refactor: consolidate RBAC into dojo/authorization package

Move every RBAC / authorization concern into a single dojo/authorization/
package. Before this change authorization code lived in seven different
places: dojo/models.py (RBAC models), 14 per-app queries.py files
(get_authorized_*), every view file (@user_is_authorized decorators),
dojo/api_v2/permissions.py, dojo/location/api/permissions.py, and
dojo/templatetags/authorization_tags.py.

Changes
- Move 7 RBAC models (Role, Global_Role, Dojo_Group_Member,
  Product_Member, Product_Group, Product_Type_Member,
  Product_Type_Group) from dojo/models.py to
  dojo/authorization/models.py. app_label='dojo' is preserved so no
  migrations are needed; ~47 import sites are updated.
- Merge dojo/api_v2/permissions.py and
  dojo/location/api/permissions.py into
  dojo/authorization/api_permissions.py.
- Extract template-tag logic from
  dojo/templatetags/authorization_tags.py into
  dojo/authorization/template_filters.py; the templatetags module
  becomes a thin registration proxy.
- Add dojo/authorization/query_filters.py (registry) and
  dojo/authorization/query_registrations.py (~1.9k lines of RBAC
  filter logic extracted from 14 per-app queries.py files). Each
  get_authorized_* becomes a thin wrapper that defers to the registry
  and falls back to unfiltered querysets when no RBAC backend is
  registered.
- Add dojo/authorization/url_permissions.py mapping ~198 URL names to
  permission checks plus dojo/authorization/middleware.py with
  AuthorizationMiddleware enforcing them via process_view. Removes
  @user_is_authorized, @user_has_global_permission, and
  @user_is_configuration_authorized from 26 view files.
- Update dojo/authorization/__init__.py exports and trigger
  query-filter registration at app startup.

Behavior is unchanged: authorization checks for the ~198 mapped URLs
now run in middleware (process_view) instead of view bodies, but
produce the same allow/deny outcome. Non-RBAC deployments keep working
because get_authorized_* falls back to unfiltered querysets.

Tests: unittests/test_permissions_audit.py exercises the URL-permission
map for completeness; existing API/UI suites pass.

Author: Maffooch

dojo/announcement/views.py

@@ -7,17 +7,13 @@
 from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
 
-from dojo.authorization.authorization_decorators import (
-    user_is_configuration_authorized,
-)
 from dojo.forms import AnnouncementCreateForm, AnnouncementRemoveForm
 from dojo.models import Announcement, UserAnnouncement
 from dojo.utils import add_breadcrumb
 
 logger = logging.getLogger(__name__)
 
 
-@user_is_configuration_authorized("dojo.change_announcement")
 def configure_announcement(request):
     remove = False
     if request.method == "GET":

dojo/api_v2/serializers.py

@@ -26,6 +26,15 @@
 import dojo.finding.helper as finding_helper
 import dojo.risk_acceptance.helper as ra_helper
 from dojo.authorization.authorization import user_has_permission
+from dojo.authorization.models import (
+    Dojo_Group_Member,
+    Global_Role,
+    Product_Group,
+    Product_Member,
+    Product_Type_Group,
+    Product_Type_Member,
+    Role,
+)
 from dojo.authorization.roles_permissions import Permissions
 from dojo.celery_dispatch import dojo_dispatch_task
 from dojo.endpoint.utils import endpoint_filter, endpoint_meta_import
@@ -61,7 +70,6 @@
     Cred_User,
     Development_Environment,
     Dojo_Group,
-    Dojo_Group_Member,
     Dojo_User,
     DojoMeta,
     Endpoint,
@@ -75,7 +83,6 @@
     Finding_Group,
     Finding_Template,
     General_Survey,
-    Global_Role,
     Language_Type,
     Languages,
     Network_Locations,
@@ -86,15 +93,10 @@
     Notifications,
     Product,
     Product_API_Scan_Configuration,
-    Product_Group,
-    Product_Member,
     Product_Type,
-    Product_Type_Group,
-    Product_Type_Member,
     Question,
     Regulation,
     Risk_Acceptance,
-    Role,
     SLA_Configuration,
     Sonarqube_Issue,
     Sonarqube_Issue_Transition,

