docs(2.58): expand legacy authorization rewrite notes

devGregA · devGregA · commit 12dde7571b9f · 2026-04-30T12:07:10.000-06:00
Update the OS 2.58 upgrade notes and the Pro changelog entry to cover
all changes since the original Authorized Users panel:

* Authorized Users panel on Product / Product Type detail (already in
  the prior pass; kept).
* New view_user product/product_type read-only listings driven by
  authorized_users + four new authorize_user_for_* / revoke_user_from_*
  endpoints, with the role dropdown gone.
* Stripped RBAC surfaces: Members/Groups panels, view_user RBAC panels,
  profile.html Global Role + Groups, add_user.html Global Role, the
  left-nav Groups link, and the three System Settings default_group
  fields — all replaced with named {% block %} hooks Pro overrides.
* V2 REST API: eight RBAC endpoints + four aliases removed from OS;
  Pro re-registers them (including the new pro/roles/api hook for
  /api/v2/roles/).
* Authorization helper: is_staff bypass restored for
  user_has_configuration_permission.
* User UI/API: is_staff field added to UserSerializer, AddDojoUserForm,
  EditDojoUserForm with superuser-only write enforcement.

Pro changelog entry restated to a single comprehensive bullet covering
all of the above.
diff --git a/docs/content/releases/os_upgrading/2.58.md b/docs/content/releases/os_upgrading/2.58.md
@@ -2,35 +2,184 @@
 title: 'Upgrading to DefectDojo Version 2.58.x'
 toc_hide: true
 weight: -20260504
-description: Authorized Users panel replaces Members/Groups under legacy authorization; Notification .tpl templates relocated under dojo/notifications/
+description: Legacy authorization UI / API rewrite (Open Source); Notification .tpl templates relocated under dojo/notifications/
 ---
 
-## Authorized Users panel replaces Members/Groups under legacy authorization
+## Legacy authorization rewrite — UI and API
 
