Mirror Reader Product_Member rows into authorized_users in tests

Maffooch · claude · Maffooch · commit ccc265eed319 · 2026-05-18T10:02:35.000-06:00
Tests for `test_product_endpoint_report_scoping` and
`test_location_finding_reference_authz` set up authorization via
``Product_Member`` rows, but legacy authorization queries
(`get_authorized_*`) check the ``Product.authorized_users`` M2M directly
— ``Product_Member`` rows are inert at runtime. Reader-role rows are
also skipped by ``LegacyAuthMirrorMixin`` (which mirrors non-Reader
roles only, to preserve deny-path test coverage). The tests need the
restricted users to actually have access, so mirror their RBAC rows
into ``authorized_users`` explicitly.

Also rename ``test_finding_reset_duplicate_reader`` -&gt;
``..._reader_denied`` so it matches the ``_reader_`` suffix the
``TestRelatedObjectPermissions.setUp`` skip check looks for — the
prior name slipped past the skip and asserted a 403 that legacy auth
returns as a 404.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/unittests/test_location_finding_reference_authz.py b/unittests/test_location_finding_reference_authz.py
@@ -5,6 +5,7 @@
 from dojo.location.queries import get_authorized_location_finding_reference
 from dojo.location.status import FindingLocationStatus, ProductLocationStatus
 from dojo.models import (
+    Dojo_User,
     Engagement,
     Finding,
     Product,
@@ -61,6 +62,11 @@ def setUpTestData(cls):
         )
         Product_Member.objects.create(user=cls.alice, product=cls.product_a, role=reader_role)
         Product_Member.objects.create(user=cls.bob, product=cls.product_b, role=reader_role)
+        # Legacy authorization collapses Reader/Writer/Maintainer/Owner into
+        # a single ``authorized_users`` membership; mirror the RBAC rows so
+        # the users are visible to ``get_authorized_*`` queries.
+        cls.product_a.authorized_users.add(Dojo_User.objects.get(pk=cls.alice.pk))
+        cls.product_b.authorized_users.add(Dojo_User.objects.get(pk=cls.bob.pk))
 
         cls.finding_a = cls._make_finding(cls.product_a, test_type, title="Finding A")
         cls.finding_b = cls._make_finding(cls.product_b, test_type, title="Finding B")
diff --git a/unittests/test_permissions_audit.py b/unittests/test_permissions_audit.py
@@ -1645,7 +1645,7 @@ def test_finding_metadata_reader_allowed(self):
     # self.get_object() so DRF's object-level permission check runs via
     # UserHasFindingRelatedObjectPermission (POST -> Finding_Edit).
 
-    def test_finding_reset_duplicate_reader(self):
+    def test_finding_reset_duplicate_reader_denied(self):
         """Reader lacks Finding_Edit — POST must be denied before the helper runs."""
         client = self._client_for_user(self.reader_user)
         url = reverse("finding-reset-finding-duplicate-status", args=(self.finding.id,))
diff --git a/unittests/test_product_endpoint_report_scoping.py b/unittests/test_product_endpoint_report_scoping.py
@@ -3,6 +3,7 @@
 
 from dojo.authorization.roles_permissions import Roles
 from dojo.models import (
+    Dojo_User,
     Endpoint,
     Endpoint_Status,
     Engagement,
@@ -67,6 +68,10 @@ def setUpTestData(cls):
             product=cls.product_a,
             role=reader_role,
         )
+        # Legacy authorization collapses Reader/Writer/Maintainer/Owner into
+        # a single ``authorized_users`` membership; mirror the RBAC row so
+        # the user is visible to ``get_authorized_*`` queries.
+        cls.product_a.authorized_users.add(Dojo_User.objects.get(pk=cls.restricted_user.pk))
 
     @classmethod
     def _create_finding_with_endpoint(cls, product, title, description, *, host):