dojo/api_v2/views.py

@@ -41,12 +41,21 @@
     mixins as dojo_mixins,
 )
 from dojo.api_v2 import (
-    permissions,
     prefetch,
     serializers,
 )
 from dojo.api_v2.prefetch.prefetcher import _Prefetcher
+from dojo.authorization import api_permissions as permissions
 from dojo.authorization.authorization import user_has_permission_or_403
+from dojo.authorization.models import (
+    Dojo_Group_Member,
+    Global_Role,
+    Product_Group,
+    Product_Member,
+    Product_Type_Group,
+    Product_Type_Member,
+    Role,
+)
 from dojo.authorization.roles_permissions import Permissions
 from dojo.celery_dispatch import dojo_dispatch_task
 from dojo.cred.queries import get_authorized_cred_mappings
@@ -100,7 +109,6 @@
     Cred_User,
     Development_Environment,
     Dojo_Group,
-    Dojo_Group_Member,
     Dojo_User,
     DojoMeta,
     Endpoint,
@@ -112,7 +120,6 @@
     Finding,
     Finding_Template,
     General_Survey,
-    Global_Role,
     Language_Type,
     Languages,
     Network_Locations,
@@ -123,15 +130,10 @@
     Notifications,
     Product,
     Product_API_Scan_Configuration,
-    Product_Group,
-    Product_Member,
     Product_Type,
-    Product_Type_Group,
-    Product_Type_Member,
     Question,
     Regulation,
     Risk_Acceptance,
-    Role,
     SLA_Configuration,
     Sonarqube_Issue,
     Sonarqube_Issue_Transition,

dojo/asset/api/filters.py

@@ -3,6 +3,10 @@
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 
+from dojo.authorization.models import (
+    Product_Group,
+    Product_Member,
+)
 from dojo.filters import (
     CharFieldFilterANDExpression,
     CharFieldInFilter,
@@ -16,8 +20,6 @@
 from dojo.models import (
     Product,
     Product_API_Scan_Configuration,
-    Product_Group,
-    Product_Member,
 )
 
 labels = get_labels()

dojo/asset/api/serializers.py

@@ -3,13 +3,15 @@
 
 from dojo.api_v2.serializers import ProductMetaSerializer, TagListSerializerField
 from dojo.authorization.authorization import user_has_permission
+from dojo.authorization.models import (
+    Product_Group,
+    Product_Member,
+)
 from dojo.authorization.roles_permissions import Permissions
 from dojo.models import (
     Dojo_User,
     Product,
     Product_API_Scan_Configuration,
-    Product_Group,
-    Product_Member,
 )
 from dojo.organization.api.serializers import RelatedOrganizationField
 from dojo.product.queries import get_authorized_products

dojo/asset/api/views.py

@@ -6,7 +6,7 @@
 from rest_framework.response import Response
 
 import dojo.api_v2.mixins as dojo_mixins
-from dojo.api_v2 import permissions, prefetch
+from dojo.api_v2 import prefetch
 from dojo.api_v2.serializers import ReportGenerateOptionSerializer, ReportGenerateSerializer
 from dojo.api_v2.views import PrefetchDojoModelViewSet, report_generate, schema_with_prefetch
 from dojo.asset.api import serializers
@@ -16,12 +16,15 @@
     AssetGroupFilterSet,
     AssetMemberFilterSet,
 )
+from dojo.authorization import api_permissions as permissions
+from dojo.authorization.models import (
+    Product_Group,
+    Product_Member,
+)
 from dojo.authorization.roles_permissions import Permissions
 from dojo.models import (
     Product,
     Product_API_Scan_Configuration,
-    Product_Group,
-    Product_Member,
 )
 from dojo.product.queries import (
     get_authorized_product_api_scan_configurations,

