From 4f400acc9bc9be99a018468d11f5568b5315badf Mon Sep 17 00:00:00 2001
From: monsieurswag <mael.joumier@intuitem.com>
Date: Wed, 29 Oct 2025 15:42:31 +0100
Subject: [PATCH 1/4] feat: Choose the domain of applied controls created from
 an audit

---
 backend/core/models.py                        |  2 +-
 backend/core/views.py                         | 20 +++++++++++++++++++
 backend/iam/models.py                         | 11 +++++++---
 .../ModelForm/AppliedControlPolicyForm.svelte |  3 +--
 frontend/src/params/fields.ts                 |  4 +++-
 5 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/backend/core/models.py b/backend/core/models.py
index 5e211b288f..372d23e86f 100644
--- a/backend/core/models.py
+++ b/backend/core/models.py
@@ -4789,7 +4789,7 @@ class Meta:
     #     risk_matrix = self.risk_assessment.risk_matrix.parse_json()
     #     return [(k, v) for k, v in risk_matrix.fields[field].items()]
 
-    def get_folder_full_path(self, include_root: bool = False) -> list[Folder]:
+    def get_folder_full_path(self, *, include_root: bool = False) -> list[Folder]:
         return self.risk_assessment.get_folder_full_path(include_root=include_root)
 
     @property
diff --git a/backend/core/views.py b/backend/core/views.py
index 74d0b17728..bf918fc06d 100644
--- a/backend/core/views.py
+++ b/backend/core/views.py
@@ -3625,6 +3625,26 @@ def list(self, request, *args, **kwargs):
     def retrieve(self, request, *args, **kwargs):
         return super().retrieve(request, *args, **kwargs)
 
+    @action(detail=True, methods=["get"])
+    def subdomains(self, request, pk):
+        """
+        Returns a list composed of the given domain and all its subdomains
+        """
+        instance = Folder.objects.filter(pk=pk).first()
+        if not instance:
+            return Response(status=status.HTTP_404_NOT_FOUND)
+
+        if not RoleAssignment.is_access_allowed(
+            user=request.user,
+            perm=Permission.objects.get(codename="view_folder"),
+            folder=instance,
+        ):
+            return Response(status=status.HTTP_403_FORBIDDEN)
+
+        subfolders = list(instance.get_sub_folders(include_self=True))
+        serializer = FolderReadSerializer(subfolders, many=True)
+        return Response(serializer.data)
+
     @action(detail=False, methods=["get"])
     def org_tree(self, request):
         """
diff --git a/backend/iam/models.py b/backend/iam/models.py
index 80e0f26181..cb1df0f879 100644
--- a/backend/iam/models.py
+++ b/backend/iam/models.py
@@ -122,9 +122,14 @@ class Meta:
     def __str__(self) -> str:
         return self.name.__str__()
 
-    def get_sub_folders(self) -> Generator[Self, None, None]:
+    def get_sub_folders(
+        self, *, include_self: bool = False
+    ) -> Generator[Self, None, None]:
         """Return the list of subfolders"""
 
+        if include_self:
+            yield self
+
         def sub_folders_in(folder):
             for sub_folder in folder.folder_set.all():
                 yield sub_folder
@@ -139,7 +144,7 @@ def get_parent_folders(self) -> Generator[Self, None, None]:
         while (current_folder := current_folder.parent_folder) is not None:
             yield current_folder
 
-    def get_folder_full_path(self, include_root: bool = False) -> list[Self]:
+    def get_folder_full_path(self, *, include_root: bool = False) -> list[Self]:
         """
         Get the full path of the folder including its parents.
         If include_root is True, the root folder is included in the path.
@@ -328,7 +333,7 @@ class FolderMixin(models.Model):
         default=Folder.get_root_folder_id,
     )
 
-    def get_folder_full_path(self, include_root: bool = False) -> list[Folder]:
+    def get_folder_full_path(self, *, include_root: bool = False) -> list[Folder]:
         folders = ([self.folder] + [f for f in self.folder.get_parent_folders()])[::-1]
         if include_root:
             return folders
diff --git a/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte b/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
index 87a875f231..89f1a30ea2 100644
--- a/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
+++ b/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
@@ -343,11 +343,10 @@
 
 <AutocompleteSelect
 	{form}
-	optionsEndpoint="folders?content_type=DO&content_type=GL"
+	optionsEndpoint={`folders/${initialData.folder}/subdomains/`}
 	field="folder"
 	pathField="path"
 	cacheLock={cacheLocks['folder']}
 	bind:cachedValue={formDataCache['folder']}
 	label={m.domain()}
-	hidden={initialData.folder}
 />
diff --git a/frontend/src/params/fields.ts b/frontend/src/params/fields.ts
index c36fa79f1e..66470c6cf3 100644
--- a/frontend/src/params/fields.ts
+++ b/frontend/src/params/fields.ts
@@ -12,7 +12,9 @@ import type { ParamMatcher } from '@sveltejs/kit';
  */
 
 export const match = ((param) => {
-	const fields = new Set<string>();
+	const fields = new Set<string>([
+		'subdomains' // For the /folders/{uuid}/subdomains/ endpoint.
+	]);
 
