Merge branch 'bugfix' into add-scheduled-engagement-status

Author: Maffooch

docs/content/releases/os_upgrading/2.56.md

@@ -0,0 +1,27 @@
+---
+title: 'Upgrading to DefectDojo Version 2.56.x'
+toc_hide: true
+weight: -20260215
+description: Deprecation of Questionnaire API Endpoints
+---
+
+## Deprecation: Questionnaire API Endpoints
+
+The following Questionnaire API endpoints are being deprecated and will be removed in DefectDojo 2.59.0 on June 1st, 2026:
+
+- `/api/v2/questionnaire_answered_questionnaires/`
+- `/api/v2/questionnaire_answers/`
+- `/api/v2/questionnaire_engagement_questionnaires/`
+- `/api/v2/questionnaire_general_questionnaires/`
+- `/api/v2/questionnaire_questions`
+
+### Required Actions
+
+Support for these endpoints will be fully removed in DefectDojo 2.59.0 (scheduled for June 1st, 2026). After this date, any requests to these endpoints will return a 404 Not Found error.
+
+### Timeline
+
+- **DefectDojo 2.56.x onwards**: Endpoints are deprecated with deprecation headers
+- **DefectDojo 2.59.0 (June 1st, 2026)**: Endpoints will be removed entirely
+
+For more information, check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.56.0).

docs/content/releases/os_upgrading/2.59.md

@@ -0,0 +1,22 @@
+---
+title: 'Upgrading to DefectDojo Version 2.59.x'
+toc_hide: true
+weight: -20260602
+description: Removal of Questionnaire API Endpoints
+---
+
+## Removal: Questionnaire API Endpoints
+
+As announced in DefectDojo 2.56.0, the following Questionnaire API endpoints have been removed:
+
+- `/api/v2/questionnaire_answered_questionnaires/`
+- `/api/v2/questionnaire_answers/`
+- `/api/v2/questionnaire_engagement_questionnaires/`
+- `/api/v2/questionnaire_general_questionnaires/`
+- `/api/v2/questionnaire_questions`
+
+### Required Actions
+
+Any requests to these endpoints will now return a 404 Not Found error.
+
+For more information, check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.59.0).

dojo/api_v2/permissions.py

@@ -385,6 +385,15 @@ class UserHasEngagementRelatedObjectPermission(BaseRelatedObjectPermission):
     }
 
 
+class UserHasEngagementNotePermission(BaseRelatedObjectPermission):
+    permission_map = {
+        "get_permission": Permissions.Engagement_View,
+        "put_permission": Permissions.Engagement_Edit,
+        "delete_permission": Permissions.Engagement_Edit,
+        "post_permission": Permissions.Engagement_View,
+    }
+
+
 class UserHasRiskAcceptancePermission(permissions.BasePermission):
     def has_permission(self, request, view):
         # The previous implementation only checked for the object permission if the path was
@@ -437,6 +446,15 @@ class UserHasFindingRelatedObjectPermission(BaseRelatedObjectPermission):
     }
 
 
+class UserHasFindingNotePermission(BaseRelatedObjectPermission):
+    permission_map = {
+        "get_permission": Permissions.Finding_View,
+        "put_permission": Permissions.Finding_Edit,
+        "delete_permission": Permissions.Finding_Edit,
+        "post_permission": Permissions.Finding_View,
+    }
+
+
 class UserHasImportPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         # permission check takes place before validation, so we don't have access to serializer.validated_data()
@@ -817,6 +835,15 @@ class UserHasTestRelatedObjectPermission(BaseRelatedObjectPermission):
     }
 
 
+class UserHasTestNotePermission(BaseRelatedObjectPermission):
+    permission_map = {
+        "get_permission": Permissions.Test_View,
+        "put_permission": Permissions.Test_Edit,
+        "delete_permission": Permissions.Test_Edit,
+        "post_permission": Permissions.Test_View,
+    }
+
+
 class UserHasTestImportPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(

dojo/api_v2/views.py

@@ -121,6 +121,7 @@
     Languages,
     Network_Locations,
     Note_Type,
+    NoteHistory,
     Notes,
     Notification_Webhooks,
     Notifications,
@@ -242,6 +243,19 @@ class PrefetchDojoModelViewSet(
     pass
 
