fix(tests): repair CI failures from legacy auth rebuild + cache authorized ids

Move query_registrations import from dojo.authorization.__init__ to
apps.py ready() so the per-app auth-filter registry is guaranteed
populated by the time any code path imports dojo.authorization.query_filters.
The eager package-init import was raising mid-app-load circular ImportErrors
that the try/except in each queries.py silently swallowed, leaving callers
with the stub get_auth_filter that returns None — every per-model auth
filter was bypassed and querysets returned unfiltered results.

Cache the authorized product / product-type id sets per request and use
set membership in _user_authorized_for instead of repeated
authorized_users.filter(pk=user.pk).exists() probes; Alert dispatch skips
the user_id FK existence check in clean_fields since the user instance
was just fetched from the DB.

Unit-test alignments under legacy auth: UserProfileSerializer no longer
returns RBAC carriers, UsersTest.deleted_objects is 12 not 13, and the
ZAP-import query baselines drop to 1378/1256 (one EXISTS-per-recipient
per dispatch goes away, net -7 against pre-Track-B).

Integration tests: rewrite product_member / product_type_member flows
for the authorized_users add/revoke UI (no per-member role), and delete
group_test / product_group_test / product_type_group_test outright —
groups don't exist under legacy auth.

Author: devGregA

.github/workflows/integration-tests.yml

@@ -37,20 +37,17 @@ jobs:
           "tests/finding_extended_test.py",
           "tests/finding_group_test.py",
           "tests/finding_test.py",
-          "tests/group_test.py",
           "tests/login_test.py",
           "tests/metrics_extended_test.py",
           "tests/note_type_test.py",
           "tests/notes_test.py",
           "tests/notification_webhook_test.py",
           "tests/notifications_test.py",
           "tests/object_test.py",
-          "tests/product_group_test.py",
           "tests/product_member_test.py",
           "tests/product_metadata_test.py",
           "tests/product_tag_metrics_test.py",
           "tests/product_test.py",
-          "tests/product_type_group_test.py",
           "tests/product_type_member_test.py",
           "tests/product_type_test.py",
           "tests/questionnaire_advanced_test.py",

dojo/apps.py

@@ -72,6 +72,12 @@ def ready(self):
 
         register_check(check_configuration_deduplication, "dojo")
 
+        # Trigger registration of the OS authorization queryset filters.
+        # query_registrations.py is no longer imported by the package
+        # __init__ (to avoid circular import edge cases during early model
+        # loading) — we do it here once all models are ready.
+        import dojo.authorization.query_registrations  # noqa: PLC0415, F401
+
         # Load any signals here that will be ready for runtime
         # Importing the signals file is good enough if using the receiver decorator
         import dojo.announcement.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady

dojo/authorization/__init__.py

@@ -1,11 +1,7 @@
-# Import query_registrations to trigger RBAC filter registration at startup
-from dojo.authorization import query_registrations  # noqa: F401
-from dojo.authorization.authorization import (  # noqa: F401
-    user_has_configuration_permission,
-    user_has_global_permission,
-    user_has_global_permission_or_403,
-    user_has_permission,
-    user_has_permission_or_403,
-    user_is_superuser_or_global_owner,
-)
-from dojo.authorization.roles_permissions import Permissions, Roles  # noqa: F401
+# NOTE: do not import query_registrations here. It pulls in dojo.models
+# (and dojo.location.models), which can be mid-import when this package
+# is loaded transitively (e.g. via `from dojo.authorization.query_filters
+# import get_auth_filter`). If that chain raises ImportError, callers
+# silently fall back to a stub `get_auth_filter` and the queryset auth
+# filters never apply. Registration is now triggered explicitly in
+# dojo/apps.py ready() once all models are loaded.

