjes/boefjes/plugins/kat_ssl_certificates (#1396) Bump cryptography from 41.0.1 to 41.0.2 in /bytes (#1397) Build the Debian build image on the main branch (#1387) Add explicit `black` config to all modules (#1395) Fix <no title> in the user guide docs (#1391) Add configurable octpoes request timeout (#1382) Remove hardcoded clearance level in member list for superusers (#1390) Add Debian build depends for CVE API package (#1384) ...
Changes
Remove group checks in especially onboarding and general checks for groups at certain place in the code base.
Issue link
#1050
Closes #1050
Proof
Please add some proof of your working change here, unless this is not required (e.g. this PR is trivial).
Code Checklist
Communication
.env
changes files if required and changed the.env-dist
accordingly.Checklist for code reviewers:
Copy-paste the checklist from the docs/source/templates folder into your comment.
Checklist for QA:
Copy-paste the checklist from the docs/source/templates folder into your comment.