feat(authorization): reintroduce authorized_users M2M on Product / Product_Type

devGregA · claude · devGregA · commit 535b1bcdc8e8 · 2026-04-29T19:00:19.000-06:00
Forward-only schema migration adding authorized_users = M2M(Dojo_User) back to Product and Product_Type. This is the foundation field for the legacy permission model rewrite that replaces the RBAC role hierarchy with simple membership checks (is_superuser, is_staff, or in authorized_users). The field was originally on these models pre-DefectDojo#3757 (AuthZv2.0, late 2020) and was removed in 0138_remove_authorized_users.py once auth-v2 became the canonical authorization system. Reintroducing it now is the first step toward unwinding auth-v2 from the upstream codebase while preserving backward compatibility for installations that still want the RBAC tier (those will continue to be served by the dojo-pro plugin). This is a pure additive migration. The auth_role / dojo_global_role / dojo_product_member / dojo_product_group / dojo_product_type_member / dojo_product_type_group / dojo_dojo_group_member tables remain in the database; they will be released from dojo's app state by a follow-up SeparateDatabaseAndState migration so dojo-pro can adopt them. Subsequent commits will: - rewrite dojo/authorization/ contents to the legacy model - add a data migration backfilling authorized_users from RBAC tables - simplify ~117 callers and ~47 templates to the legacy action vocabulary Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/dojo/db_migrations/0266_reintroduce_authorized_users.py b/dojo/db_migrations/0266_reintroduce_authorized_users.py
@@ -0,0 +1,23 @@
+# Generated by Django 5.2.13 on 2026-04-30 00:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0265_usercontactinfo_ui_use_tailwind'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='product',
+            name='authorized_users',
+            field=models.ManyToManyField(blank=True, related_name='authorized_products', to='dojo.dojo_user'),
+        ),
+        migrations.AddField(
+            model_name='product_type',
+            name='authorized_users',
+            field=models.ManyToManyField(blank=True, related_name='authorized_product_types', to='dojo.dojo_user'),
+        ),
+    ]
diff --git a/dojo/models.py b/dojo/models.py
@@ -833,6 +833,7 @@ class Product_Type(BaseModel):
     key_product = models.BooleanField(default=False)
     members = models.ManyToManyField(Dojo_User, through="Product_Type_Member", related_name="prod_type_members", blank=True)
     authorization_groups = models.ManyToManyField(Dojo_Group, through="Product_Type_Group", related_name="product_type_groups", blank=True)
+    authorized_users = models.ManyToManyField(Dojo_User, related_name="authorized_product_types", blank=True)
 
     class Meta:
         ordering = ("name",)
@@ -1169,6 +1170,7 @@ class Product(BaseModel):
     tid = models.IntegerField(default=0, editable=False)
     members = models.ManyToManyField(Dojo_User, through="Product_Member", related_name="product_members", blank=True)
     authorization_groups = models.ManyToManyField(Dojo_Group, through="Product_Group", related_name="product_groups", blank=True)
+    authorized_users = models.ManyToManyField(Dojo_User, related_name="authorized_products", blank=True)
     prod_numeric_grade = models.IntegerField(null=True, blank=True)
 
     # Metadata