 	Object.values(listViewFields).forEach((field) => {
 		if ('body' in field && field.body) {

From e2329d96a0564b8c179f3044f9dd2807456f1f33 Mon Sep 17 00:00:00 2001
From: monsieurswag <mael.joumier@intuitem.com>
Date: Fri, 31 Oct 2025 10:18:26 +0100
Subject: [PATCH 2/4] Fix broken domain selection for applied control creation

---
 frontend/src/lib/components/Forms/ModelForm.svelte     |  3 +++
 .../Forms/ModelForm/AppliedControlPolicyForm.svelte    | 10 +++++++++-
 frontend/src/lib/components/Modals/CreateModal.svelte  |  3 +++
 .../[id=uuid]/edit/+page.svelte                        |  1 +
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/frontend/src/lib/components/Forms/ModelForm.svelte b/frontend/src/lib/components/Forms/ModelForm.svelte
index 4ad50631a3..987f3b38af 100644
--- a/frontend/src/lib/components/Forms/ModelForm.svelte
+++ b/frontend/src/lib/components/Forms/ModelForm.svelte
@@ -93,6 +93,7 @@
 		taintedMessage?: string | boolean;
 		model: ModelInfo;
 		context?: string;
+		origin?: string | null;
 		caching?: boolean;
 		closeModal?: boolean;
 		parent?: any;
@@ -113,6 +114,7 @@
 		taintedMessage = m.taintedFormMessage(),
 		model,
 		context = 'default',
+		origin = null,
 		caching = false,
 		closeModal = false,
 		parent = {},
@@ -367,6 +369,7 @@
 				{cacheLocks}
 				{formDataCache}
 				{schema}
+				{origin}
 				{initialData}
 				{...rest}
 			/>
diff --git a/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte b/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
index 89f1a30ea2..6ff6a99918 100644
--- a/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
+++ b/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
@@ -23,6 +23,7 @@
 		cacheLocks?: Record<string, CacheLock>;
 		formDataCache?: Record<string, any>;
 		schema?: any;
+		origin?: string | null;
 		initialData?: Record<string, any>;
 	}
 
@@ -33,6 +34,7 @@
 		cacheLocks = {},
 		formDataCache = $bindable({}),
 		schema = {},
+		origin = null,
 		initialData = {}
 	}: Props = $props();
 
@@ -67,6 +69,12 @@
 			});
 		}
 	});
+
+	let domainOptionEndpoint = $derived(
+		origin === 'requirement-assessments'
+			? `folders/${initialData.folder}/subdomains/`
+			: 'folders?content_type=DO&content_type=GL'
+	);
 </script>
 
 {#if !duplicate}
@@ -343,7 +351,7 @@
 
 <AutocompleteSelect
 	{form}
-	optionsEndpoint={`folders/${initialData.folder}/subdomains/`}
+	optionsEndpoint={domainOptionEndpoint}
 	field="folder"
 	pathField="path"
 	cacheLock={cacheLocks['folder']}
diff --git a/frontend/src/lib/components/Modals/CreateModal.svelte b/frontend/src/lib/components/Modals/CreateModal.svelte
index 5ac14c0075..8d5a1d6664 100644
--- a/frontend/src/lib/components/Modals/CreateModal.svelte
+++ b/frontend/src/lib/components/Modals/CreateModal.svelte
@@ -26,6 +26,7 @@
 		invalidateAll?: boolean; // set to false to keep form data using muliple forms on a page
 		formAction?: string;
 		context?: string;
+		origin?: string | null;
 		additionalInitialData?: any;
 		suggestions?: { [key: string]: any };
 		taintedMessage?: string | boolean;
@@ -43,6 +44,7 @@
 		invalidateAll = true,
 		formAction = '?/create',
 		context = 'create',
+		origin = null,
 		additionalInitialData = {},
 		suggestions = {},
 		taintedMessage = false,
@@ -87,6 +89,7 @@
 			{model}
 			{closeModal}
 			{context}
+			{origin}
 			{duplicate}
 			{taintedMessage}
 			caching={true}
diff --git a/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte b/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte
index ee616b412f..07efa14ec3 100644
--- a/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte
+++ b/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte
@@ -76,6 +76,7 @@
 				model: data.measureModel,
 				debug: false,
 				invalidateAll: false,
+				origin: 'requirement-assessments'
 				suggestions: { reference_control: reference_controls }
 			}
 		};

From 95550dcfb9c4208f53b65c1af0768b2cac35f58e Mon Sep 17 00:00:00 2001
From: monsieurswag <mael.joumier@intuitem.com>
Date: Fri, 31 Oct 2025 11:04:14 +0100
Subject: [PATCH 3/4] fix syntax

