remove OS UI for product members

Drop the classic /asset/<pid>/add_member, /asset/member/<mid>/{edit,delete}
(and matching /product/* aliases) routes, the three view functions in
dojo/product/views.py, and the Add_Product_MemberForm,
Edit_Product_MemberForm, and Delete_Product_MemberForm classes. Both the
Tailwind and Bootstrap (templates_classic) copies of the corresponding
templates are removed. Pro takes ownership of these classic screens via
pro/product_members/* (committed separately in dojo-pro).

Drive-by fix in delete_technology: swap the misplaced Delete_Product_MemberForm
for DeleteAppAnalysisForm. The existing line bound a Product_Member form to
an App_Analysis instance, which only worked because the view never read the
form's cleaned_data — it just deletes the instance. With Delete_Product_MemberForm
removed, the form has to be the right one anyway.

Author: devGregA

dojo/asset/urls.py

@@ -123,21 +123,6 @@
             views.delete_engagement_presets,
             name="delete_engagement_presets",
         ),
-        re_path(
-            r"^asset/(?P<pid>\d+)/add_member$",
-            views.add_product_member,
-            name="add_product_member",
-        ),
-        re_path(
-            r"^asset/member/(?P<memberid>\d+)/edit$",
-            views.edit_product_member,
-            name="edit_product_member",
-        ),
-        re_path(
-            r"^asset/member/(?P<memberid>\d+)/delete$",
-            views.delete_product_member,
-            name="delete_product_member",
-        ),
         re_path(
             r"^asset/(?P<pid>\d+)/add_api_scan_configuration$",
             views.add_api_scan_configuration,
@@ -180,9 +165,6 @@
         re_path(r"^product/(?P<pid>\d+)/engagement_presets/(?P<eid>\d+)/edit$", redirect_view("edit_engagement_presets")),
         re_path(r"^product/(?P<pid>\d+)/engagement_presets/add$", redirect_view("add_engagement_presets")),
         re_path(r"^product/(?P<pid>\d+)/engagement_presets/(?P<eid>\d+)/delete$", redirect_view("delete_engagement_presets")),
-        re_path(r"^product/(?P<pid>\d+)/add_member$", redirect_view("add_product_member")),
-        re_path(r"^product/member/(?P<memberid>\d+)/edit$", redirect_view("edit_product_member")),
-        re_path(r"^product/member/(?P<memberid>\d+)/delete$", redirect_view("delete_product_member")),
         re_path(r"^product/(?P<pid>\d+)/add_api_scan_configuration$", redirect_view("add_api_scan_configuration")),
         re_path(r"^product/(?P<pid>\d+)/view_api_scan_configurations$", redirect_view("view_api_scan_configurations")),
         re_path(r"^product/(?P<pid>\d+)/edit_api_scan_configuration/(?P<pascid>\d+)$", redirect_view("edit_api_scan_configuration")),
@@ -239,12 +221,6 @@
                 name="add_engagement_presets"),
         re_path(r"^product/(?P<pid>\d+)/engagement_presets/(?P<eid>\d+)/delete$", views.delete_engagement_presets,
                 name="delete_engagement_presets"),
-        re_path(r"^product/(?P<pid>\d+)/add_member$", views.add_product_member,
-                name="add_product_member"),
-        re_path(r"^product/member/(?P<memberid>\d+)/edit$", views.edit_product_member,
-                name="edit_product_member"),
-        re_path(r"^product/member/(?P<memberid>\d+)/delete$", views.delete_product_member,
-                name="delete_product_member"),
         re_path(r"^product/(?P<pid>\d+)/authorized_users/add$",
                 views.add_product_authorized_users,
                 name="add_product_authorized_users"),
@@ -284,9 +260,6 @@
         re_path(r"^asset/(?P<pid>\d+)/engagement_presets/add$", redirect_view("add_engagement_presets")),
         re_path(r"^asset/(?P<pid>\d+)/engagement_presets/(?P<eid>\d+)/delete$",
                 redirect_view("delete_engagement_presets")),
-        re_path(r"^asset/(?P<pid>\d+)/add_member$", redirect_view("add_product_member")),
-        re_path(r"^asset/member/(?P<memberid>\d+)/edit$", redirect_view("edit_product_member")),
-        re_path(r"^asset/member/(?P<memberid>\d+)/delete$", redirect_view("delete_product_member")),
         re_path(r"^asset/(?P<pid>\d+)/add_api_scan_configuration$", redirect_view("add_api_scan_configuration")),
         re_path(r"^asset/(?P<pid>\d+)/view_api_scan_configurations$", redirect_view("view_api_scan_configurations")),
         re_path(r"^asset/(?P<pid>\d+)/edit_api_scan_configuration/(?P<pascid>\d+)$",

dojo/forms.py

@@ -446,37 +446,6 @@ class Meta:
         fields = ["id"]
 
