GhostManager · chrismaddalena · Sep 25, 2024 · Aug 2, 2024 · Sep 24, 2024 · Sep 24, 2024
diff --git a/ghostwriter/reporting/forms.py b/ghostwriter/reporting/forms.py
@@ -25,7 +25,7 @@
 )
 
 # Ghostwriter Libraries
-from ghostwriter.api.utils import get_client_list, get_project_list
+from ghostwriter.api.utils import get_client_list, get_project_list, verify_user_is_privileged
 from ghostwriter.commandcenter.forms import ExtraFieldsField
 from ghostwriter.commandcenter.models import ReportConfiguration
 from ghostwriter.modules.custom_layout_object import SwitchToggle
@@ -286,19 +286,26 @@ class Meta:
 
     def __init__(self, user=None, project=None, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        # If this is an update, mark the project field as read-only
+        # Don't allow non-manager users to move a report's project
         instance = getattr(self, "instance", None)
+        user_is_privileged = verify_user_is_privileged(user)
         if instance and instance.pk:
-            self.fields["project"].disabled = True
+            if user is None or not user_is_privileged:
+                self.fields["project"].disabled = True
 
-        # Limit the list to the pre-selected project and disable the field
-        if project:
+        # If there is a project and user is not privileged,
+        # limit the list to the pre-selected project and disable the field
+        if project and not user_is_privileged:
             self.fields["project"].queryset = Project.objects.filter(pk=project.pk)
             self.fields["project"].disabled = True
 
-        if not project:
+        # If no project is selected, limit the list to what the user can access
+        # Checks for privilege so that privileged users get a list with only active projects
+        if not project or user_is_privileged:
             projects = get_project_list(user)
-            active_projects = projects.filter(complete=False).order_by("-start_date", "client", "project_type").defer("extra_fields")
+            active_projects = (
+                projects.filter(complete=False).order_by("-start_date", "client", "project_type").defer("extra_fields")
+            )
             if active_projects:
                 self.fields["project"].empty_label = "-- Select an Active Project --"
             else:

diff --git a/ghostwriter/reporting/views.py b/ghostwriter/reporting/views.py
@@ -1133,9 +1133,9 @@ def get_queryset(self):
                 "Displaying search results for: {}".format(search_term),
                 extra_tags="alert-success",
             )
-            findings = findings.filter(Q(title__icontains=search_term) | Q(description__icontains=search_term)).order_by(
-                "severity__weight", "-cvss_score", "finding_type", "title"
-            )
+            findings = findings.filter(
+                Q(title__icontains=search_term) | Q(description__icontains=search_term)
+            ).order_by("severity__weight", "-cvss_score", "finding_type", "title")
         return findings
 
     def get(self, request, *args, **kwarg):
@@ -1612,7 +1612,12 @@ def handle_no_permission(self):
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
-        kwargs.update({"project": self.get_object().project, "user": self.request.user})
+        kwargs.update(
+            {
+                "project": self.get_object().project,
+                "user": self.request.user,
+            }
+        )
         return kwargs
 
     def get_context_data(self, **kwargs):