---
 .../requirement-assessments/[id=uuid]/edit/+page.svelte         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte b/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte
index 07efa14ec3..f76644b447 100644
--- a/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte
+++ b/frontend/src/routes/(app)/(third-party)/requirement-assessments/[id=uuid]/edit/+page.svelte
@@ -76,7 +76,7 @@
 				model: data.measureModel,
 				debug: false,
 				invalidateAll: false,
-				origin: 'requirement-assessments'
+				origin: 'requirement-assessments',
 				suggestions: { reference_control: reference_controls }
 			}
 		};

From b9e081faf9aa534bd723fda11f1f9bce9ef038fd Mon Sep 17 00:00:00 2001
From: monsieurswag <mael.joumier@intuitem.com>
Date: Tue, 11 Nov 2025 06:31:59 +0100
Subject: [PATCH 4/4] Use scope_folder_id for subdomain filtering

---
 backend/core/views.py                         | 20 -------------------
 backend/iam/models.py                         |  7 +------
 .../ModelForm/AppliedControlPolicyForm.svelte | 11 ++++------
 frontend/src/params/fields.ts                 |  4 +---
 4 files changed, 6 insertions(+), 36 deletions(-)

diff --git a/backend/core/views.py b/backend/core/views.py
index beb29c9c01..4891dccbbf 100644
--- a/backend/core/views.py
+++ b/backend/core/views.py
@@ -4113,26 +4113,6 @@ def list(self, request, *args, **kwargs):
     def retrieve(self, request, *args, **kwargs):
         return super().retrieve(request, *args, **kwargs)
 
-    @action(detail=True, methods=["get"])
-    def subdomains(self, request, pk):
-        """
-        Returns a list composed of the given domain and all its subdomains
-        """
-        instance = Folder.objects.filter(pk=pk).first()
-        if not instance:
-            return Response(status=status.HTTP_404_NOT_FOUND)
-
-        if not RoleAssignment.is_access_allowed(
-            user=request.user,
-            perm=Permission.objects.get(codename="view_folder"),
-            folder=instance,
-        ):
-            return Response(status=status.HTTP_403_FORBIDDEN)
-
-        subfolders = list(instance.get_sub_folders(include_self=True))
-        serializer = FolderReadSerializer(subfolders, many=True)
-        return Response(serializer.data)
-
     @action(detail=False, methods=["get"])
     def org_tree(self, request):
         """
diff --git a/backend/iam/models.py b/backend/iam/models.py
index cb1df0f879..d41105dffe 100644
--- a/backend/iam/models.py
+++ b/backend/iam/models.py
@@ -122,14 +122,9 @@ class Meta:
     def __str__(self) -> str:
         return self.name.__str__()
 
-    def get_sub_folders(
-        self, *, include_self: bool = False
-    ) -> Generator[Self, None, None]:
+    def get_sub_folders(self) -> Generator[Self, None, None]:
         """Return the list of subfolders"""
 
-        if include_self:
-            yield self
-
         def sub_folders_in(folder):
             for sub_folder in folder.folder_set.all():
                 yield sub_folder
diff --git a/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte b/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
index 9359bdfea3..7de8258f8e 100644
--- a/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
+++ b/frontend/src/lib/components/Forms/ModelForm/AppliedControlPolicyForm.svelte
@@ -76,12 +76,6 @@
 			});
 		}
 	});
-
-	let domainOptionEndpoint = $derived(
-		origin === 'requirement-assessments'
-			? `folders/${initialData.folder}/subdomains/`
-			: 'folders?content_type=DO&content_type=GL'
-	);
 </script>
 
 {#if !duplicate}
@@ -445,7 +439,10 @@
 
 <AutocompleteSelect
 	{form}
-	optionsEndpoint={domainOptionEndpoint}
+	optionsEndpoint="folders?content_type=DO&content_type=GL"
+	optionsDetailedUrlParameters={origin === 'requirement-assessments'
+		? [['scope_folder_id', initialData.folder]]
+		: []}
 	field="folder"
 	pathField="path"
 	cacheLock={cacheLocks['folder']}
diff --git a/frontend/src/params/fields.ts b/frontend/src/params/fields.ts
index 66470c6cf3..c36fa79f1e 100644
--- a/frontend/src/params/fields.ts
+++ b/frontend/src/params/fields.ts
@@ -12,9 +12,7 @@ import type { ParamMatcher } from '@sveltejs/kit';
  */
 
 export const match = ((param) => {
-	const fields = new Set<string>([
-		'subdomains' // For the /folders/{uuid}/subdomains/ endpoint.
-	]);
+	const fields = new Set<string>();
 
 	Object.values(listViewFields).forEach((field) => {
 		if ('body' in field && field.body) {