No authorization implemented for class Risk_Acceptance #13468
Description
Bug description
HTTP 500 errors when operating with a risk acceptance by ID via API with a non-superuser user, due the lack of authorization implementation for Risk_Acceptance entity. When the user is a superuser, the error doesn't happen because superusers are allowed by default to perform any action, and the permissions are not checked.
The affected API endpoints are:
- GET /api/v2/risk_acceptance/{id}/
- PATCH /api/v2/risk_acceptance/{id}/
- PUT /api/v2/risk_acceptance/{id}/
- DELETE /api/v2/risk_acceptance/{id}/
- GET /api/v2/risk_acceptance/{id}/delete_preview/
- GET /api/v2/risk_acceptance/{id}/download_proof/
Steps to reproduce
Steps to reproduce the behavior:
- Create a risk acceptance for a finding
- Login with a non-superuser user, who has Maintainer access to the product where the risk-accepted finding is
- GET /api/v2/risk_acceptance/{id}/. You can try with any of the other affected endpoints.
- See the HTTP 500 error received on the client, and the exception stack trace on the logs
Expected behavior
The risk acceptance API authorization is verified correctly, and the action is executed if the user has Risk_Acceptance permission on the product where the accepted findings are. If the user doesn't have access, the API must return 404 or 403 errors depending on the case.
Deployment method (select with an X)
- Docker Compose
- Kubernetes
- GoDojo
Environment information
- Operating System: MacOS Sequoia 15.7.1
- Docker Compose version: 2.36.2
- DefectDojo version (see footer) or commit message: [2025-10-14 11:16:34 -0500] cba7d81: Merge pull request Release: Merge release into master from: release/2.51.1 #13421 from DefectDojo/release/2.51.1 [ (HEAD -> master, tag: 2.51.1, origin/master, origin/HEAD)]
Screenshots