 
+class DeprecationNoticeMixin:
+
+    deprecated: bool | None = None
+    end_of_life_date: datetime | None = None
+
+    def finalize_response(self, request, response, *args, **kwargs):
+        if self.deprecated is not None:
+            response["X-Deprecated"] = self.deprecated
+        if self.end_of_life_date is not None:
+            response["X-End-Of-Life-Date"] = self.end_of_life_date.isoformat()
+        return super().finalize_response(request, response, *args, **kwargs)
+
+
 # Authorization: authenticated users
 class RoleViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = serializers.RoleSerializer
@@ -504,7 +518,7 @@ def generate_report(self, request, pk=None):
         request=serializers.AddNewNoteOptionSerializer,
         responses={status.HTTP_201_CREATED: serializers.NoteSerializer},
     )
-    @action(detail=True, methods=["get", "post"], permission_classes=[IsAuthenticated, permissions.UserHasEngagementRelatedObjectPermission])
+    @action(detail=True, methods=["get", "post"], permission_classes=[IsAuthenticated, permissions.UserHasEngagementNotePermission])
     def notes(self, request, pk=None):
         engagement = self.get_object()
         if request.method == "POST":
@@ -532,6 +546,10 @@ def notes(self, request, pk=None):
                 note_type=note_type,
             )
             note.save()
+            # Add an entry to the note history
+            history = NoteHistory.objects.create(data=note.entry, time=note.date, current_editor=note.author)
+            note.history.add(history)
+            # Now add the note to the object
             engagement.notes.add(note)
             # Determine if we need to send any notifications for user mentioned
             process_tag_notifications(
@@ -1096,7 +1114,7 @@ def request_response(self, request, pk=None):
         request=serializers.AddNewNoteOptionSerializer,
         responses={status.HTTP_201_CREATED: serializers.NoteSerializer},
     )
-    @action(detail=True, methods=["get", "post"], permission_classes=(IsAuthenticated, permissions.UserHasFindingRelatedObjectPermission))
+    @action(detail=True, methods=["get", "post"], permission_classes=(IsAuthenticated, permissions.UserHasFindingNotePermission))
     def notes(self, request, pk=None):
         finding = self.get_object()
         if request.method == "POST":
@@ -1125,6 +1143,10 @@ def notes(self, request, pk=None):
                 note_type=note_type,
             )
             note.save()
+            # Add an entry to the note history
+            history = NoteHistory.objects.create(data=note.entry, time=note.date, current_editor=note.author)
+            note.history.add(history)
+            # Now add the note to the object
             finding.last_reviewed = note.date
             finding.last_reviewed_by = author
             finding.save(update_fields=["last_reviewed", "last_reviewed_by", "updated"])
@@ -1226,7 +1248,7 @@ def download_file(self, request, file_id, pk=None):
         request=serializers.FindingNoteSerializer,
         responses={status.HTTP_204_NO_CONTENT: ""},
     )
-    @action(detail=True, methods=["patch"], permission_classes=(IsAuthenticated, permissions.UserHasFindingRelatedObjectPermission))
+    @action(detail=True, methods=["patch"], permission_classes=(IsAuthenticated, permissions.UserHasFindingNotePermission))
     def remove_note(self, request, pk=None):
         """Remove Note From Finding Note"""
         finding = self.get_object()
@@ -2162,7 +2184,7 @@ def generate_report(self, request, pk=None):
         request=serializers.AddNewNoteOptionSerializer,
         responses={status.HTTP_201_CREATED: serializers.NoteSerializer},
     )
-    @action(detail=True, methods=["get", "post"], permission_classes=(IsAuthenticated, permissions.UserHasTestRelatedObjectPermission))
+    @action(detail=True, methods=["get", "post"], permission_classes=(IsAuthenticated, permissions.UserHasTestNotePermission))
     def notes(self, request, pk=None):
         test = self.get_object()
         if request.method == "POST":
@@ -2190,6 +2212,10 @@ def notes(self, request, pk=None):
                 note_type=note_type,
             )
             note.save()
+            # Add an entry to the note history
+            history = NoteHistory.objects.create(data=note.entry, time=note.date, current_editor=note.author)
+            note.history.add(history)
+            # Now add the note to the object
             test.notes.add(note)
             # Determine if we need to send any notifications for user mentioned
             process_tag_notifications(
@@ -3173,7 +3199,10 @@ def get_queryset(self):
 class QuestionnaireQuestionViewSet(
     viewsets.ReadOnlyModelViewSet,
     dojo_mixins.QuestionSubClassFieldsMixin,
+    DeprecationNoticeMixin,
 ):
+    deprecated = True
+    end_of_life_date = datetime(2026, 6, 1)
     serializer_class = serializers.QuestionnaireQuestionSerializer
     queryset = Question.objects.none()
     filter_backends = (DjangoFilterBackend,)
@@ -3185,11 +3214,28 @@ class QuestionnaireQuestionViewSet(
     def get_queryset(self):
         return Question.objects.all().order_by("id")
 
