Remove member group checks and check for permission instead #1275
Conversation
…checks-onboarding
rocky/onboarding/view_helpers.py
Outdated
| @@ -3,6 +3,8 @@ | |||
| from django.utils.translation import gettext_lazy as _ | |||
| from tools.view_helpers import StepsMixin | |||
|
|
|||
| ONBOARIDNG_PERMS = ["tools.can_scan_organization", "tools.can_set_clearance_level", "tools.can_enable_disable_boefje"] | |||
There was a problem hiding this comment.
| ONBOARIDNG_PERMS = ["tools.can_scan_organization", "tools.can_set_clearance_level", "tools.can_enable_disable_boefje"] | |
| ONBOARIDNG_PERMISSIONS = ["tools.can_scan_organization", "tools.can_set_clearance_level", "tools.can_enable_disable_boefje"] |
There was a problem hiding this comment.
You're also better of with a tuple instead of a list
There was a problem hiding this comment.
I see there is a typo also in ONBOARDING...fix it in c82ccb9
Checklist for QA:
What doesn't work:
|
|
I noticed that when going through the onboarding as a superuser the "create report" steps are skipped. Is this intentional? I can understand that it could be, but for me personally its a bit undesirable because I liked the option to create the report in the onboarding flow to populate KAT with some basic objects and tasks. And of course you could skip this if you wanted. So I feel it's less flexible now than it was before, and am wondering if that's really what we want. |
|
@Rieven I verified and it was intentional for superusers to follow the whole onboarding flow, so it's regression when a part of it gets skipped. |
…invws/nl-kat-coordination into feature/remove-group-checks-onboarding
Checklist for QA:
What works:
|
| @@ -159,7 +159,7 @@ def save(self, **kwargs): | |||
| status=OrganizationMember.STATUSES.ACTIVE, | |||
| ) | |||
| member.groups.add(selected_group.id) | |||
| if member.is_admin or self.user.is_superuser: | |||
| if member.has_perm("change_organizationmember") or self.user.is_superuser: | |||
There was a problem hiding this comment.
Why does a new member that can change organization members automatically get scan level 4? Wouldn't it be better to have the user set this explicitly? And if we want to have this way, shouldn't we document this and probably make this also clear in the user interface?
This is something we can change in a later PR.
There was a problem hiding this comment.
Here admins have by default trusted and acknowledged clearance levels by L4 so they can start scans but do not have clearance permission on objects, so redteamers are the only ones that can increase clearance levels on objects.
We can refactor this part to put defaults at member creation when member is an admin.
* main: Fix robot test (#1420) Use the correct clearance level variable in organization member list template (#1427) Fix translation in Debian package (#1432) Reschedule tasks when no results in bytes are found after grace period (#1410) Don't scan hostname nmap in nmap boefje (#1415) Add and use our own CVE API (#1383) Add `task_id` as a query parameter to the `GET /origins` endpoint (#1414) Remove member group checks and check for permission instead (#1275) Bump cryptography from 41.0.0 to 41.0.2 in /boefjes/boefjes/plugins/kat_ssl_certificates (#1396) Bump cryptography from 41.0.1 to 41.0.2 in /bytes (#1397) Build the Debian build image on the main branch (#1387) Add explicit `black` config to all modules (#1395) Fix <no title> in the user guide docs (#1391) Add configurable octpoes request timeout (#1382) Remove hardcoded clearance level in member list for superusers (#1390) Add Debian build depends for CVE API package (#1384) Add buttons to manual rerun tasks, both boefjes or normalizers (#1339) Use fix multiprocessing bug on macOS where `qsize()` is not implemented (#1374)
* main: (95 commits) Translations for release 1.11 - EN -> NL, PAP (#1439) Add Question ooi model and create the first bit that generates a question (#1407) make port classification configurable (#1418) KATalogus API filtering and pagination (#1405) Fix robot test (#1420) Use the correct clearance level variable in organization member list template (#1427) Fix translation in Debian package (#1432) Reschedule tasks when no results in bytes are found after grace period (#1410) Don't scan hostname nmap in nmap boefje (#1415) Add and use our own CVE API (#1383) Add `task_id` as a query parameter to the `GET /origins` endpoint (#1414) Remove member group checks and check for permission instead (#1275) Bump cryptography from 41.0.0 to 41.0.2 in /boefjes/boefjes/plugins/kat_ssl_certificates (#1396) Bump cryptography from 41.0.1 to 41.0.2 in /bytes (#1397) Build the Debian build image on the main branch (#1387) Add explicit `black` config to all modules (#1395) Fix <no title> in the user guide docs (#1391) Add configurable octpoes request timeout (#1382) Remove hardcoded clearance level in member list for superusers (#1390) Add Debian build depends for CVE API package (#1384) ...
Changes
Remove group checks in especially onboarding and general checks for groups at certain place in the code base.
Issue link
#1050
Closes #1050
Proof
Please add some proof of your working change here, unless this is not required (e.g. this PR is trivial).
Code Checklist
Communication
.envchanges files if required and changed the.env-distaccordingly.Checklist for code reviewers:
Copy-paste the checklist from the docs/source/templates folder into your comment.
Checklist for QA:
Copy-paste the checklist from the docs/source/templates folder into your comment.