dojo/authorization/authorization.py

@@ -21,6 +21,10 @@
 from django.db.models import Model
 
 from dojo.authorization.models import Dojo_Group_Member, Product_Member, Product_Type_Member
+from dojo.authorization.query_registrations import (
+    authorized_product_id_set,
+    authorized_product_type_id_set,
+)
 from dojo.authorization.roles_permissions import (
     Action,
     permission_to_action,
@@ -121,14 +125,14 @@ def _user_authorized_for(user: Dojo_User, obj: Model, action: Action) -> bool:
     if isinstance(obj, Product_Type):
         if user.is_staff:
             return True
-        return obj.authorized_users.filter(pk=user.pk).exists()
+        return obj.pk in authorized_product_type_id_set(user.pk)
 
     if isinstance(obj, Product):
         if user.is_staff:
             return True
-        if obj.authorized_users.filter(pk=user.pk).exists():
-            return True
-        return bool(obj.prod_type_id and obj.prod_type.authorized_users.filter(pk=user.pk).exists())
+        # authorized_product_id_set folds direct Product membership AND
+        # inherited membership via prod_type into one cached lookup.
+        return obj.pk in authorized_product_id_set(user.pk)
 
     if isinstance(obj, Engagement):
         return _user_authorized_for(user, obj.product, action)

dojo/authorization/query_registrations.py

@@ -40,6 +40,7 @@
     Tool_Product_Settings,
     Vulnerability_Id,
 )
+from dojo.request_cache import cache_for_request
 
 
 def _resolve_user(user):
@@ -62,15 +63,57 @@ def _is_unrestricted(user, action):
 
 
 def _authorized_product_ids(user):
+    """
+    QuerySet of product ids the user can access via authorized_users.
+    Lazy on purpose — callers that pass this into ``.filter(id__in=...)``
+    let Postgres collapse it into a single subquery.
+    """
     return Product.objects.filter(
         Q(authorized_users=user) | Q(prod_type__authorized_users=user),
     ).values("id")
 
 
 def _authorized_product_type_ids(user):
+    """
+    QuerySet of product_type ids the user can access via authorized_users.
+    Lazy on purpose (see ``_authorized_product_ids``).
+    """
     return Product_Type.objects.filter(authorized_users=user).values("id")
 
 
+@cache_for_request
+def authorized_product_id_set(user_pk):
+    """
+    Frozen set of product ids the user can access via authorized_users
+    (direct or via prod_type). Result is cached for the lifetime of the
+    current request — repeated per-object permission checks (one per
+    object, often dozens per request) collapse to a single SELECT.
+
+    Returns an empty frozenset for anonymous / missing users so callers
+    can do ``pid in set`` without a None check.
+    """
+    if not user_pk:
+        return frozenset()
+    return frozenset(
+        Product.objects.filter(
+            Q(authorized_users=user_pk) | Q(prod_type__authorized_users=user_pk),
+        ).values_list("id", flat=True),
+    )
+
+
+@cache_for_request
+def authorized_product_type_id_set(user_pk):
+    """
+    Frozen set of product_type ids the user is a direct member of via
+    authorized_users. Cached per request (see ``authorized_product_id_set``).
+    """
+    if not user_pk:
+        return frozenset()
+    return frozenset(
+        Product_Type.objects.filter(authorized_users=user_pk).values_list("id", flat=True),
+    )
+
+
 def _filter_by_authorized_products(queryset, product_path, permission, user=None):
     """
     Generic helper: restrict ``queryset`` to rows whose ``product_path`` FK

dojo/notifications/helper.py

@@ -607,8 +607,13 @@ def send_alert_notification(
                 icon=icon[:25],
                 source=source,
             )
-            # relative urls will fail validation
-            alert.clean_fields(exclude=["url"])
+            # ``url`` skips validation (relative URLs are valid here but
+            # URLField.validate rejects them). ``user_id`` skips the FK
+            # existence probe — the user was just fetched from our own
+            # DB by the caller, so the ``SELECT 1 FROM auth_user WHERE id=N
+            # LIMIT 1`` round-trip every ForeignKey.validate would issue
+            # is pure overhead at fan-out time.
+            alert.clean_fields(exclude=["url", "user_id"])
             alert.save()
         except Exception as exception:
             logger.exception("Unable to create Alert Notification")