dojo/authorization/__init__.py

@@ -0,0 +1,11 @@
+# Import query_registrations to trigger RBAC filter registration at startup
+from dojo.authorization import query_registrations  # noqa: F401
+from dojo.authorization.authorization import (  # noqa: F401
+    user_has_configuration_permission,
+    user_has_global_permission,
+    user_has_global_permission_or_403,
+    user_has_permission,
+    user_has_permission_or_403,
+    user_is_superuser_or_global_owner,
+)
+from dojo.authorization.roles_permissions import Permissions, Roles  # noqa: F401

dojo/api_v2/permissions.py dojo/authorization/api_permissions.pydojo/api_v2/permissions.py renamed to dojo/authorization/api_permissions.py

@@ -1285,3 +1285,41 @@ class UserHasConfigurationPermissionSuperuser(
 
     def has_permission(self, request, view):
         return super().has_permission(request, view)
+
+
+class LocationFindingReferencePermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Finding,
+            "finding",
+            Permissions.Finding_Edit,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj.finding,
+            Permissions.Finding_View,
+            Permissions.Finding_Edit,
+            Permissions.Finding_Edit,
+        )
+
+
+class LocationProductReferencePermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product,
+            "product",
+            Permissions.Product_Edit,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj.product,
+            Permissions.Product_View,
+            Permissions.Product_Edit,
+            Permissions.Product_Edit,
+        )

dojo/authorization/authorization.py

@@ -1,6 +1,13 @@
 from django.core.exceptions import PermissionDenied
 from django.db.models import Model, QuerySet
 
+from dojo.authorization.models import (
+    Dojo_Group_Member,
+    Product_Group,
+    Product_Member,
+    Product_Type_Group,
+    Product_Type_Member,
+)
 from dojo.authorization.roles_permissions import (
     Permissions,
     Roles,
@@ -12,7 +19,6 @@
     App_Analysis,
     Cred_Mapping,
     Dojo_Group,
-    Dojo_Group_Member,
     Dojo_User,
     Endpoint,
     Engagement,
@@ -21,11 +27,7 @@
     Languages,
     Product,
     Product_API_Scan_Configuration,
-    Product_Group,
-    Product_Member,
     Product_Type,
-    Product_Type_Group,
-    Product_Type_Member,
     Risk_Acceptance,
     Stub_Finding,
     Test,

dojo/authorization/middleware.py

@@ -0,0 +1,50 @@
+from django.core.exceptions import PermissionDenied
+from django.shortcuts import get_object_or_404
+
+from dojo.authorization.authorization import (
+    user_has_configuration_permission,
+    user_has_global_permission_or_403,
+    user_has_permission_or_403,
+)
+from dojo.authorization.url_permissions import URL_PERMISSIONS
+
+
+class AuthorizationMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        return self.get_response(request)
+
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        # Skip API paths -- DRF has its own permission classes
+        if request.path.startswith("/api/"):
+            return
+
+        resolver_match = request.resolver_match
+        if resolver_match is None:
+            return
+
+        url_name = resolver_match.url_name
+        checks = URL_PERMISSIONS.get(url_name)
+        if not checks:
+            return
+
+        for check in checks:
+            check_type = check[0]
+            if check_type == "global":
+                _, permission = check
+                user_has_global_permission_or_403(request.user, permission)
+            elif check_type == "config":
+                _, permission = check
+                if not user_has_configuration_permission(request.user, permission):
+                    raise PermissionDenied
+            elif check_type == "object":
+                _, model, permission, arg_name = check
+                lookup_value = view_kwargs.get(arg_name)
+                if lookup_value is None:
+                    continue  # kwarg not present, skip this check
+                obj = get_object_or_404(model, pk=lookup_value)
+                user_has_permission_or_403(request.user, obj, permission)
+
+        return