Refactor permission classes to use asset and organization-specific permissions, enhancing clarity and maintainability.

Maffooch · Maffooch · commit 9b77bd094b49 · 2026-01-12T14:33:22.000-07:00
diff --git a/dojo/api_v2/permissions.py b/dojo/api_v2/permissions.py
@@ -33,20 +33,10 @@
 
 def check_post_permission(request: Request, post_model: Model, post_pk: str | list[str], post_permission: int) -> bool:
     if request.method == "POST":
-        eligible_post_pk = None
-        # Support both single PK string and list of PK strings
-        searchable_post_pks = post_pk if isinstance(post_pk, list) else [post_pk]
-        # Iterate until we find a matching PK in the request data
-        for pk in searchable_post_pks:
-            if request.data.get(pk) is not None:
-                eligible_post_pk = pk
-                break
-        # Raise an error if we never find anything
-        if eligible_post_pk is None:
-            msg = f"Unable to check for permissions: No valid attribute in '{post_pk}' is required"
+        if request.data.get(post_pk) is None:
+            msg = f"Unable to check for permissions: Attribute '{post_pk}' is required"
             raise ParseError(msg)
-        # Attempt to get the object
-        obj = get_object_or_404(post_model, pk=request.data.get(eligible_post_pk))
+        obj = get_object_or_404(post_model, pk=request.data.get(post_pk))
         return user_has_permission(request.user, obj, post_permission)
     return True
 
@@ -73,7 +63,7 @@ def check_object_permission(
 class UserHasAppAnalysisPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Technology_Add,
+            request, Product, "product", Permissions.Technology_Add,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -90,7 +80,7 @@ class UserHasCredentialPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.data.get("product") is not None:
             return check_post_permission(
-                request, Cred_Mapping, ["product", "asset"], Permissions.Credential_Add,
+                request, Cred_Mapping, "product", Permissions.Credential_Add,
             )
         if request.data.get("engagement") is not None:
             return check_post_permission(
@@ -105,7 +95,7 @@ def has_permission(self, request, view):
                 request, Cred_Mapping, "finding", Permissions.Credential_Add,
             )
         return check_post_permission(
-            request, Cred_Mapping, ["product", "asset"], Permissions.Credential_Add,
+            request, Cred_Mapping, "product", Permissions.Credential_Add,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -243,7 +233,7 @@ def has_object_permission(self, request, view, obj):
 class UserHasToolProductSettingsPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Product_Edit,
+            request, Product, "product", Permissions.Product_Edit,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -259,7 +249,7 @@ def has_object_permission(self, request, view, obj):
 class UserHasEndpointPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Endpoint_Add,
+            request, Product, "product", Permissions.Endpoint_Add,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -299,7 +289,7 @@ def has_permission(self, request, view):
             request.path,
         ) or UserHasEngagementPermission.path_engagement.match(request.path):
             return check_post_permission(
-                request, Product, ["product", "asset"], Permissions.Engagement_Add,
+                request, Product, "product", Permissions.Engagement_Add,
             )
         # related object only need object permission
         return True
@@ -338,7 +328,7 @@ def has_permission(self, request, view):
             request.path,
         ):
             return check_post_permission(
-                request, Product, ["product", "asset"], Permissions.Risk_Acceptance,
+                request, Product, "product", Permissions.Risk_Acceptance,
             )
         # related object only need object permission
         return True
@@ -505,7 +495,26 @@ def has_permission(self, request, view):
         return check_post_permission(
             request,
             Product_Type,
-            ["prod_type", "organization"],
+            "prod_type",
+            Permissions.Product_Type_Add_Product,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_View,
+            Permissions.Product_Edit,
+            Permissions.Product_Delete,
+        )
+
+
+class UserHasAssetPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
             Permissions.Product_Type_Add_Product,
         )
 
