Merge pull request #3791 from DefectDojo/release/1.12.1

Release: Merge release into master from: release/1.12.1

Author: madchap

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "DefectDojo",
-  "version": "1.12.0",
+  "version": "1.12.1",
   "dependencies": {
     "JUMFlot": "jumjum123/JUMFlot#*",
     "bootstrap": "^3.4.0",

dojo/__init__.py

@@ -6,6 +6,6 @@
 
 default_app_config = 'dojo.apps.DojoAppConfig'
 
-__version__ = '1.12.0'
+__version__ = '1.12.1'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'http://defectdojo.readthedocs.io/'

dojo/api_v2/permissions.py

@@ -1,40 +1,6 @@
 from rest_framework import permissions
 
 
-class UserHasProductPermission(permissions.BasePermission):
-    """
-    @brief      To ensure that one user can only access authorized project
-    """
-    def has_object_permission(self, request, view, obj):
-        return request.user in \
-            (obj.authorized_users.all() | obj.prod_type.authorized_users.all()) or \
-            request.user.is_staff
-
-
-class UserHasReportGeneratePermission(permissions.BasePermission):
-    """
-    @brief      To ensure that one user can only access authorized project
-    """
-    def has_object_permission(self, request, view, obj):
-        return request.user in \
-            (obj.product.authorized_users.all() | obj.product.prod_type.authorized_users.all()) or \
-            request.user.is_staff
-
-
-class UserHasScanSettingsPermission(permissions.BasePermission):
-    def has_object_permission(self, request, view, obj):
-        return request.user in \
-            (obj.product.authorized_users.all() | obj.product.prod_type.authorized_users.all()) or \
-            request.user.is_staff
-
-
-class UserHasScanPermission(permissions.BasePermission):
-    def has_object_permission(self, request, view, obj):
-        return request.user in \
-            (obj.scan_settings.product.authorized_users.all() | obj.scan_settings.product.prod_type.authorized_users.all()) or \
-            request.user.is_staff
-
-
 class IsSuperUser(permissions.BasePermission):
     def has_permission(self, request, view):
         return request.user and request.user.is_superuser

dojo/api_v2/serializers.py

@@ -313,18 +313,24 @@ class Meta:
         fields = ('id', 'username', 'first_name', 'last_name', 'email', 'last_login', 'is_active', 'is_staff', 'is_superuser')
 
 
+class UserStubSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ('id', 'username', 'first_name', 'last_name')
+
+
 class NoteHistorySerializer(serializers.ModelSerializer):
-    current_editor = UserSerializer(read_only=True)
+    current_editor = UserStubSerializer(read_only=True)
 
     class Meta:
         model = NoteHistory
         fields = '__all__'
 
 
 class NoteSerializer(serializers.ModelSerializer):
-    author = UserSerializer(
+    author = UserStubSerializer(
         many=False, read_only=True)
-    editor = UserSerializer(
+    editor = UserStubSerializer(
         read_only=True, many=False, allow_null=True)
 
     history = NoteHistorySerializer(read_only=True, many=True)
@@ -1603,7 +1609,7 @@ class ReportGenerateSerializer(serializers.Serializer):
     endpoint = EndpointSerializer(many=False, read_only=True)
     endpoints = EndpointSerializer(many=True, read_only=True)
     findings = FindingSerializer(many=True, read_only=True)
-    user = UserSerializer(many=False, read_only=True)
+    user = UserStubSerializer(many=False, read_only=True)
     team_name = serializers.CharField(max_length=200)
     title = serializers.CharField(max_length=200)
     user_id = serializers.IntegerField()