Allow deleting scanner query rules (by allowing deletion of scanner query results) (#19802)

This is necessary now that query results are directly tied to query rules: deleting a query rule will delete the query results associated with it, so Django ensures you have delete permission for both.
2022-10-19 15:35:11 +02:00 · 2022-10-19 15:35:11 +02:00 · fb64c837c8
--- a/src/olympia/constants/permissions.py
+++ b/src/olympia/constants/permissions.py
@ -188,6 +188,7 @@ DJANGO_PERMISSIONS_MAPPING.update(
        'scanners.change_scannerqueryrule': ADMIN_SCANNERS_QUERY_EDIT,
        'scanners.delete_scannerqueryrule': ADMIN_SCANNERS_QUERY_EDIT,
        'scanners.change_scannerqueryresult': ADMIN_SCANNERS_QUERY_EDIT,
+        'scanners.delete_scannerqueryresult': ADMIN_SCANNERS_QUERY_EDIT,
        'scanners.view_scannerqueryrule': ADMIN_SCANNERS_QUERY_VIEW,
        'scanners.view_scannerqueryresult': ADMIN_SCANNERS_QUERY_VIEW,
        'tags.add_tag': DISCOVERY_EDIT,
--- a/src/olympia/scanners/admin.py
+++ b/src/olympia/scanners/admin.py
@ -315,10 +315,6 @@ class AbstractScannerResultAdminMixin(admin.ModelAdmin):
    def has_add_permission(self, request):
        return False

-    # Remove the "delete" button
-    def has_delete_permission(self, request, obj=None):
-        return False
-
    # Read-only mode
    def has_change_permission(self, request, obj=None):
        return False
@ -765,6 +761,10 @@ class ScannerResultAdmin(AbstractScannerResultAdminMixin, admin.ModelAdmin):
    result_actions.short_description = 'Actions'
    result_actions.allow_tags = True

+    # Remove the "delete" button
+    def has_delete_permission(self, request, obj=None):
+        return False
+

@admin.register(ScannerQueryResult)
 class ScannerQueryResultAdmin(AbstractScannerResultAdminMixin, admin.ModelAdmin):
--- a/src/olympia/scanners/tests/test_admin.py
+++ b/src/olympia/scanners/tests/test_admin.py
@ -1418,6 +1418,46 @@ class TestScannerQueryRuleAdmin(TestCase):
        doc = pq(response.content)
        assert doc('.field-formatted_definition .readonly')

+    def test_delete_rule_that_has_results(self):
+        rule = ScannerQueryRule.objects.create(name='bar', scanner=YARA)
+        result = ScannerQueryResult(scanner=YARA)
+        result.add_yara_result(rule=rule.name)
+        result.save()
+
+        url = reverse('admin:scanners_scannerqueryrule_delete', args=(rule.pk,))
+        response = self.client.get(url)
+        assert response.status_code == 200
+        doc = pq(response.content)
+        assert doc('#content h1').text() == 'Are you sure?'
+
+        url = reverse('admin:scanners_scannerqueryrule_delete', args=(rule.pk,))
+        response = self.client.post(url, {'post': 'yes'})
+        self.assert3xx(response, self.list_url)
+
+        assert not ScannerQueryRule.objects.filter(pk=rule.pk).exists()
+        assert not ScannerQueryResult.objects.filter(pk=result.pk).exists()
+
+    def test_cant_delete_rule_if_insufficient_permissions(self):
+        rule = ScannerQueryRule.objects.create(name='bar', scanner=YARA)
+        result = ScannerQueryResult(scanner=YARA)
+        result.add_yara_result(rule=rule.name)
+        result.save()
+
+        url = reverse('admin:scanners_scannerqueryrule_delete', args=(rule.pk,))
+
+        user = user_factory(email='somebodyelse@mozilla.com')
+        self.client.force_login(user)
+        response = self.client.get(url)
+        assert response.status_code == 403
+        response = self.client.post(url, {'post': 'yes'})
+        assert response.status_code == 403
+
+        self.grant_permission(user, 'Admin:ScannersQueryView')
+        response = self.client.get(url)
+        assert response.status_code == 403
+        response = self.client.post(url, {'post': 'yes'})
+        assert response.status_code == 403
+

 class TestScannerQueryResultAdmin(TestCase):
    def setUp(self):