Hotfix: Fixed evidence for admins

[chrismaddalena]

CHANGELOG

[7.0.2] - 10 June 2026

Fixed

• Fixed evidence listings inside the collab editor for privileged users
  • The list of evidence could appear empty for admins and managers if they were not assigned to the related project
  • Permissions checked for project data access via invites and assignments, but missed access from the privileged roles

[Copilot]

Pull request overview

This hotfix targets the collaborative editor’s evidence picker behavior by adjusting Hasura row-level permissions so privileged users (e.g., admins/managers) can see evidence even when they aren’t explicitly assigned/invited on the underlying project.

Changes:

• Updated Hasura collab select permissions for reporting_evidence to allow privileged users (admin/manager/staff) to pass the project-access gate.
• Simplified the evidence GraphQL query usage in the collab frontend (no longer constructing page-specific where filters) and removed the now-unused finding ID template marker.
• Bumped version metadata (VERSION + Django settings) and documented the fix in the changelog; updated Hasura metadata tests accordingly.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
VERSION	Bumps release version to v7.0.2.
config/settings/base.py	Updates application __version__ constant to 7.0.2.
CHANGELOG.md	Adds 7.0.2 entry describing the privileged-user evidence fix.
hasura-docker/metadata/databases/default/tables/public_reporting_evidence.yaml	Adjusts collab role evidence select permissions to include privileged users and modifies report/finding scoping logic.
ghostwriter/api/tests/test_hasura_metadata.py	Updates expected Hasura metadata filters and adds a helper for privileged-user checks.
javascript/src/frontend/graphql/evidence.tsx	Removes report/finding-derived where filters and queries evidence with an empty bool-exp.
ghostwriter/reporting/templates/reporting/report_finding_link_update.html	Removes the graphql-evidence-finding-id marker from the finding edit page.

[augmentcode]

🤖 Augment PR Summary

Summary: Hotfix release bump to 7.0.2 to restore evidence listings in the collaborative editor for privileged users.

Changes:

• Updated Hasura collab-role permissions for reporting_evidence to recognize privileged users (admin/manager/staff) via an _exists check against users_user.
• Adjusted the collab evidence scope to key off the collab report id (including evidence attached via a finding’s report relationship), removing the need for a separate collab finding id constraint.
• Removed the collab finding-id DOM hook from the finding-link update template and simplified the frontend evidence query to rely on Hasura scoping.
• Updated Hasura metadata tests to match the new permission filter expectations.
• Bumped version metadata (VERSION + settings) and added a 7.0.2 changelog entry.

Technical Notes: Evidence visibility in the collab editor is now enforced primarily through Hasura row-level permissions driven by collab JWT/session variables.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.61%. Comparing base (aef70b7) to head (d885f4d).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #902   +/-   ##
=======================================
  Coverage   93.61%   93.61%           
=======================================
  Files         404      404           
  Lines       27679    27687    +8     
=======================================
+ Hits        25912    25920    +8     
  Misses       1767     1767           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.