fix(authorization): restore is_staff bypass for configuration permissions

Under legacy authorization, is_staff is the catch-all bypass for object
and global permissions (see dojo/authorization/authorization.py
docstring + the existing user_has_global_permission code path). The
configuration-permission helper was the odd one out — it delegated
straight to Django's user.has_perm() and ignored is_staff, so a staff
user without explicit auth.* grants was 403'd by views and viewsets
gated on user_is_configuration_authorized / user_has_configuration_-
permission_or_403 (e.g. /user, /group, /api/v2/users/, etc.).

Add the is_staff (and is_superuser) bypass so configuration permissions
match the rest of the legacy contract. Django's user.has_perm() stays
as the fallback so explicit grants on non-staff users continue to work.

Pro overrides this function at runtime via
pro/apps.py:_shadow_authorization_symbols, so the OS bypass does not
leak into Pro deployments where RBAC governs configuration access.

Author: devGregA

dojo/authorization/authorization.py

@@ -59,10 +59,21 @@
 
 
 def user_has_configuration_permission(user: Dojo_User, permission: str):
+    """
+    Legacy: configuration permissions reduce to is_superuser / is_staff,
+    matching the rest of the legacy auth model. ``user.has_perm`` is
+    still consulted as a fallback so explicit Django permission grants
+    (e.g. ``auth.add_user`` granted via Django Admin) keep working for
+    non-staff users. Pro overrides this function at runtime via
+    pro/apps.py:_shadow_authorization_symbols, so this OS bypass does
+    not affect Pro deployments.
+    """
     if not user:
         return False
     if user.is_anonymous:
         return False
+    if user.is_superuser or user.is_staff:
+        return True
     return user.has_perm(permission)
 
 

unittests/authorization/test_authorization.py

@@ -291,7 +291,11 @@ def test_dojo_add_product_type_carveout(self):
 
 class TestUserHasConfigurationPermission(LegacyAuthorizationBaseTestCase):
 
-    """Configuration permissions delegate to Django's user.has_perm()."""
+    """
+    Configuration permissions reduce to is_superuser / is_staff under
+    legacy authorization, with Django's ``user.has_perm`` consulted as
+    a fallback for explicit grants on non-staff users.
+    """
 
     def test_anonymous_denied(self):
         self.assertFalse(user_has_configuration_permission(None, "dojo.add_product_type"))
@@ -304,6 +308,21 @@ def test_user_without_perm(self):
         self.member.has_perm = Mock(return_value=False)
         self.assertFalse(user_has_configuration_permission(self.member, "dojo.add_product_type"))
 
+    def test_staff_bypasses_without_django_perm(self):
+        # is_staff is the legacy bypass for configuration permissions —
+        # mirrors the pre-2020 behavior where staff was an absolute
+        # bypass on every perm_type. has_perm is not consulted here.
+        self.staff.has_perm = Mock(return_value=False)
+        self.assertTrue(user_has_configuration_permission(self.staff, "auth.view_user"))
+        self.assertTrue(user_has_configuration_permission(self.staff, "auth.delete_user"))
+        self.assertTrue(user_has_configuration_permission(self.staff, "auth.view_group"))
+        self.staff.has_perm.assert_not_called()
+
+    def test_superuser_bypasses_without_django_perm(self):
+        self.superuser.has_perm = Mock(return_value=False)
+        self.assertTrue(user_has_configuration_permission(self.superuser, "auth.view_user"))
+        self.superuser.has_perm.assert_not_called()
+
 
 class TestRoleHelpersAreInertUnderLegacy(DojoTestCase):