fix internal acls during serializer update (#805)

This PR changes `ACLMixinSerializer` in order to support other ACLs other than embargoed and public. Closes OSIDB-3578.
RedHatProductSecurity · Oct 29, 2024 · 78b1e6f · 78b1e6f
2 parents 68d9d27 + 78e7b5b
commit 78b1e6f
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 1 deletion.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Changed
 - Add upstream references to Jira trackers on creation (OSIDB-3148)
+- Change ACL mixin serializer to support internal ACLs (OSIDB-3578)
 
 ## [4.5.2] - 2024-10-24
 ### Changed

diff --git a/osidb/serializer.py b/osidb/serializer.py
@@ -435,7 +435,14 @@ def create(self, validated_data):
         return super().create(validated_data)
 
     def update(self, instance, validated_data):
-        validated_data = self.embargoed2acls(validated_data)
+        # defaults to keep current ACLs
+        validated_data["acl_read"] = instance.acl_read
+        validated_data["acl_write"] = instance.acl_write
+
+        if instance.is_public or instance.is_embargoed:
+            # only allow manual ACL changes between embargoed and public
+            validated_data = self.embargoed2acls(validated_data)
+
         return super().update(instance, validated_data)
 
 

diff --git a/osidb/tests/endpoints/test_endpoints.py b/osidb/tests/endpoints/test_endpoints.py
@@ -162,6 +162,50 @@ def test_flaw_update(
         assert flaw.acl_read == self.hash_acl(acl_read)
         assert flaw.acl_write == self.hash_acl(acl_write)
 
+    def test_internal_flaw_update(
+        self,
+        auth_client,
+        test_api_uri,
+    ):
+        """
+        test serializer does not change ACLs from internal flaws
+        """
+        internal_read = [
+            uuid.UUID(acl) for acl in generate_acls([settings.INTERNAL_READ_GROUP])
+        ]
+        internal_write = [
+            uuid.UUID(acl) for acl in generate_acls([settings.INTERNAL_WRITE_GROUP])
+        ]
+        flaw = FlawFactory(
+            embargoed=False,
+            acl_read=internal_read,
+            acl_write=internal_write,
+        )
+        AffectFactory(flaw=flaw)
+        assert flaw.is_internal
+
+        response = auth_client().get(f"{test_api_uri}/flaws/{flaw.uuid}")
+        assert response.status_code == 200
+        original_body = response.json()
+        assert not original_body["embargoed"]
+
+        response = auth_client().put(
+            f"{test_api_uri}/flaws/{flaw.uuid}",
+            {
+                "title": f"{flaw.title} appended test title",
+                "comment_zero": flaw.comment_zero,
+                "owner": "[email protected]",
+                "embargoed": False,
+                "updated_dt": flaw.updated_dt,
+            },
+            format="json",
+            HTTP_BUGZILLA_API_KEY="SECRET",
+            HTTP_JIRA_API_KEY="SECRET",
+        )
+        assert response.status_code == 200
+        flaw = Flaw.objects.get(uuid=flaw.uuid)
+        assert flaw.is_internal
+
     @freeze_time(datetime(2021, 11, 23, tzinfo=timezone.get_current_timezone()))
     def test_flaw_unembargo(self, auth_client, test_api_uri):
         """