Skip to content

ValueError in VendorDependencyRequest submit endpoint: queryset filters user as Product instance #15258

Description

@dyadav-r7

Summary

Calling POST /api/v2/vendor_dependency_requests/{id}/submit/ raises a ValueError in the queryset filter because self.request.user (a User/email string) is passed where Django expects a Product model instance.

Environment

  • DefectDojo version: 2.52.1
  • Python: 3.13
  • Django REST Framework (latest bundled)

Steps to Reproduce

  1. Authenticate via API token (token owner: user@mycompany.com)
  2. Create a Vendor Dependency request via POST /api/v2/vendor_dependency_requests/ (succeeds)
  3. Submit the draft via POST /api/v2/vendor_dependency_requests/{id}/submit/
  4. Server returns 500 Internal Server Error

Error Traceback

[15/Jul/2026 16:02:54] ERROR [dojo.api_v2.exception_handler:49] Cannot query "user@mycompany.com": Must be "Product" instance.
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/rest_framework/views.py", line 512, in dispatch
    response = handler(request, *args, **kwargs)
  File "/app/dojo/api_v2/views.py", line 3976, in submit
    instance = self.get_object()
  File "/usr/local/lib/python3.13/site-packages/rest_framework/generics.py", line 87, in get_object
    queryset = self.filter_queryset(self.get_queryset())
  File "/app/dojo/api_v2/views.py", line 3909, in get_queryset
    VendorDependencyRequest.objects.filter(
        findings__test__engagement__product__authorized_users=self.request.user
    )
  File "/usr/local/lib/python3.13/site-packages/django/db/models/query.py", line 1478, in filter
    return self._filter_or_exclude(False, args, kwargs)
  File "/usr/local/lib/python3.13/site-packages/django/db/models/query.py", line 1506, in _filter_or_exclude_inplace
    self._query.add_q(Q(*args, **kwargs))
  File "/usr/local/lib/python3.13/site-packages/django/db/models/sql/query.py", line 1319, in check_query_object_type
    raise ValueError(
        ...
    )
ValueError: Cannot query "user@mycompany.com": Must be "Product" instance.

Expected Behavior

The /submit/ endpoint should either:

  • Correctly filter VD requests by the authenticated user's product authorization, or
  • Return a 403 if the user lacks permission (not a 500 ValueError)

Actual Behavior

{"message":"Internal server error, check logs for details"}
500 Internal Server Error with ValueError: Cannot query "user@mycompany.com": Must be "Product" instance.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions