Propagate async_user via crum.impersonate in DojoAsyncTask base class by valentijnscholten · Pull Request #14308 · DefectDojo/django-DefectDojo

and others added 30 commits

December 29, 2025 17:13
…4 (.github/workflows/validate_docs_build.yml) (DefectDojo#13985)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…x/2.53.5-2.54.0-dev

Release: Merge back 2.53.5 into bugfix from: master-into-bugfix/2.53.5-2.54.0-dev
….53.5-2.54.0-dev

Release: Merge back 2.53.5 into dev from: master-into-dev/2.53.5-2.54.0-dev
…file.nginx-alpine) (DefectDojo#13995)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Updated weight for version 2.54.x and modified description.
…3.11 to v (dockerfile.integration-tests-debian) (DefectDojo#14003)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* dedupe reopen: add test cases that prove the bug

* remove obsolete method

* dedupe reopen: proceed with next candidate if candidate is mitigated

* rename methods
…Dojo#14017)

* added code to remove unwanted vulnerability ids

* Update dojo/finding/helper.py

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
…thub/workflows/renovate.yaml) (DefectDojo#14025)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…efectDojo#14026)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…json) (DefectDojo#14023)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ckerfile.integration-tests-debian) (DefectDojo#14008)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…efectDojo#14280)

* Fix response status codes in DojoMetaViewSet for POST and PATCH methods

* Refactor UserHasDojoMetaPermission to use a permission map for cleaner permission checks

@Maffooch

* Add configuration permission check for authorized groups retrieval

* Add case where user has add_group, but not view_group

@valentijnscholten

Previously, async_user was passed through kwargs and each consumer had
to manually extract it. This was fragile and caused user context to be
lost in nested Celery task dispatches (e.g. sub-tasks spawned from
within a worker had no HTTP request context, so get_current_user()
returned None and block_execution was silently ignored).

DojoAsyncTask.__call__ now pops async_user from kwargs and wraps the
task execution in crum.impersonate(user), making get_current_user()
return the correct user transparently for all downstream code.

When a task is called directly (not via apply_async), async_user is
absent from kwargs. In that case the existing crum context is preserved
so that callers who set a user via impersonate() are not disrupted.

Consumer-side cleanup:
- we_want_async() uses get_current_user() directly
- add_findings_to_auto_group() drops async_user fallback
- do_false_positive_history() drops async_user pop from kwargs
- Delete task docstrings updated

Add blank lines before class docstrings (D203) and move method
docstring summary to second line (D213) to satisfy upstream Ruff config.

dojo_dispatch_task was popping sync from kwargs before running the
task, preventing tasks from knowing they should run their own
sub-tasks synchronously. Remove the pop so sync flows through to
task functions. Add explicit sync parameter to
post_process_findings_batch and forward it to calculate_grade so
product grading also runs inline when the caller requests sync
execution.
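
The user propagation described in the async_user commit message above, as an added sketch that is not code from this pull request: a task wrapper pops `async_user` and runs the body under `impersonate()`, so a sub-task dispatched from inside a worker still sees the user. `SketchTask`, its `apply_async` and the thread-local `get_current_user`/`impersonate` stand-ins are assumptions made so the example runs without Django or Celery.

```python
import contextlib
import threading

# Stand-ins for crum.get_current_user / crum.impersonate (thread-local here)
# so the sketch runs without Django installed.
_state = threading.local()
_ABSENT = object()


def get_current_user():
    return getattr(_state, "user", None)


@contextlib.contextmanager
def impersonate(user):
    previous = get_current_user()
    _state.user = user
    try:
        yield
    finally:
        _state.user = previous  # restore so a reused worker thread does not leak the user


class SketchTask:
    """Hypothetical stand-in for the task base class described above."""

    def __init__(self, fn):
        self.fn = fn

    def __call__(self, *args, **kwargs):
        user = kwargs.pop("async_user", _ABSENT)
        if user is _ABSENT:
            # Direct call: leave the caller's existing context untouched.
            return self.fn(*args, **kwargs)
        with impersonate(user):
            return self.fn(*args, **kwargs)

    def apply_async(self, *args, **kwargs):
        # Assumed dispatch side: capture the user and ship it in kwargs, then
        # run on a fresh thread, which (like a worker) has no request context.
        kwargs["async_user"] = get_current_user()
        out = []
        worker = threading.Thread(target=lambda: out.append(self(*args, **kwargs)))
        worker.start()
        worker.join()
        return out[0]


child = SketchTask(lambda: get_current_user())
# Nested dispatch: the parent runs inside a worker and spawns the child from there.
parent = SketchTask(lambda: (get_current_user(), child.apply_async()))
```

If `__call__` did not impersonate, the nested `child.apply_async()` would capture `None` in the worker thread, which is the lost-context case the commit message describes.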

@Maffooch Maffooch marked this pull request as ready for review

February 13, 2026 19:31

Maffooch

blakeaowens

mtesauro