-Open Source DefectDojo uses the legacy (pre-2020) authorization model: access to a Product is granted by `Product.authorized_users` (with cascade via `Product_Type.authorized_users`), and `is_staff` / `is_superuser` bypass everything. The classic Django-template UI previously rendered "Members" and "Groups" panels driven by the RBAC tables (`Product_Member`, `Product_Type_Member`, `Product_Group`, `Product_Type_Group`), which legacy authorization does not consult — making those panels read-only and the "Add Users" / "Add Groups" actions a silent failure. They wrote rows to the RBAC tables but did not grant any access.
-
-In 2.58 the classic UI replaces both panels with a single **"Authorized Users"** panel on the Product and Product Type detail pages. The panel reads from and writes to `Product.authorized_users` / `Product_Type.authorized_users` directly, so adding a user actually grants them the access the UI suggests it does. The "Groups" entry has also been removed from the **Users** dropdown in the left navigation, since `Dojo_Group` is inert under legacy authorization.
-
-This applies to both the Bootstrap (Classic) and Tailwind opt-in UI trees.
-
-### New endpoints
-
-- `GET/POST /product/<pid>/authorized_users/add` — list / add users to `Product.authorized_users`
-- `POST /product/<pid>/authorized_users/<user_id>/delete` — remove a user
-- `GET/POST /product/type/<ptid>/authorized_users/add` — same for `Product_Type.authorized_users`
-- `POST /product/type/<ptid>/authorized_users/<user_id>/delete`
-
-Both endpoints are gated on `Permissions.Product_Manage_Members` / `Permissions.Product_Type_Manage_Members`, which under legacy authorization map to `Action.StaffOnly` — so only `is_staff` / `is_superuser` users can add or remove. Non-staff users see the panel but no management actions.
+DefectDojo Open Source uses the legacy (pre-2020) authorization model:
+access to a Product is granted by `Product.authorized_users` (with cascade
+via `Product_Type.authorized_users`), and `is_staff` / `is_superuser` bypass
+everything. The RBAC tables (`Product_Member`, `Product_Type_Member`,
+`Product_Group`, `Product_Type_Group`, `Dojo_Group_Member`, `Global_Role`)
+remain in the schema for forward-compatibility with DefectDojo Pro but are
+inert in OS deployments.
+
+Prior to 2.58, the classic Django-template UI and the v2 REST API still
+surfaced these inert RBAC tables — Members/Groups panels that always
+returned "No members found", "Add Users" hamburgers that wrote `Product_Member`
+rows nobody consulted, role dropdowns, etc. The 2.58 rewrite aligns the UI
+and API with the legacy contract: surfaces that drive `authorized_users`
+stay (or get added), surfaces that drive RBAC tables are stripped from OS
+and exposed as `{% block %}` hooks for Pro to override. All template
+changes apply to **both** the Bootstrap (Classic) and Tailwind opt-in UI
+trees.
+
+### Authorized Users panel on Product and Product Type detail
+
+Replaces the inert Members/Groups panels on `view_product_details.html` and
+`view_product_type.html`. The new panel reads from and writes to
+`Product.authorized_users` / `Product_Type.authorized_users` directly.
+
+New endpoints (gated on `Permissions.Product_Manage_Members` /
+`Permissions.Product_Type_Manage_Members`, which under legacy map to
+`Action.StaffOnly`):
+
+| Method   | Path                                                              | Action                                              |
+| ---      | ---                                                               | ---                                                 |
+| GET/POST | `/product/<pid>/authorized_users/add`                             | List form / add users to `authorized_users`         |
+| POST     | `/product/<pid>/authorized_users/<user_id>/delete`                | Remove user                                         |
+| GET/POST | `/product/type/<ptid>/authorized_users/add`                       | Same for `Product_Type.authorized_users`            |
+| POST     | `/product/type/<ptid>/authorized_users/<user_id>/delete`          | Remove user                                         |
+
+The old `add_product_member` / `add_product_type_member` URLs and views
+still exist (Pro uses them) but no longer have an OS UI entry.
+
+### View User read-only access listing + legacy authorize/revoke
+
+The "Product Types this User can access" and "Products this User can
+access" panels on `/user/<id>/` now iterate `authorized_users`-backed data
+under OS:
+
+* Listing: `Product_Type.objects.filter(authorized_users=user)` and the
+  product cascade (direct membership *or* product_type membership).
+* Add hamburger (staff only) → multi-select form, **no role dropdown**.
+* Per-row trash button (staff only) → revokes the user from the row's
+  `authorized_users` (no `Product_Member` writes).
+
+New endpoints (all gated on `is_staff`):
+
+| Method   | Path                                                  | Action                                                      |
+| ---      | ---                                                   | ---                                                         |
+| GET/POST | `/user/<uid>/authorize_products`                      | Add user to one or more `Product.authorized_users`          |
