Skip to content

Use RBAC for accept_risks API endpoints #14632

Open
Jino-T wants to merge 2 commits intoDefectDojo:bugfixfrom
Jino-T:accept-risk-api-fix
Open

Use RBAC for accept_risks API endpoints #14632
Jino-T wants to merge 2 commits intoDefectDojo:bugfixfrom
Jino-T:accept-risk-api-fix

Conversation

@Jino-T
Copy link
Copy Markdown
Contributor

@Jino-T Jino-T commented Apr 3, 2026
edited by Maffooch
Loading

  • Replace IsAdminUser with DefectDojo's own RBAC permission system (Permissions.Risk_Acceptance) on all
    accept_risks API endpoints, aligning them with how risk acceptance is authorized everywhere else in the
    application
  • Enforce the product-level enable_full_risk_acceptance setting on all accept_risks endpoints, matching
    the behavior of the UI views
  • Update the bulk POST /api/v2/findings/accept_risks/ endpoint to query engagements using
    Permissions.Risk_Acceptance instead of Permissions.Engagement_View

@github-actions github-actions bot added the apiv2 label Apr 3, 2026
@Maffooch @claude
Fix accept_risks API endpoints to use RBAC instead of IsAdminUser
fe64ee1 
Replace DRF's IsAdminUser permission with DefectDojo's RBAC system
on all accept_risks endpoints. IsAdminUser only checked is_staff,
bypassing role-based access control entirely.

- Use UserHasRiskAcceptanceRelatedObjectPermission for detail endpoints
  (engagement/test accept_risks) to enforce Permissions.Risk_Acceptance
- Change mass endpoint to query engagements with Risk_Acceptance
  permission instead of Engagement_View
- Enforce product-level enable_full_risk_acceptance setting on all
  accept_risks endpoints
- Add 9 RBAC unit tests covering writer/reader roles and the
  enable_full_risk_acceptance product setting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch force-pushed the accept-risk-api-fix branch from d359802 to fe64ee1 Compare April 14, 2026 22:18
@Maffooch Maffooch changed the base branch from dev to bugfix April 14, 2026 22:18
@github-actions github-actions bot added unittests and removed apiv2 labels Apr 14, 2026
@Maffooch @claude
Fix ruff lint: add blank line before class docstring
476e929 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Maffooch Maffooch changed the title Added functionality to risk acceptance Use RBAC for accept_risks API endpoints Apr 14, 2026
@Maffooch Maffooch added this to the 2.57.2 milestone Apr 14, 2026
@Maffooch Maffooch marked this pull request as ready for review April 14, 2026 22:43
@Maffooch Maffooch requested a review from mtesauro as a code owner April 14, 2026 22:43
@Maffooch Maffooch requested review from blakeaowens, mtesauro, paulOsinski and valentijnscholten and removed request for mtesauro April 14, 2026 22:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Maffooch approved these changes

@valentijnscholten valentijnscholten Awaiting requested review from valentijnscholten

@paulOsinski paulOsinski Awaiting requested review from paulOsinski

@blakeaowens blakeaowens Awaiting requested review from blakeaowens

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

unittests

Projects

None yet

Milestone

2.57.2

Development

Successfully merging this pull request may close these issues.

2 participants

@Jino-T @Maffooch