wip

Author: fopinappb

dojo/api_v2/serializers.py

@@ -2976,6 +2976,11 @@ def validate(self, data):
         return data
 
 
+class FindingVerifySerializer(serializers.Serializer):
+    note = serializers.CharField(required=False, allow_blank=True)
+    note_type = serializers.PrimaryKeyRelatedField(required=False, allow_null=True, queryset=Note_Type.objects.all())
+
+
 class ReportGenerateOptionSerializer(serializers.Serializer):
     include_finding_notes = serializers.BooleanField(default=False)
     include_finding_images = serializers.BooleanField(default=False)

dojo/api_v2/views.py

@@ -1014,6 +1014,32 @@ def close(self, request, pk=None):
         serialized_finding = serializers.FindingCloseSerializer(finding, context={"request": request})
         return Response(serialized_finding.data)
 
+    @extend_schema(
+        methods=["POST"],
+        request=serializers.FindingVerifySerializer,
+        responses={status.HTTP_200_OK: serializers.FindingSerializer},
+    )
+    @action(detail=True, methods=["post"], permission_classes=(IsAuthenticated, permissions.UserHasFindingRelatedObjectPermission))
+    def verify(self, request, pk=None):
+        finding = self.get_object()
+
+        serializer = serializers.FindingVerifySerializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+        # Remove prefetched tags to keep queryset state in sync
+        finding.tags._remove_prefetched_objects()
+
+        finding_helper.verify_finding(
+            finding=finding,
+            user=request.user,
+            note_entry=serializer.validated_data.get("note"),
+            note_type=serializer.validated_data.get("note_type"),
+        )
+
+        serialized_finding = serializers.FindingSerializer(finding, context={"request": request})
+        return Response(serialized_finding.data)
+
     @extend_schema(
         methods=["GET"],
         responses={status.HTTP_200_OK: serializers.TagSerializer},

dojo/finding/helper.py

@@ -1012,6 +1012,31 @@ def normalize_datetime(value):
     return value
 
 
+def _create_note_if_provided(
+    *,
+    finding,
+    note_entry,
+    user=None,
+    note_type=None,
+    note_date=None,
+):
+    """
+    Create a note for the finding when content is provided. Returns the note or None.
+    Note author defaults to finding.last_reviewed_by
+    """
+    if not note_entry:
+        return None
+    
+    new_note = Notes.objects.create(
+        entry=note_entry,
+        author=user or finding.last_reviewed_by,
+        note_type=note_type,
+        date=note_date,
+    )
+    finding.notes.add(new_note)
+    return new_note
+
+
 def close_finding(
     *,
     finding,
@@ -1046,15 +1071,12 @@ def close_finding(
     finding.last_reviewed_by = user
 
     # Create note if provided
-    new_note = None
-    if note_entry:
-        new_note = Notes.objects.create(
-            entry=note_entry,
-            author=user,
-            note_type=note_type,
-            date=mitigated_date,
-        )
-        finding.notes.add(new_note)
+    new_note = _create_note_if_provided(
+        finding,
+        note_entry,
+        note_type=note_type,
+        note_date=mitigated_date,
+    )
 
     if settings.V3_FEATURE_LOCATIONS:
         # Related locations
@@ -1105,3 +1127,29 @@ def close_finding(
         description=f'The finding "{finding.title}" was closed by {user}',
         url=reverse("view_finding", args=(finding.id,)),
     )
+
+
+def verify_finding(
+    *,
+    finding,
+    user,
+    note_entry=None,
+    note_type=None,
+) -> None:
+    """Shared verify logic used by UI and API."""
+
+    verification_time = now()
+
+    finding.verified = True
+    finding.last_reviewed = verification_time
+    finding.last_reviewed_by = user
+    finding.last_status_update = verification_time
+
+    _create_note_if_provided(
+        finding,
+        note_entry,
+        note_type=note_type,
+        note_date=verification_time,
+    )
+
+    finding.save(push_to_jira=False)

dojo/finding/views.py

@@ -1247,19 +1247,12 @@ def verify_finding(request, fid):
     form.fields["entry"].label = _("Comment (optional)")
 
     if request.method == "POST" and form.is_valid():
-        entry = form.cleaned_data.get("entry", "").strip()
-        if entry:
-            note = form.save(commit=False)
-            note.author = request.user
-            note.save()
-            finding.notes.add(note)
-
-        now_time = timezone.now()
-        finding.verified = True
-        finding.last_reviewed = now_time
-        finding.last_reviewed_by = request.user
-        finding.last_status_update = now_time
-        finding.save(push_to_jira=False)
+        entry = form.cleaned_data.get("entry", "")
+        finding_helper.verify_finding(
+            finding=finding,
+            user=request.user,
+            note_entry=entry,
+        )
 
         messages.add_message(
             request,

unittests/test_rest_framework.py

@@ -1011,7 +1011,39 @@ def test_close_finding_pushes_note_to_jira_when_configured(self):
             }
             response = self.client.post(self._close_url(finding.id), payload, format="json")
             self.assertEqual(200, response.status_code, response.content[:1000])
-            self.assertTrue(add_comment_mock.called)
+        self.assertTrue(add_comment_mock.called)
+
+
+@versioned_fixtures
+class FindingVerifyAPITest(DojoAPITestCase):
+    fixtures = ["dojo_testdata.json"]
+
+    def setUp(self):
+        testuser = User.objects.get(username="admin")
+        token = Token.objects.get(user=testuser)
+        self.client = APIClient()
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {token.key}")
+        self.admin = testuser
+
+    def _verify_url(self, finding_id: int) -> str:
+        return f"/api/v2/findings/{finding_id}/verify/"
+
+    def test_verify_finding_basic(self):
+        finding = Finding.objects.get(id=7)
+        response = self.client.post(self._verify_url(finding.id), {"note": "Marked verified"}, format="json")
+        self.assertEqual(200, response.status_code, response.content[:1000])
+
+        finding.refresh_from_db()
+        self.assertTrue(finding.verified)
+        self.assertEqual(finding.last_reviewed_by, self.admin)
+        self.assertTrue(finding.notes.filter(entry__icontains="Marked verified").exists())
+
+    def test_verify_finding_invalid_payload(self):
+        finding = Finding.objects.get(id=7)
+        # note_type specified but invalid id
+        response = self.client.post(self._verify_url(finding.id), {"note_type": 9999}, format="json")
+        self.assertEqual(400, response.status_code, response.content[:1000])
+
 
 
 @versioned_fixtures