Hotfix/iam issues

backend/core/apps.py

@@ -1,18 +1,17 @@
 from django.apps import AppConfig
 from django.db.models.signals import post_migrate
 from ciso_assistant.settings import CISO_ASSISTANT_SUPERUSER_EMAIL
-
+import os
 
 def startup(**kwargs):
     """
         Implement CISO Assistant 1.0 default Roles and User Groups during migrate
         This makes sure root folder and global groups are defined before any other object is created
         Create superuser if CISO_ASSISTANT_SUPERUSER_EMAIL defined
     """
-
     from django.contrib.auth.models import Permission
     from iam.models import Folder, Role, RoleAssignment, User, UserGroup
-    print("post-migrate handler: initialize database")
+    print("startup handler: initialize database", kwargs)
 
     auditor_permissions = Permission.objects.filter(
         codename__in=[
@@ -328,4 +327,6 @@ class CoreConfig(AppConfig):
     verbose_name = "Core"
 
     def ready(self):
-        post_migrate.connect(startup, sender=self)
+        # avoid post_migrate handler if we are in the main, as it interferes with restore
+        if not os.environ.get('RUN_MAIN'):
+            post_migrate.connect(startup, sender=self)

backend/core/views.py

@@ -766,9 +766,10 @@ class UserFilter(df.FilterSet):
     is_approver = df.BooleanFilter(method="filter_approver", label="Approver")
 
     def filter_approver(self, queryset, name, value):
+        """ we don't know yet which folders will be used, so filter on any folder"""
         approvers_id = []
         for candidate in User.objects.all():
-            if RoleAssignment.has_permission(candidate, "approve_riskacceptance"):
+            if 'approve_riskacceptance' in candidate.permissions:
                 approvers_id.append(candidate.id)
         if value:
             return queryset.filter(id__in=approvers_id)

backend/iam/models.py

@@ -467,7 +467,11 @@ def get_user_groups(self):
 
     @property
     def has_backup_permission(self) -> bool:
-        return RoleAssignment.has_permission(self, "backup")
+        return RoleAssignment.is_access_allowed(
+            user=self, 
+            perm=Permission.objects.get(codename="backup"),
+            folder=Folder.get_root_folder(),
+        )
 
     @property
     def edit_url(self) -> str:

backend/serdes/urls.py

@@ -5,5 +5,5 @@
 
 urlpatterns = [
     path("dump-db/", login_required(views.dump_db_view), name="dump-db"),
-    path("load-backup/", views.LoadBackupView.as_view(), name="load-backup"),
+    path("load-backup/", login_required(views.LoadBackupView.as_view()), name="load-backup"),
 ]

backend/serdes/views.py

@@ -49,6 +49,8 @@ class LoadBackupView(APIView):
     serializer_class = LoadBackupSerializer
 
     def post(self, request, *args, **kwargs):
+        if not is_admin_check(request.user):
+            return Response(status=status.HTTP_403_FORBIDDEN)
         if request.data:
             sys.stdin = io.StringIO(json.dumps(request.data[1]))
             request.session.flush()