Refactor get_object_or_404 calls for Engagement and Engagement_Presets (#14375)

* refactor: optimize get_object_or_404 calls for Engagement and Engagement_Presets

* refactor: optimize get_object_or_404 calls for Answered_Survey by filtering with engagement

* refactor: optimize get_object_or_404 calls in update_benchmark and update_benchmark_summary functions

Author: Maffooch

dojo/benchmark/views.py

@@ -46,6 +46,8 @@ def update_benchmark(request, pid, _type):
         field = request.POST.get("field")
         value = request.POST.get("value")
         value = {"true": True, "false": False}.get(value, value)
+        product = get_object_or_404(Product, id=pid)
+        bench = get_object_or_404(Benchmark_Product.objects.filter(product=product), id=bench_id)
 
         if field in {
             "enabled",
@@ -54,7 +56,6 @@ def update_benchmark(request, pid, _type):
             "get_notes",
             "delete_notes",
         }:
-            bench = Benchmark_Product.objects.get(id=bench_id)
             if field == "enabled":
                 bench.enabled = value
             elif field == "pass_fail":
@@ -90,21 +91,22 @@ def update_benchmark(request, pid, _type):
 @user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark_summary(request, pid, _type, summary):
     if request.method == "POST":
+        product = get_object_or_404(Product, id=pid)
+        benchmark_summary = get_object_or_404(Benchmark_Product_Summary.objects.filter(product=product), id=summary)
         field = request.POST.get("field")
         value = request.POST.get("value")
         value = {"true": True, "false": False}.get(value, value)
 
         if field in {"publish", "desired_level"}:
-            summary = Benchmark_Product_Summary.objects.get(id=summary)
             data = {}
             if field == "publish":
-                summary.publish = value
+                benchmark_summary.publish = value
                 data = {"publish": value}
             elif field == "desired_level":
-                summary.desired_level = value
-                data = {"desired_level": value, "text": asvs_level(summary)}
+                benchmark_summary.desired_level = value
+                data = {"desired_level": value, "text": asvs_level(benchmark_summary)}
 
-            summary.save()
+            benchmark_summary.save()
             return JsonResponse(data)
 
     return redirect_to_return_url_or_else(
@@ -290,9 +292,9 @@ def benchmark_view(request, pid, benchmark_type, cat=None):
 @user_is_authorized(Product, Permissions.Benchmark_Delete, "pid")
 def delete(request, pid, benchmark_type):
     product = get_object_or_404(Product, id=pid)
-    benchmark_product_summary = Benchmark_Product_Summary.objects.filter(
-        product=product, benchmark_type=benchmark_type,
-    ).first()
+    benchmark_product_summary = get_object_or_404(
+        Benchmark_Product_Summary.objects.filter(product=product), benchmark_type=benchmark_type,
+    )
     form = DeleteBenchmarkForm(instance=benchmark_product_summary)
 
     if request.method == "POST":

dojo/engagement/views.py

@@ -1377,7 +1377,7 @@ def edit_risk_acceptance(request, eid, raid):
 # will only be called by view_risk_acceptance and edit_risk_acceptance
 def view_edit_risk_acceptance(request, eid, raid, *, edit_mode=False):
     risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
-    eng = get_object_or_404(Engagement, pk=eid)
+    eng = get_object_or_404(Engagement.objects.filter(risk_acceptance=risk_acceptance), pk=eid)
 
     if edit_mode and not eng.product.enable_full_risk_acceptance:
         raise PermissionDenied
@@ -1538,7 +1538,7 @@ def view_edit_risk_acceptance(request, eid, raid, *, edit_mode=False):
 def expire_risk_acceptance(request, eid, raid):
     risk_acceptance = get_object_or_404(prefetch_for_expiration(Risk_Acceptance.objects.all()), pk=raid)
     # Validate the engagement ID exists before moving forward
-    get_object_or_404(Engagement, pk=eid)
+    get_object_or_404(Engagement.objects.filter(risk_acceptance=risk_acceptance), pk=eid)
 
     ra_helper.expire_now(risk_acceptance)
 
