remove orphaned OrganizationMember V3 API ViewSet, serializer, filter, and permission

devGregA · devGregA · commit 3faf5e15bb74 · 2026-05-07T16:57:06.000-06:00
Same shape as the AssetMember removal: organization_members was never
registered with v2_api. The OrganizationMemberViewSet (with its
destroy() owner-count guard), OrganizationMemberSerializer (with the
last-owner check + Owner-add gate), OrganizationMemberFilterSet, and
UserHasOrganizationMemberPermission classes have lived on as dead code
that touches the Product_Type_Member RBAC model. Drop them and the
get_authorized_product_type_members import that was their last consumer
in this module.
diff --git a/dojo/authorization/api_permissions.py b/dojo/authorization/api_permissions.py
@@ -571,25 +571,6 @@ def has_object_permission(self, request, view, obj):
         )
 
 
-class UserHasOrganizationMemberPermission(permissions.BasePermission):
-    def has_permission(self, request, view):
-        return check_post_permission(
-            request,
-            Product_Type,
-            "organization",
-            "staff_only",
-        )
-
-    def has_object_permission(self, request, view, obj):
-        return check_object_permission(
-            request,
-            obj,
-            "view",
-            "staff_only",
-            "delete",
-        )
-
-
 class UserHasOrganizationGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
diff --git a/dojo/organization/api/filters.py b/dojo/organization/api/filters.py
@@ -3,7 +3,6 @@
 
 from dojo.authorization.models import (
     Product_Type_Group,
-    Product_Type_Member,
 )
 from dojo.labels import get_labels
 from dojo.models import Product_Type
@@ -20,14 +19,6 @@ class Meta:
         fields = ("id", "name", "created", "updated")
 
 
-class OrganizationMemberFilterSet(FilterSet):
-    organization_id = NumberFilter(field_name="product_type_id")
-
-    class Meta:
-        model = Product_Type_Member
-        fields = ("id", "user_id")
-
-
 class OrganizationGroupFilterSet(FilterSet):
     asset_type_id = NumberFilter(field_name="product_type_id")
 
diff --git a/dojo/organization/api/serializers.py b/dojo/organization/api/serializers.py
@@ -4,7 +4,6 @@
 from dojo.authorization.authorization import user_has_permission
 from dojo.authorization.models import (
     Product_Type_Group,
-    Product_Type_Member,
 )
 from dojo.models import Product_Type
 from dojo.product_type.queries import get_authorized_product_types
@@ -15,61 +14,6 @@ def get_queryset(self):
         return get_authorized_product_types("view")
 
 
-class OrganizationMemberSerializer(serializers.ModelSerializer):
-    organization = RelatedOrganizationField(source="product_type")
-
-    class Meta:
-        model = Product_Type_Member
-        exclude = ("product_type",)
-
-    def validate(self, data):
-        if (
-            self.instance is not None
-            and data.get("organization") != self.instance.product_type
-            and not user_has_permission(
-                self.context["request"].user,
-                data.get("organization"),
-                "staff_only",
-            )
-        ):
-            msg = "You are not permitted to add a member to this Organization"
-            raise PermissionDenied(msg)
-
-        if (
-            self.instance is None
-            or data.get("organization") != self.instance.product_type
-            or data.get("user") != self.instance.user
-        ):
-            members = Product_Type_Member.objects.filter(
-                product_type=data.get("organization"), user=data.get("user"),
-            )
-            if members.count() > 0:
-                msg = "Organization Member already exists"
-                raise ValidationError(msg)
-
-        if self.instance is not None and not data.get("role").is_owner:
-            owners = (
-                Product_Type_Member.objects.filter(
-                    product_type=data.get("organization", data.get("product_type")), role__is_owner=True,
-                )
-                .exclude(id=self.instance.id)
-                .count()
-            )
-            if owners < 1:
-                msg = "There must be at least one owner"
-                raise ValidationError(msg)
-
-        if data.get("role").is_owner and not user_has_permission(
-            self.context["request"].user,
-            data.get("organization"),
-            "staff_only",
-        ):
-            msg = "You are not permitted to add a member as Owner to this Organization"
-            raise PermissionDenied(msg)
-
-        return data
-
-
 class OrganizationGroupSerializer(serializers.ModelSerializer):
     organization = RelatedOrganizationField(source="product_type")
 
diff --git a/dojo/organization/api/views.py b/dojo/organization/api/views.py
@@ -10,18 +10,15 @@
 from dojo.authorization import api_permissions as permissions
 from dojo.authorization.models import (
     Product_Type_Group,
-    Product_Type_Member,
 )
 from dojo.models import Product_Type
 from dojo.organization.api import serializers
 from dojo.organization.api.filters import (
     OrganizationFilterSet,
     OrganizationGroupFilterSet,
-    OrganizationMemberFilterSet,
 )
 from dojo.product_type.queries import (
     get_authorized_product_type_groups,
-    get_authorized_product_type_members,
     get_authorized_product_types,
 )
 from dojo.utils import async_delete, get_setting
@@ -93,48 +90,6 @@ def generate_report(self, request, pk=None):
         return Response(report.data)
 
 
-# Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
-class OrganizationMemberViewSet(
-    PrefetchDojoModelViewSet,
-):
-    serializer_class = serializers.OrganizationMemberSerializer
-    queryset = Product_Type_Member.objects.none()
-    filter_backends = (DjangoFilterBackend,)
-    filterset_class = OrganizationMemberFilterSet
-    permission_classes = (
-        IsAuthenticated,
-        permissions.UserHasOrganizationMemberPermission,
-    )
-
-    def get_queryset(self):
-        return get_authorized_product_type_members(
-            "view",
-        ).distinct()
-
-    def destroy(self, request, *args, **kwargs):
-        instance = self.get_object()
-        if instance.role.is_owner:
-            owners = Product_Type_Member.objects.filter(
-                product_type=instance.product_type, role__is_owner=True,
-            ).count()
-            if owners <= 1:
-                return Response(
-                    "There must be at least one owner",
-                    status=status.HTTP_400_BAD_REQUEST,
-                )
-        self.perform_destroy(instance)
-        return Response(status=status.HTTP_204_NO_CONTENT)
-
-    @extend_schema(
-        exclude=True,
-    )
-    def partial_update(self, request, pk=None):
-        # Object authorization won't work if not all data is provided
-        response = {"message": "Patch function is not offered in this path."}
-        return Response(response, status=status.HTTP_405_METHOD_NOT_ALLOWED)
-
-
 # Authorization: object-based
 @extend_schema_view(**schema_with_prefetch())
 class OrganizationGroupViewSet(