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def list(self, request, *args, **kwargs):
+        return super().list(request, *args, **kwargs)
+
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
 
 class QuestionnaireAnswerViewSet(
     viewsets.ReadOnlyModelViewSet,
     dojo_mixins.AnswerSubClassFieldsMixin,
+    DeprecationNoticeMixin,
 ):
+    deprecated = True
+    end_of_life_date = datetime(2026, 6, 1)
     serializer_class = serializers.QuestionnaireAnswerSerializer
     queryset = Answer.objects.none()
     filter_backends = (DjangoFilterBackend,)
@@ -3201,10 +3247,27 @@ class QuestionnaireAnswerViewSet(
     def get_queryset(self):
         return Answer.objects.all().order_by("id")
 
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def list(self, request, *args, **kwargs):
+        return super().list(request, *args, **kwargs)
+
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
 
 class QuestionnaireGeneralSurveyViewSet(
     viewsets.ReadOnlyModelViewSet,
+    DeprecationNoticeMixin,
 ):
+    deprecated = True
+    end_of_life_date = datetime(2026, 6, 1)
     serializer_class = serializers.QuestionnaireGeneralSurveySerializer
     queryset = General_Survey.objects.none()
     filter_backends = (DjangoFilterBackend,)
@@ -3216,10 +3279,27 @@ class QuestionnaireGeneralSurveyViewSet(
     def get_queryset(self):
         return General_Survey.objects.all().order_by("id")
 
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def list(self, request, *args, **kwargs):
+        return super().list(request, *args, **kwargs)
+
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
 
 class QuestionnaireEngagementSurveyViewSet(
     viewsets.ReadOnlyModelViewSet,
+    DeprecationNoticeMixin,
 ):
+    deprecated = True
+    end_of_life_date = datetime(2026, 6, 1)
     serializer_class = serializers.QuestionnaireEngagementSurveySerializer
     queryset = Engagement_Survey.objects.none()
     filter_backends = (DjangoFilterBackend,)
@@ -3232,13 +3312,29 @@ def get_queryset(self):
         return Engagement_Survey.objects.all().order_by("id")
 
     @extend_schema(
-    request=OpenApiTypes.NONE,
-    parameters=[
-        OpenApiParameter(
-            "engagement_id", OpenApiTypes.INT, OpenApiParameter.PATH,
-        ),
-    ],
-    responses={status.HTTP_200_OK: serializers.QuestionnaireAnsweredSurveySerializer},
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def list(self, request, *args, **kwargs):
+        return super().list(request, *args, **kwargs)
+
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+        request=OpenApiTypes.NONE,
+        parameters=[
+            OpenApiParameter(
+                "engagement_id", OpenApiTypes.INT, OpenApiParameter.PATH,
+            ),
+        ],
+        responses={status.HTTP_200_OK: serializers.QuestionnaireAnsweredSurveySerializer},
     )
     @action(
         detail=True, methods=["post"], url_path=r"link_engagement/(?P<engagement_id>\d+)",
@@ -3260,7 +3356,10 @@ class QuestionnaireAnsweredSurveyViewSet(
     prefetch.PrefetchListMixin,
     prefetch.PrefetchRetrieveMixin,
     viewsets.ReadOnlyModelViewSet,
+    DeprecationNoticeMixin,
 ):
+    deprecated = True
+    end_of_life_date = datetime(2026, 6, 1)
     serializer_class = serializers.QuestionnaireAnsweredSurveySerializer
     queryset = Answered_Survey.objects.none()
     filter_backends = (DjangoFilterBackend,)
@@ -3272,6 +3371,20 @@ class QuestionnaireAnsweredSurveyViewSet(
     def get_queryset(self):
         return Answered_Survey.objects.all().order_by("id")
 
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def list(self, request, *args, **kwargs):
+        return super().list(request, *args, **kwargs)
+
+    @extend_schema(
+        deprecated=True,
+        description="This endpoint is deprecated and will be removed on 2026-06-01.",
+    )
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
 
 # Authorization: configuration
 class AnnouncementViewSet(