+| GET/POST | `/user/<uid>/authorize_product_types`                 | Add user to one or more `Product_Type.authorized_users`     |
+| POST     | `/user/<uid>/revoke_product/<pid>`                    | Remove user from `product.authorized_users`                 |
+| POST     | `/user/<uid>/revoke_product_type/<ptid>`              | Remove user from `product_type.authorized_users`            |
+
+The OS forms have no role field. Under legacy, access is binary
+membership; "role" is RBAC-only.
+
+### Stripped RBAC surfaces (now `{% block %}` hooks)
+
+The following RBAC-only UI is removed from OS templates and replaced with
+empty `{% block %}` placeholders that Pro overrides via
+`pro/templates/dojo/...`:
+
+| Template                                            | Block(s)                                                                |
+| ---                                                 | ---                                                                     |
+| `view_product_details.html`                         | `rbac_members_panel`, `rbac_groups_panel`                               |
+| `view_product_type.html`                            | `rbac_members_panel`, `rbac_groups_panel`                               |
+| `base.html` (left nav, "Users" dropdown)            | `groups_submenu_link`                                                   |
+| `view_user.html` (RBAC view)                        | `user_product_types_panel`, `user_products_panel`, `user_groups_panel`  |
+| `profile.html` (Global Role fieldset + Groups)      | `global_role_form`, `profile_groups_panel`                              |
+| `add_user.html` (Global Role fieldset)              | `global_role_form`                                                      |
+
+Re-apply any in-tree patch / Docker mount overrides against the new block
+structure.
+
+### System Settings — RBAC defaults removed
+
+`SystemSettingsForm` and `SystemSettingsSerializer` now `Meta.exclude` the
+three RBAC-only auto-assignment fields:
+
+* `default_group`
+* `default_group_role`
+* `default_group_email_pattern`
+
+These auto-add new users to a `Dojo_Group` at login — `Dojo_Group_Member`
+is inert under legacy, so the fields drove nothing. The model fields
+remain so Pro can subclass the form/serializer to re-add them.
+
+### V2 REST API — RBAC endpoints removed from OS
+
+Eight RBAC `v2_api.register(...)` calls in `dojo/urls.py` and four alias
+registrations in `dojo/asset/api/urls.py` / `dojo/organization/api/urls.py`
+are removed. ViewSets and serializers stay in `dojo/api_v2/{views,serializers}.py`
+so Pro can keep subclassing them.
+
+| Removed prefix              | Pro replacement                              |
+| ---                         | ---                                          |
+| `/api/v2/dojo_groups/`      | `pro/groups`                                 |
+| `/api/v2/dojo_group_members/` | `pro/group_members`                        |
+| `/api/v2/global_roles/`     | `pro/global_roles`                           |
+| `/api/v2/product_groups/`   | `pro/product_groups`                         |
+| `/api/v2/product_members/`  | `pro/product_members`                        |
+| `/api/v2/product_type_groups/` | `pro/product_type_groups`                 |
+| `/api/v2/product_type_members/` | `pro/product_type_members`               |
+| `/api/v2/roles/`            | `pro/roles`                                  |
+| `/api/v2/asset_groups/`, `/api/v2/asset_members/` | (Removed; aliases for `product_groups` / `product_members`)  |
+| `/api/v2/organization_groups/`, `/api/v2/organization_members/` | (Removed; aliases for `product_type_groups` / `product_type_members`) |
+
+The corresponding test classes were removed from
+`unittests/test_rest_framework.py`; equivalent coverage lives in
+`dojo-pro/dojo-pro/unit_tests/api/<endpoint>/`.
+
+**Required action for OS API consumers:** if you call any of the removed
+endpoints, you have three options: (1) install Pro, which re-registers
+all eight, (2) drive access exclusively through
+`/api/v2/users/` writes to `is_staff` plus the new
+`Product.authorized_users` / `Product_Type.authorized_users` endpoints
+above, or (3) maintain a local fork that keeps the registrations.
+
+### Authorization helper — `is_staff` bypass for configuration permissions
+
+`dojo.authorization.authorization.user_has_configuration_permission` now
+honors the `is_superuser` / `is_staff` bypass at the top of the function,
+matching the rest of the legacy authorization contract (`user_has_permission`
+and `user_has_global_permission` already had it). Django's
+`user.has_perm(permission)` is consulted as a fallback so explicit grants
+on non-staff users keep working.
+
+This means a non-superuser staff user no longer needs explicit `auth.X`
+grants to reach UI/API surfaces gated on configuration permissions
+(`/user`, `/group`, `/api/v2/users/`, etc.).
+
+### `is_staff` is now editable through the UI and API
+
+* `UserSerializer.Meta.fields` adds `is_staff`. `/api/v2/users/` is already
+  superuser-only (via `UserHasConfigurationPermissionSuperuser`), so the
+  field doesn't open a privilege-escalation hole.
+* `AddDojoUserForm` and `EditDojoUserForm` add `is_staff`. The widget is
+  `disabled` for non-superusers; the views `add_user` / `edit_user` reject
+  the save with an error message if a non-superuser tries to grant or
+  revoke staff.
 
