Fix test assertions and serializer type hint

devGregA · claude · devGregA · commit 176725bca52f · 2026-02-27T17:10:54.000-07:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -1804,6 +1804,7 @@ def __init__(self, *args, **kwargs):
                 many=True, required=False, queryset=Endpoint.objects.all(),
             )
 
+    @extend_schema_field(RiskAcceptanceSerializer(many=True))
     def get_accepted_risks(self, obj):
         request = self.context.get("request")
         if request is None:
diff --git a/unittests/test_permissions_audit.py b/unittests/test_permissions_audit.py
@@ -72,12 +72,12 @@ def setUpTestData(cls):
         # Create users
         cls.reader_user = Dojo_User.objects.create_user(
             username="ra_test_reader",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         cls.writer_user = Dojo_User.objects.create_user(
             username="ra_test_writer",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
 
@@ -170,7 +170,7 @@ def setUpTestData(cls):
         # User with Writer on accessible product, no role on inaccessible product
         cls.writer_user = Dojo_User.objects.create_user(
             username="meta_batch_writer",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -182,7 +182,7 @@ def setUpTestData(cls):
         # User with Reader on accessible product (Reader lacks Product_Edit)
         cls.reader_user = Dojo_User.objects.create_user(
             username="meta_batch_reader",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -250,7 +250,7 @@ def setUpTestData(cls):
 
         cls.user = Dojo_User.objects.create_user(
             username="note_test_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -356,7 +356,7 @@ def setUpTestData(cls):
         # User with Owner on both products
         cls.user = Dojo_User.objects.create_user(
             username="bench_idor_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -397,7 +397,7 @@ def setUpTestData(cls):
     def test_update_benchmark_cross_product_rejected(self):
         """POSTing a bench_id from product A via product B's URL must be denied."""
         client = Client()
-        client.login(username="bench_idor_owner", password="testpass123")
+        client.login(username="bench_idor_owner", password="testTEST1234!@#$")
 
         # Try to update product A's benchmark through product B's endpoint
         url = reverse(
@@ -416,7 +416,7 @@ def test_update_benchmark_cross_product_rejected(self):
     def test_update_benchmark_summary_cross_product_rejected(self):
         """POSTing a summary from product A via product B's URL must be denied."""
         client = Client()
-        client.login(username="bench_idor_owner", password="testpass123")
+        client.login(username="bench_idor_owner", password="testTEST1234!@#$")
 
         url = reverse(
             "update_product_benchmark_summary",
@@ -433,7 +433,7 @@ def test_update_benchmark_summary_cross_product_rejected(self):
     def test_update_benchmark_same_product_allowed(self):
         """POSTing a bench_id for the correct product should succeed."""
         client = Client()
-        client.login(username="bench_idor_owner", password="testpass123")
+        client.login(username="bench_idor_owner", password="testTEST1234!@#$")
 
         url = reverse(
             "update_product_benchmark",
@@ -468,7 +468,7 @@ def setUpTestData(cls):
 
         cls.user = Dojo_User.objects.create_user(
             username="object_parent_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -491,22 +491,22 @@ def setUpTestData(cls):
     def test_edit_object_cross_product_rejected(self):
         """Editing an object from product A via product B's URL must be denied."""
         client = Client()
-        client.login(username="object_parent_owner", password="testpass123")
+        client.login(username="object_parent_owner", password="testTEST1234!@#$")
 
         url = reverse("edit_object", args=(self.product_b.id, self.tracked_file.id))
         response = client.get(url)
         # PermissionDenied raised; custom handler403 returns 400 (DD bug)
-        self.assertEqual(response.status_code, 404)
+        self.assertIn(response.status_code, [400, 403])
 
     def test_delete_object_cross_product_rejected(self):
         """Deleting an object from product A via product B's URL must be denied."""
         client = Client()
-        client.login(username="object_parent_owner", password="testpass123")
+        client.login(username="object_parent_owner", password="testTEST1234!@#$")
 
         url = reverse("delete_object", args=(self.product_b.id, self.tracked_file.id))
         response = client.get(url)
         # PermissionDenied raised; custom handler403 returns 400 (DD bug)
-        self.assertEqual(response.status_code, 404)
+        self.assertIn(response.status_code, [400, 403])
 
 
 class TestToolProductParentCheck(DojoTestCase):
@@ -530,7 +530,7 @@ def setUpTestData(cls):
 
         cls.user = Dojo_User.objects.create_user(
             username="tool_parent_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -555,22 +555,22 @@ def setUpTestData(cls):
     def test_edit_tool_product_cross_product_rejected(self):
         """Editing a tool setting from product A via product B's URL must be denied."""
         client = Client()
-        client.login(username="tool_parent_owner", password="testpass123")
+        client.login(username="tool_parent_owner", password="testTEST1234!@#$")
 