 
-class Edit_Product_MemberForm(forms.ModelForm):
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["product"].disabled = True
-        self.fields["product"].label = labels.ASSET_LABEL
-        self.fields["user"].queryset = Dojo_User.objects.order_by("first_name", "last_name")
-        self.fields["user"].disabled = True
-
-    class Meta:
-        model = Product_Member
-        fields = ["product", "user", "role"]
-
-
-class Add_Product_MemberForm(forms.ModelForm):
-    users = forms.ModelMultipleChoiceField(queryset=Dojo_User.objects.none(), required=True, label="Users")
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["product"].disabled = True
-        self.fields["product"].label = labels.ASSET_LABEL
-        current_members = Product_Member.objects.filter(product=self.initial["product"]).values_list("user", flat=True)
-        self.fields["users"].queryset = Dojo_User.objects.exclude(
-            Q(is_superuser=True)
-            | Q(id__in=current_members)).exclude(is_active=False).order_by("first_name", "last_name")
-
-    class Meta:
-        model = Product_Member
-        fields = ["product", "users", "role"]
-
-
 class Add_Product_AuthorizedUsersForm(forms.Form):
     users = forms.ModelMultipleChoiceField(
         queryset=Dojo_User.objects.none(), required=True, label="Users",
@@ -521,12 +490,6 @@ def __init__(self, *args, user=None, **kwargs):
         )
 
 
-class Delete_Product_MemberForm(Edit_Product_MemberForm):
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["role"].disabled = True
-
-
 class NoteTypeForm(forms.ModelForm):
     description = forms.CharField(widget=forms.Textarea(attrs={}),
                                   required=True)

dojo/product/views.py

@@ -26,10 +26,7 @@
 from github import Github
 
 import dojo.finding.helper as finding_helper
-from dojo.authorization.authorization import user_has_permission, user_has_permission_or_403
-from dojo.authorization.models import (
-    Product_Member,
-)
+from dojo.authorization.authorization import user_has_permission_or_403
 from dojo.authorization.roles_permissions import Permissions
 from dojo.components.sql_group_concat import Sql_GroupConcat
 from dojo.filters import (
@@ -47,16 +44,13 @@
 )
 from dojo.forms import (
     Add_Product_AuthorizedUsersForm,
-    Add_Product_MemberForm,
     AdHocFindingForm,
     AppAnalysisForm,
-    Delete_Product_MemberForm,
     DeleteAppAnalysisForm,
     DeleteEngagementPresetsForm,
     DeleteProduct_API_Scan_ConfigurationForm,
     DeleteProductForm,
     DojoMetaFormSet,
-    Edit_Product_MemberForm,
     EngagementPresetsForm,
     EngForm,
     GITHUB_Product_Form,
@@ -1234,7 +1228,7 @@ def delete_technology(request, tid):
     technology = get_object_or_404(App_Analysis, id=tid)
     form = DeleteAppAnalysisForm(instance=technology)
     if request.method == "POST":
-        form = Delete_Product_MemberForm(request.POST, instance=technology)
+        form = DeleteAppAnalysisForm(request.POST, instance=technology)
         technology = form.instance
         technology.delete()
         messages.add_message(request,
@@ -1666,101 +1660,6 @@ def edit_notifications(request, pid):
     return HttpResponseRedirect(reverse("view_product", args=(pid,)))
 
