ISO-27001-Risk-Management/risks/admin.py


from django.contrib import admin
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from django.utils.translation import gettext_lazy as _
from .models import Control, Incident, NotificationPreference , Risk, ResidualRisk, User
# Branding for the default admin site. The strings go through gettext_lazy
# (imported as _), so they are translated when rendered, not at import time.
admin.site.site_header = _("Administration")
admin.site.site_title = _("Admin")
admin.site.index_title = _("Administration")
class NotificationPreferenceInline(admin.StackedInline):
    """Stacked inline for a user's NotificationPreference record.

    UserAdmin lists this inline, so the flags are edited on the user change
    page. They are grouped by the kind of object they refer to. The record
    cannot be deleted from the inline and no blank extra form is rendered.
    """

    model = NotificationPreference
    extra = 0
    can_delete = False
    fieldsets = (
        (
            _("Risks"),
            {"fields": ("risk_created", "risk_updated", "risk_deleted")},
        ),
        (
            _("Controls"),
            {"fields": ("control_created", "control_updated", "control_deleted")},
        ),
        (
            _("Residual risks"),
            {"fields": ("residual_created", "residual_updated", "residual_deleted")},
        ),
        (
            _("Reviews"),
            {"fields": ("review_required", "review_completed")},
        ),
        (
            _("Incidents"),
            {"fields": ("incident_created", "incident_updated", "incident_deleted")},
        ),
        (
            _("Users"),
            {"fields": ("user_created", "user_deleted")},
        ),
    )
@admin.register(User)
class UserAdmin(BaseUserAdmin):
    """Admin for the project's User model, built on Django's stock UserAdmin.

    Adds an "SSO Information" section, two per-user counters in the change
    list, and the notification preferences as an inline.
    """

    inlines = [NotificationPreferenceInline]
    list_display = (
        "username",
        "email",
        "is_staff",
        "is_superuser",
        "is_sso_user",
        "owned_risks_count",
        "responsible_controls_count",
    )
    # is_sso_user is editable by every staff account that may change users.
    # NOTE(review): if this flag influences how the account is allowed to
    # authenticate, consider making it read-only for non-superusers; confirm
    # against the authentication code, which is not part of this file.
    fieldsets = (
        *BaseUserAdmin.fieldsets,
        (_("SSO Information"), {"fields": ("is_sso_user",)}),
    )

    def owned_risks_count(self, obj):
        """Return how many risks are reachable through ``obj.risks_owned``."""
        # One COUNT query per row of the change list.
        owned = obj.risks_owned
        return owned.count()

    owned_risks_count.short_description = _("Risks Owned")

    def responsible_controls_count(self, obj):
        """Return how many controls are reachable through ``obj.controls_responsible``."""
        # One COUNT query per row of the change list.
        assigned = obj.controls_responsible
        return assigned.count()

    responsible_controls_count.short_description = _("Controls Responsible")
class ResidualRiskInline(admin.StackedInline):
    """Inline editor for the ResidualRisk attached to a Risk.

    Only ``likelihood`` and ``impact`` can be edited; ``score``, ``level``
    and ``review_required`` are displayed read-only. The record cannot be
    deleted from the inline and no blank extra form is rendered.
    """

    model = ResidualRisk
    can_delete = False
    extra = 0
    fields = (
        "likelihood",
        "impact",
        "score",
        "level",
        "review_required",
    )
    readonly_fields = (
        "score",
        "level",
        "review_required",
    )
class ControlRisksInline(admin.TabularInline):
    """Tabular inline over the Control.risks through table, keyed on ``risk``.

    Lets controls be linked to a risk from the risk change page. The control
    is picked with an autocomplete widget and one blank row is offered.
    """

    model = Control.risks.through
    fk_name = "risk"
    autocomplete_fields = ("control",)
    extra = 1
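@admin.register(Risk)
class RiskAdmin(admin.ModelAdmin):
    """Admin for Risk, with its residual risk and control links as inlines.

    Every write path tags the affected object with ``_changed_by`` (the
    acting admin user) before saving or deleting it. The attribute is
    presumably read by signal handlers or model code outside this file
    (confirm). Besides ``save_model``/``delete_model`` this covers the two
    paths Django does not route through them: inline formsets and the bulk
    "delete selected" action.
    """

    list_display = (
        "title",
        "owner_name",
        "status",
        "score",
        "level",
        "likelihood",
        "impact",
        "follow_up",
    )
    list_filter = ("status", "level", "likelihood", "impact", "owner")
    search_fields = ("title", "asset", "process", "category")
    inlines = [ResidualRiskInline, ControlRisksInline]

    def owner_name(self, obj):
        """Return the owner's full name, falling back to the username, or "-"."""
        if not obj.owner:
            return "-"
        return obj.owner.get_full_name() or obj.owner.username

    def save_model(self, request, obj, form, change):
        """Record the acting user on the risk, then save it."""
        obj._changed_by = request.user
        super().save_model(request, obj, form, change)

    def save_formset(self, request, form, formset, change):
        """Save inline objects with the acting user recorded on each one.

        Inline rows (ResidualRisk, control links) are saved by the formset
        and never pass through ``save_model``, so without this override they
        would be written without ``_changed_by``.
        """
        pending = formset.save(commit=False)
        for removed in formset.deleted_objects:
            removed._changed_by = request.user
            removed.delete()
        for instance in pending:
            instance._changed_by = request.user
            instance.save()
        formset.save_m2m()

    def delete_model(self, request, obj):
        """Record the acting user on the risk, then delete it."""
        obj._changed_by = request.user
        super().delete_model(request, obj)

    def delete_queryset(self, request, queryset):
        """Delete the selected risks one by one, recording the acting user.

        The bulk "delete selected" action calls this hook instead of
        ``delete_model``, so a plain queryset delete would leave the removed
        objects without ``_changed_by``.
        """
        from django.db import transaction

        # Keep the all-or-nothing behaviour of the default bulk delete.
        with transaction.atomic(using=queryset.db):
            for obj in queryset:
                obj._changed_by = request.user
                obj.delete()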
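@admin.register(ResidualRisk)
class ResidualRiskAdmin(admin.ModelAdmin):
    """Stand-alone admin for ResidualRisk records.

    Saves and deletes tag the object with ``_changed_by`` (the acting admin
    user). The attribute is presumably read by signal handlers or model code
    outside this file (confirm). The bulk "delete selected" action is
    covered as well.
    """

    list_display = (
        "risk",
        "score",
        "level",
        "likelihood",
        "impact",
        "review_required",
    )
    list_filter = ("level", "likelihood", "impact", "review_required")

    def save_model(self, request, obj, form, change):
        """Record the acting user on the residual risk, then save it."""
        obj._changed_by = request.user
        super().save_model(request, obj, form, change)

    def delete_model(self, request, obj):
        """Record the acting user on the residual risk, then delete it."""
        obj._changed_by = request.user
        super().delete_model(request, obj)

    def delete_queryset(self, request, queryset):
        """Delete the selected records one by one, recording the acting user.

        The bulk "delete selected" action calls this hook instead of
        ``delete_model``, so a plain queryset delete would leave the removed
        objects without ``_changed_by``.
        """
        from django.db import transaction

        # Keep the all-or-nothing behaviour of the default bulk delete.
        with transaction.atomic(using=queryset.db):
            for obj in queryset:
                obj._changed_by = request.user
                obj.delete()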
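@admin.register(Control)
class ControlAdmin(admin.ModelAdmin):
    """Admin for Control records.

    Saves and deletes tag the object with ``_changed_by`` (the acting admin
    user). The attribute is presumably read by signal handlers or model code
    outside this file (confirm). The bulk "delete selected" action is
    covered as well.
    """

    list_display = ("title", "status", "due_date", "responsible")
    list_filter = ("status", "due_date")
    search_fields = ("title", "description")
    autocomplete_fields = ("risks", "responsible")

    def save_model(self, request, obj, form, change):
        """Record the acting user on the control, then save it."""
        obj._changed_by = request.user
        super().save_model(request, obj, form, change)

    def delete_model(self, request, obj):
        """Record the acting user on the control, then delete it."""
        obj._changed_by = request.user
        super().delete_model(request, obj)

    def delete_queryset(self, request, queryset):
        """Delete the selected controls one by one, recording the acting user.

        The bulk "delete selected" action calls this hook instead of
        ``delete_model``, so a plain queryset delete would leave the removed
        objects without ``_changed_by``.
        """
        from django.db import transaction

        # Keep the all-or-nothing behaviour of the default bulk delete.
        with transaction.atomic(using=queryset.db):
            for obj in queryset:
                obj._changed_by = request.user
                obj.delete()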
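@admin.register(Incident)
class IncidentAdmin(admin.ModelAdmin):
    """Admin for Incident records.

    Saves and deletes tag the object with ``_changed_by`` (the acting admin
    user). The attribute is presumably read by signal handlers or model code
    outside this file (confirm). The bulk "delete selected" action is
    covered as well.
    """

    list_display = ("title", "date_reported", "reported_by", "status")
    list_filter = ("status", "date_reported", "reported_by")
    search_fields = ("title", "description")
    # related_risks was also listed in filter_horizontal. Django picks the
    # autocomplete widget when a field appears in both, so that entry had no
    # effect and is dropped.
    autocomplete_fields = ("related_risks",)

    def save_model(self, request, obj, form, change):
        """Record the acting user on the incident, then save it."""
        obj._changed_by = request.user
        super().save_model(request, obj, form, change)

    def delete_model(self, request, obj):
        """Record the acting user on the incident, then delete it."""
        obj._changed_by = request.user
        super().delete_model(request, obj)

    def delete_queryset(self, request, queryset):
        """Delete the selected incidents one by one, recording the acting user.

        The bulk "delete selected" action calls this hook instead of
        ``delete_model``, so a plain queryset delete would leave the removed
        objects without ``_changed_by``.
        """
        from django.db import transaction

        # Keep the all-or-nothing behaviour of the default bulk delete.
        with transaction.atomic(using=queryset.db):
            for obj in queryset:
                obj._changed_by = request.user
                obj.delete()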