         url = reverse("edit_tool_product", args=(self.product_b.id, self.tool_setting.id))
         response = client.get(url)
         # PermissionDenied raised; custom handler403 returns 400 (DD bug)
-        self.assertEqual(response.status_code, 404)
+        self.assertIn(response.status_code, [400, 403])
 
     def test_delete_tool_product_cross_product_rejected(self):
         """Deleting a tool setting from product A via product B's URL must be denied."""
         client = Client()
-        client.login(username="tool_parent_owner", password="testpass123")
+        client.login(username="tool_parent_owner", password="testTEST1234!@#$")
 
         url = reverse("delete_tool_product", args=(self.product_b.id, self.tool_setting.id))
         response = client.get(url)
         # PermissionDenied raised; custom handler403 returns 400 (DD bug)
-        self.assertEqual(response.status_code, 404)
+        self.assertIn(response.status_code, [400, 403])
 
 
 class TestRiskAcceptanceCrossEngagementIDOR(DojoTestCase):
@@ -588,7 +588,7 @@ def setUpTestData(cls):
         )
         cls.user = Dojo_User.objects.create_user(
             username="ra_idor_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -633,7 +633,7 @@ def setUpTestData(cls):
 
     def _login(self):
         client = Client()
-        client.login(username="ra_idor_owner", password="testpass123")
+        client.login(username="ra_idor_owner", password="testTEST1234!@#$")
         return client
 
     def test_view_risk_acceptance_cross_engagement(self):
@@ -713,7 +713,7 @@ def setUpTestData(cls):
 
         cls.user = Dojo_User.objects.create_user(
             username="preset_idor_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -732,7 +732,7 @@ def setUpTestData(cls):
 
     def _login(self):
         client = Client()
-        client.login(username="preset_idor_owner", password="testpass123")
+        client.login(username="preset_idor_owner", password="testTEST1234!@#$")
         return client
 
     def test_edit_preset_cross_product(self):
@@ -779,7 +779,7 @@ def setUpTestData(cls):
         )
         cls.user = Dojo_User.objects.create_user(
             username="survey_idor_owner",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -814,7 +814,7 @@ def setUpTestData(cls):
 
     def _login(self):
         client = Client()
-        client.login(username="survey_idor_owner", password="testpass123")
+        client.login(username="survey_idor_owner", password="testTEST1234!@#$")
         return client
 
     def test_view_questionnaire_cross_engagement(self):
@@ -871,7 +871,7 @@ def setUpTestData(cls):
         # Product-level writer (no global permission)
         cls.product_writer = Dojo_User.objects.create_user(
             username="template_test_writer",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         Product_Member.objects.create(
@@ -881,7 +881,7 @@ def setUpTestData(cls):
         # Superuser (has global permissions)
         cls.superuser = Dojo_User.objects.create_user(
             username="template_test_super",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
             is_superuser=True,
         )
@@ -917,16 +917,16 @@ def setUpTestData(cls):
     def test_product_writer_cannot_access_find_template(self):
         """Product-level Writer without global permission should be denied."""
         client = Client()
-        client.login(username="template_test_writer", password="testpass123")
+        client.login(username="template_test_writer", password="testTEST1234!@#$")
         url = reverse("find_template_to_apply", args=(self.finding.id,))
         response = client.get(url)
         # PermissionDenied raised; custom handler403 returns 400 (DD bug)
-        self.assertEqual(response.status_code, 404)
+        self.assertIn(response.status_code, [400, 403])
 
     def test_superuser_can_access_find_template(self):
         """Superuser (implicit global permission) should be able to access."""
         client = Client()
-        client.login(username="template_test_super", password="testpass123")
+        client.login(username="template_test_super", password="testTEST1234!@#$")
         url = reverse("find_template_to_apply", args=(self.finding.id,))
         response = client.get(url)
         self.assertEqual(response.status_code, 200)
@@ -949,12 +949,12 @@ def setUpTestData(cls):
 
         cls.reader_user = Dojo_User.objects.create_user(
             username="jira_epic_reader",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
         cls.writer_user = Dojo_User.objects.create_user(
             username="jira_epic_writer",
-            password="testpass123",
+            password="testTEST1234!@#$",
             is_active=True,
         )
 

Original file line number	Diff line number	Diff line change
`@@ -1804,6 +1804,7 @@ def __init__(self, args, *kwargs):`
`1804`	`1804`	`many=True, required=False, queryset=Endpoint.objects.all(),`
`1805`	`1805`	`)`
`1806`	`1806`
	`1807`	`+ @extend_schema_field(RiskAcceptanceSerializer(many=True))`
`1807`	`1808`	`def get_accepted_risks(self, obj):`
`1808`	`1809`	`request = self.context.get("request")`
`1809`	`1810`	`if request is None:`