@@ -522,7 +531,23 @@ def has_object_permission(self, request, view, obj):
 class UserHasProductMemberPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Product_Manage_Members,
+            request, Product, "product", Permissions.Product_Manage_Members,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_View,
+            Permissions.Product_Manage_Members,
+            Permissions.Product_Member_Delete,
+        )
+
+
+class UserHasAssetMemberPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Product, "asset", Permissions.Product_Manage_Members,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -538,7 +563,23 @@ def has_object_permission(self, request, view, obj):
 class UserHasProductGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Product_Group_Add,
+            request, Product, "product", Permissions.Product_Group_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Group_View,
+            Permissions.Product_Group_Edit,
+            Permissions.Product_Group_Delete,
+        )
+
+
+class UserHasAssetGroupPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Product, "asset", Permissions.Product_Group_Add,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -569,12 +610,49 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method == "POST":
+            return user_has_global_permission(
+                request.user, Permissions.Product_Type_Add,
+            )
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Edit,
+            Permissions.Product_Type_Delete,
+        )
+
+
 class UserHasProductTypeMemberPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
             request,
             Product_Type,
-            ["product_type", "organization"],
+            "product_type",
+            Permissions.Product_Type_Manage_Members,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Manage_Members,
+            Permissions.Product_Type_Member_Delete,
+        )
+
+
+class UserHasOrganizationMemberPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
             Permissions.Product_Type_Manage_Members,
         )
 
@@ -593,7 +671,25 @@ def has_permission(self, request, view):
         return check_post_permission(
             request,
             Product_Type,
-            ["product_type", "organization"],
+            "product_type",
+            Permissions.Product_Type_Group_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_Group_View,
+            Permissions.Product_Type_Group_Edit,
+            Permissions.Product_Type_Group_Delete,
+        )
+
+class UserHasOrganizationGroupPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
             Permissions.Product_Type_Group_Add,
         )
 
@@ -719,7 +815,7 @@ def has_object_permission(self, request, view, obj):
 class UserHasLanguagePermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Language_Add,
+            request, Product, "product", Permissions.Language_Add,
         )
 
     def has_object_permission(self, request, view, obj):
@@ -737,7 +833,26 @@ def has_permission(self, request, view):
         return check_post_permission(
             request,
             Product,
-            ["product", "asset"],
+            "product",
+            Permissions.Product_API_Scan_Configuration_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_API_Scan_Configuration_View,
+            Permissions.Product_API_Scan_Configuration_Edit,
+            Permissions.Product_API_Scan_Configuration_Delete,
+        )
+
+
+class UserHasAssetAPIScanConfigurationPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product,
+            "asset",
             Permissions.Product_API_Scan_Configuration_Add,
         )
 
@@ -893,7 +1008,7 @@ def has_permission(self, request, view):
 class UserHasEngagementPresetPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
-            request, Product, ["product", "asset"], Permissions.Product_Edit,
+            request, Product, "product", Permissions.Product_Edit,
         )
 
     def has_object_permission(self, request, view, obj):
diff --git a/dojo/asset/api/views.py b/dojo/asset/api/views.py
@@ -43,7 +43,7 @@ class AssetAPIScanConfigurationViewSet(
     filterset_class = AssetAPIScanConfigurationFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductAPIScanConfigurationPermission,
+        permissions.UserHasAssetAPIScanConfigurationPermission,
     )
 
     def get_queryset(self):
@@ -68,7 +68,7 @@ class AssetViewSet(
     filterset_class = ApiAssetFilter
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductPermission,
+        permissions.UserHasAssetPermission,
     )
 
     def get_queryset(self):
@@ -138,7 +138,7 @@ class AssetMemberViewSet(
     filterset_class = AssetMemberFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductMemberPermission,
+        permissions.UserHasAssetMemberPermission,
     )
 
     def get_queryset(self):
@@ -166,7 +166,7 @@ class AssetGroupViewSet(
     filterset_class = AssetGroupFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductGroupPermission,
+        permissions.UserHasAssetGroupPermission,
     )
 
     def get_queryset(self):
diff --git a/dojo/organization/api/views.py b/dojo/organization/api/views.py
@@ -40,7 +40,7 @@ class OrganizationViewSet(
     filterset_class = OrganizationFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductTypePermission,
+        permissions.UserHasOrganizationPermission,
     )
 
     def get_queryset(self):
@@ -121,7 +121,7 @@ class OrganizationMemberViewSet(
     filterset_class = OrganizationMemberFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductTypeMemberPermission,
+        permissions.UserHasOrganizationMemberPermission,
     )
 
     def get_queryset(self):
@@ -163,7 +163,7 @@ class OrganizationGroupViewSet(
     filterset_class = OrganizationGroupFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductTypeGroupPermission,
+        permissions.UserHasOrganizationGroupPermission,
     )
 
     def get_queryset(self):