 ### Required actions
 
-- **No data migration required.** Migration `dojo.0267_backfill_authorized_users` (shipped in 2.57) already populated `authorized_users` from the prior RBAC tables, so existing access is preserved.
-- **If you have a Docker volume mount or in-tree patch overriding `dojo/templates_classic/dojo/view_product_details.html`, `view_product_type.html`, or `base.html`:** the Members/Groups panel HTML and the Groups submenu link were removed from these files and replaced with `{% block rbac_members_panel %}{% endblock %}`, `{% block rbac_groups_panel %}{% endblock %}`, `{% block authorized_users_panel %}{% endblock %}`, and `{% block groups_submenu_link %}{% endblock %}` placeholders. Re-apply your override against the new structure, or override the relevant blocks.
-- **If you customized `add_product_member` / `add_product_type_member` URL views:** those URLs still exist and are unchanged; they just no longer have a corresponding entry in the classic UI.
+* **No data migration required.** Migration `dojo.0267_backfill_authorized_users`
+  (shipped in 2.57) already populated `authorized_users` from the prior RBAC
+  tables, so existing access is preserved.
+* **If you have a Docker volume mount or in-tree patch overriding any of
+  the listed templates** (`view_product_details.html`,
+  `view_product_type.html`, `base.html`, `view_user.html`, `profile.html`,
+  `add_user.html`): re-apply against the new `{% block %}` structure, or
+  override the relevant blocks from a parent template.
+* **If you call removed v2 API endpoints**: see the table above.
+* **If you customized `SystemSettingsForm` / `SystemSettingsSerializer`**:
+  the three default-group fields are gone; re-add via subclass.
+* **If you depend on `auth.X` configuration grants on non-staff users**:
+  no change. `user.has_perm(permission)` is still consulted.
 
 ### Pro customers are not impacted
 
-DefectDojo Pro deployments retain full RBAC. The Pro app overrides the new template blocks (`rbac_members_panel`, `rbac_groups_panel`, `groups_submenu_link`) to re-render the Members and Groups panels and the Groups link, and overrides `authorized_users_panel` to empty so the new panel does not appear. The Pro UX is unchanged — same Members/Groups management surface as before.
+DefectDojo Pro retains full RBAC. Pro overrides every new `{% block %}`
+hook to re-render the RBAC-driven panels, restores the Groups left-nav
+link, re-registers all eight RBAC v2 API endpoints (plus a new
+`pro/roles/api` for `/api/v2/roles/`), and runtime-shadows
+`user_has_permission` / `user_has_global_permission` /
+`user_has_configuration_permission` so configuration permissions follow Pro
+RBAC rather than the OS `is_staff` bypass. The Pro UX and API are
+unchanged.
 
 ## Notification `.tpl` templates relocated
 
diff --git a/docs/content/releases/pro/changelog.md b/docs/content/releases/pro/changelog.md
@@ -14,7 +14,7 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ### May 4, 2026: v2.58.0
 
-* **(Authorization)** Pro deployments are **not impacted** by the OS UI rework that replaces the Product/Product Type Members/Groups panels with an Authorized Users panel. Pro retains full RBAC: the Members and Groups management panels and the Groups left-nav link continue to render unchanged, driven by Pro's RBAC tables via Pro template overrides.
+* **(Authorization)** Pro deployments are **not impacted** by the OS legacy authorization rewrite. Pro retains full RBAC: the Members / Groups panels on Product and Product Type detail, the Groups panel + Global Role fieldset on the user view / profile / add user pages, the Group Members panel on the user view, the Groups link in the left-nav, and the System Settings default-group fields all continue to render unchanged, driven by Pro RBAC via template overrides at `pro/templates/dojo/`. The eight RBAC v2 API endpoints (`/api/v2/dojo_groups/`, `/api/v2/dojo_group_members/`, `/api/v2/global_roles/`, `/api/v2/product_groups/`, `/api/v2/product_members/`, `/api/v2/product_type_groups/`, `/api/v2/product_type_members/`, `/api/v2/roles/`) are re-registered by Pro's `add_*_urls` hooks. Pro's runtime authorization shadowing in `pro/apps.py:DojoProConfig.ready()` continues to govern object, global, and configuration permissions, so the OS-side `is_staff` bypass for configuration permissions does not affect Pro semantics.
 
 ## Apr 2026: v2.57
 
