remove orphaned AssetGroup V3 API ViewSet, serializer, filter, and permission

Same shape as the AssetMember removal: the asset_groups route was never
registered with v2_api (punted to pro/product_groups). The AssetGroupViewSet,
AssetGroupSerializer, AssetGroupFilterSet, and UserHasAssetGroupPermission
classes have lived on as dead code that touches the Product_Group RBAC
model. Drop them along with their now-unused imports
(Product_Group, get_authorized_product_groups, user_has_permission,
PermissionDenied, ValidationError).

Author: devGregA

dojo/asset/api/filters.py

@@ -3,9 +3,6 @@
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 
-from dojo.authorization.models import (
-    Product_Group,
-)
 from dojo.filters import (
     CharFieldFilterANDExpression,
     CharFieldInFilter,
@@ -107,9 +104,3 @@ class ApiAssetFilter(DojoFilter):
     )
 
 
-class AssetGroupFilterSet(FilterSet):
-    asset_id = NumberFilter(field_name="product_id")
-
-    class Meta:
-        model = Product_Group
-        fields = ("id", "group_id")

dojo/asset/api/serializers.py

@@ -1,11 +1,6 @@
 from rest_framework import serializers
-from rest_framework.exceptions import PermissionDenied, ValidationError
 
 from dojo.api_v2.serializers import ProductMetaSerializer, TagListSerializerField
-from dojo.authorization.authorization import user_has_permission
-from dojo.authorization.models import (
-    Product_Group,
-)
 from dojo.models import (
     Dojo_User,
     Product,
@@ -80,44 +75,3 @@ def get_findings_list(self, obj) -> list[int]:
         return obj.open_findings_list()
 
 
-class AssetGroupSerializer(serializers.ModelSerializer):
-    asset = RelatedAssetField(source="product")
-
-    class Meta:
-        model = Product_Group
-        exclude = ("product",)
-
-    def validate(self, data):
-        if (
-            self.instance is not None
-            and data.get("asset") != self.instance.product
-            and not user_has_permission(
-                self.context["request"].user,
-                data.get("asset"),
-                "add",
-            )
-        ):
-            msg = "You are not permitted to add a group to this Asset"
-            raise PermissionDenied(msg)
-
-        if (
-            self.instance is None
-            or data.get("asset") != self.instance.product
-            or data.get("group") != self.instance.group
-        ):
-            members = Product_Group.objects.filter(
-                product=data.get("asset"), group=data.get("group"),
-            )
-            if members.count() > 0:
-                msg = "Asset Group already exists"
-                raise ValidationError(msg)
-
-        if data.get("role").is_owner and not user_has_permission(
-            self.context["request"].user,
-            data.get("asset"),
-            "staff_only",
-        ):
-            msg = "You are not permitted to add a group as Owner to this Asset"
-            raise PermissionDenied(msg)
-
-        return data

dojo/asset/api/views.py

@@ -13,19 +13,14 @@
 from dojo.asset.api.filters import (
     ApiAssetFilter,
     AssetAPIScanConfigurationFilterSet,
-    AssetGroupFilterSet,
 )
 from dojo.authorization import api_permissions as permissions
-from dojo.authorization.models import (
-    Product_Group,
-)
 from dojo.models import (
     Product,
     Product_API_Scan_Configuration,
 )
 from dojo.product.queries import (
     get_authorized_product_api_scan_configurations,
-    get_authorized_product_groups,
     get_authorized_products,
 )
 from dojo.utils import async_delete, get_setting
@@ -126,29 +121,3 @@ def generate_report(self, request, pk=None):
         return Response(report.data)
 
 
-# Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
-class AssetGroupViewSet(
-    PrefetchDojoModelViewSet,
-):
-    serializer_class = serializers.AssetGroupSerializer
-    queryset = Product_Group.objects.none()
-    filter_backends = (DjangoFilterBackend,)
-    filterset_class = AssetGroupFilterSet
-    permission_classes = (
-        IsAuthenticated,
-        permissions.UserHasAssetGroupPermission,
-    )
-
-    def get_queryset(self):
-        return get_authorized_product_groups(
-            "view",
-        ).distinct()
-
-    @extend_schema(
-        exclude=True,
-    )
-    def partial_update(self, request, pk=None):
-        # Object authorization won't work if not all data is provided
-        response = {"message": "Patch function is not offered in this path."}
-        return Response(response, status=status.HTTP_405_METHOD_NOT_ALLOWED)

dojo/authorization/api_permissions.py

@@ -535,22 +535,6 @@ def has_object_permission(self, request, view, obj):
         )
 
 
-class UserHasAssetGroupPermission(permissions.BasePermission):
-    def has_permission(self, request, view):
-        return check_post_permission(
-            request, Product, "asset", "add",
-        )
-
-    def has_object_permission(self, request, view, obj):
-        return check_object_permission(
-            request,
-            obj,
-            "view",
-            "edit",
-            "delete",
-        )
-
-
 class UserHasProductTypePermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.method == "POST":