@@ -1548,8 +1548,7 @@ def expire_risk_acceptance(request, eid, raid):
 @user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
 def reinstate_risk_acceptance(request, eid, raid):
     risk_acceptance = get_object_or_404(prefetch_for_expiration(Risk_Acceptance.objects.all()), pk=raid)
-    eng = get_object_or_404(Engagement, pk=eid)
-
+    eng = get_object_or_404(Engagement.objects.filter(risk_acceptance=risk_acceptance), pk=eid)
     if not eng.product.enable_full_risk_acceptance:
         raise PermissionDenied
 
@@ -1561,8 +1560,7 @@ def reinstate_risk_acceptance(request, eid, raid):
 @user_is_authorized(Engagement, Permissions.Risk_Acceptance, "eid")
 def delete_risk_acceptance(request, eid, raid):
     risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
-    eng = get_object_or_404(Engagement, pk=eid)
-
+    eng = get_object_or_404(Engagement.objects.filter(risk_acceptance=risk_acceptance), pk=eid)
     ra_helper.delete(eng, risk_acceptance)
 
     messages.add_message(

dojo/product/views.py

@@ -1597,7 +1597,7 @@ def engagement_presets(request, pid):
 @user_is_authorized(Product, Permissions.Product_Edit, "pid")
 def edit_engagement_presets(request, pid, eid):
     prod = get_object_or_404(Product, id=pid)
-    preset = get_object_or_404(Engagement_Presets, id=eid)
+    preset = get_object_or_404(Engagement_Presets.objects.filter(product=prod), id=eid)
 
     product_tab = Product_Tab(prod, title=_("Edit Engagement Preset"), tab="settings")
 
@@ -1646,7 +1646,7 @@ def add_engagement_presets(request, pid):
 @user_is_authorized(Product, Permissions.Product_Edit, "pid")
 def delete_engagement_presets(request, pid, eid):
     prod = get_object_or_404(Product, id=pid)
-    preset = get_object_or_404(Engagement_Presets, id=eid)
+    preset = get_object_or_404(Engagement_Presets.objects.filter(product=prod), id=eid)
     form = DeleteEngagementPresetsForm(instance=preset)
 
     if request.method == "POST":

dojo/survey/views.py

@@ -57,7 +57,7 @@
 @user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
 def delete_engagement_survey(request, eid, sid):
     engagement = get_object_or_404(Engagement, id=eid)
-    survey = get_object_or_404(Answered_Survey, id=sid)
+    survey = get_object_or_404(Answered_Survey.objects.filter(engagement=engagement), id=sid)
     questions = get_answered_questions(survey=survey, read_only=True)
     form = Delete_Questionnaire_Form(instance=survey)
 
@@ -96,8 +96,8 @@ def delete_engagement_survey(request, eid, sid):
 
 
 def answer_questionnaire(request, eid, sid):
-    survey = get_object_or_404(Answered_Survey, id=sid)
     engagement = get_object_or_404(Engagement, id=eid)
+    survey = get_object_or_404(Answered_Survey.objects.filter(engagement=engagement), id=sid)
     system_settings = System_Settings.objects.all()[0]
 
     if not system_settings.allow_anonymous_survey_repsonse:
@@ -162,8 +162,8 @@ def answer_questionnaire(request, eid, sid):
 
 @user_is_authorized(Engagement, Permissions.Engagement_Edit, "eid")
 def assign_questionnaire(request, eid, sid):
-    survey = get_object_or_404(Answered_Survey, id=sid)
     engagement = get_object_or_404(Engagement, id=eid)
+    survey = get_object_or_404(Answered_Survey.objects.filter(engagement=engagement), id=sid)
 
     form = AssignUserForm(instance=survey)
     if request.method == "POST":
@@ -183,8 +183,8 @@ def assign_questionnaire(request, eid, sid):
 
 @user_is_authorized(Engagement, Permissions.Engagement_View, "eid")
 def view_questionnaire(request, eid, sid):
-    survey = get_object_or_404(Answered_Survey, id=sid)
     engagement = get_object_or_404(Engagement, id=eid)
+    survey = get_object_or_404(Answered_Survey.objects.filter(engagement=engagement), id=sid)
     questions = get_answered_questions(survey=survey, read_only=True)
 
     add_breadcrumb(