 
-def add_product_member(request, pid):
-    product = get_object_or_404(Product, pk=pid)
-    memberform = Add_Product_MemberForm(initial={"product": product.id})
-    page_name = str(labels.ASSET_USERS_MEMBER_ADD_LABEL)
-    if request.method == "POST":
-        memberform = Add_Product_MemberForm(request.POST, initial={"product": product.id})
-        if memberform.is_valid():
-            if memberform.cleaned_data["role"].is_owner and not user_has_permission(request.user, product,
-                                                                                    "staff_only"):
-                messages.add_message(request,
-                                     messages.WARNING,
-                                     _("You are not permitted to add users as owners."),
-                                     extra_tags="alert-warning")
-            else:
-                if "users" in memberform.cleaned_data and len(memberform.cleaned_data["users"]) > 0:
-                    for user in memberform.cleaned_data["users"]:
-                        existing_members = Product_Member.objects.filter(product=product, user=user)
-                        if existing_members.count() == 0:
-                            product_member = Product_Member()
-                            product_member.product = product
-                            product_member.user = user
-                            product_member.role = memberform.cleaned_data["role"]
-                            product_member.save()
-                messages.add_message(request,
-                                     messages.SUCCESS,
-                                     labels.ASSET_USERS_MEMBER_ADD_SUCCESS_MESSAGE,
-                                     extra_tags="alert-success")
-                return HttpResponseRedirect(reverse("view_product", args=(pid,)))
-    product_tab = Product_Tab(product, title=page_name, tab="settings")
-    return render(request, "dojo/new_product_member.html", {
-        "name": page_name,
-        "product": product,
-        "form": memberform,
-        "product_tab": product_tab,
-    })
-
-
-def edit_product_member(request, memberid):
-    member = get_object_or_404(Product_Member, pk=memberid)
-    memberform = Edit_Product_MemberForm(instance=member)
-    page_name = str(labels.ASSET_USERS_MEMBER_UPDATE_LABEL)
-    if request.method == "POST":
-        memberform = Edit_Product_MemberForm(request.POST, instance=member)
-        if memberform.is_valid():
-            if member.role.is_owner and not user_has_permission(request.user, member.product,
-                                                                "staff_only"):
-                messages.add_message(request,
-                                     messages.WARNING,
-                                     _("You are not permitted to make users to owners."),
-                                     extra_tags="alert-warning")
-            else:
-                memberform.save()
-                messages.add_message(request,
-                                     messages.SUCCESS,
-                                     labels.ASSET_USERS_MEMBER_UPDATE_SUCCESS_MESSAGE,
-                                     extra_tags="alert-success")
-                if is_title_in_breadcrumbs("View User"):
-                    return HttpResponseRedirect(reverse("view_user", args=(member.user.id,)))
-                return HttpResponseRedirect(reverse("view_product", args=(member.product.id,)))
-    product_tab = Product_Tab(member.product, title=page_name, tab="settings")
-    return render(request, "dojo/edit_product_member.html", {
-        "name": page_name,
-        "memberid": memberid,
-        "form": memberform,
-        "product_tab": product_tab,
-    })
-
-
-def delete_product_member(request, memberid):
-    member = get_object_or_404(Product_Member, pk=memberid)
-    memberform = Delete_Product_MemberForm(instance=member)
-    page_name = str(labels.ASSET_USERS_MEMBER_DELETE_LABEL)
-    if request.method == "POST":
-        memberform = Delete_Product_MemberForm(request.POST, instance=member)
-        member = memberform.instance
-        user = member.user
-        member.delete()
-        messages.add_message(request,
-                             messages.SUCCESS,
-                             labels.ASSET_USERS_MEMBER_DELETE_SUCCESS_MESSAGE,
-                             extra_tags="alert-success")
-        if is_title_in_breadcrumbs("View User"):
-            return HttpResponseRedirect(reverse("view_user", args=(member.user.id,)))
-        if user == request.user:
-            return HttpResponseRedirect(reverse("product"))
-        return HttpResponseRedirect(reverse("view_product", args=(member.product.id,)))
-    product_tab = Product_Tab(member.product, title=page_name, tab="settings")
-    return render(request, "dojo/delete_product_member.html", {
-        "name": page_name,
-        "memberid": memberid,
-        "form": memberform,
-        "product_tab": product_tab,
-    })
-
-
 def add_product_authorized_users(request, pid):
     product = get_object_or_404(Product, pk=pid)
     user_has_permission_or_403(request.user, product, Permissions.Product_Manage_Members)