Add authorization check to link_engagement action (#14504)

Maffooch · claude · web-flow · commit 0b9004bef3f8 · 2026-03-15T19:56:29.000-06:00
The link_engagement endpoint in QuestionnaireEngagementSurveyViewSet
was missing a permission check on the target engagement. Added
user_has_permission_or_403 with Engagement_Edit to ensure the
requesting user is authorized before linking.

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
@@ -3451,6 +3451,8 @@ def link_engagement(self, request, pk, engagement_id):
         engagement_survey = self.get_object()
         # Safely get the engagement
         engagement = get_object_or_404(Engagement.objects, pk=engagement_id)
+        # Verify the user has permission to edit the engagement
+        user_has_permission_or_403(request.user, engagement, Permissions.Engagement_Edit)
         # Link the engagement
         answered_survey, _ = Answered_Survey.objects.get_or_create(engagement=engagement, survey=engagement_survey)
         # Send a favorable response
