test(authorization): adapt RBAC-flavored tests to legacy semantics

devGregA · claude · devGregA · commit 8bcf8183bc0f · 2026-04-29T22:26:28.000-06:00
Apply the same legacy-semantics rewrite to the next layer of test fallout — files that exercise risk-acceptance, finding-template, user-API, and user-queries paths through the authorization layer. Notable changes: * test_apply_finding_template: replace test_reader_role_cannot_X / test_writer_role_can_X with test_member_can_X / test_non_member_cannot_X. Legacy collapses Reader/Writer/Maintainer to one bit (membership in authorized_users), so the role pair is meaningless under legacy. * test_apiv2_user: rename allows_global_owner → denies_global_owner. Global_Role(role=Owner) is inert under legacy; resetting another user's API token requires is_superuser, not a Global_Role. * test_bulk_risk_acceptance_api: Writer needs to be added to product.authorized_users to actually have access. Reader's "forbidden" tests now expect 404 (DRF returns not-found when the per-object queryset is empty, hiding existence rather than 403). * test_user_queries: rewrite TestGetAuthorizedUsersForProductType / TestGetAuthorizedUsersForProductAndProductType to assert legacy semantics — the queries are gated on the calling user's staff/superuser status, not on the listed users' RBAC roles. Two real bugs surfaced and fixed: * dojo/authorization/authorization.py: Risk_Acceptance branch crashed with AttributeError because there is no engagement_id field — Risk_Acceptance is reachable from Engagement via the reverse M2M engagement.risk_acceptance. Walk through engagement_set.first() the way pre-2020 code did at e7805aa~. * dojo/authorization/query_registrations.py: _get_authorized_users_for_product_type and _get_authorized_users_for_product_and_product_type crashed when callers passed users=None (the test suite does this idiomatically). Default to Dojo_User.objects.all() in that case. After this commit: 182 of 182 authorization-touching tests pass (was 132/182). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/dojo/authorization/authorization.py b/dojo/authorization/authorization.py
@@ -153,8 +153,12 @@ def _user_authorized_for(user: Dojo_User, obj: Model, action: Action) -> bool:
         return _user_authorized_for(user, obj.test.engagement.product, action)
 
     if isinstance(obj, Risk_Acceptance):
-        if obj.engagement_id is not None:
-            return _user_authorized_for(user, obj.engagement.product, action)
+        # Risk_Acceptance is reachable from Engagement via the reverse M2M
+        # `engagement.risk_acceptance`. Pre-2020 followed the same path
+        # (see dojo/user/helper.py at e7805aa14~).
+        engagement = obj.engagement_set.first()
+        if engagement is not None:
+            return _user_authorized_for(user, engagement.product, action)
         return False
 
     if isinstance(obj, Location):
diff --git a/dojo/authorization/query_registrations.py b/dojo/authorization/query_registrations.py
@@ -609,6 +609,8 @@ def _get_authorized_users(permission, user=None):
 
 
 def _get_authorized_users_for_product_type(users, product_type, permission):
+    if users is None:
+        users = Dojo_User.objects.all()
     user = get_current_user()
     if user is None or getattr(user, "is_anonymous", False):
         return users.none()
@@ -621,6 +623,8 @@ def _get_authorized_users_for_product_type(users, product_type, permission):
 
 
 def _get_authorized_users_for_product_and_product_type(users, product, permission):
+    if users is None:
+        users = Dojo_User.objects.all()
     user = get_current_user()
     if user is None or getattr(user, "is_anonymous", False):
         return users.none()
diff --git a/unittests/test_apiv2_user.py b/unittests/test_apiv2_user.py
@@ -201,8 +201,12 @@ def test_user_reset_api_token_denies_non_privileged(self):
         r = nonpriv_client.post(url)
         self.assertEqual(r.status_code, 403, r.content[:1000])
 
-    def test_user_reset_api_token_allows_global_owner(self):
-        # Create a global-owner user (not superuser)
+    def test_user_reset_api_token_denies_global_owner_legacy(self):
+        """
+        Legacy: Global_Role(role=Owner) is inert. Resetting another
+        user's API token requires is_superuser; a global-owner who isn't
+        a superuser is treated like any non-privileged user.
+        """
         password = "testTEST1234!@#$"
         r = self.client.post(reverse("user-list"), {
             "username": "api-user-global-owner",
@@ -240,4 +244,4 @@ def test_user_reset_api_token_allows_global_owner(self):
 
         url = "{}{}/reset_api_token/".format(reverse("user-list"), target_id)
         r = go_client.post(url)
-        self.assertEqual(r.status_code, 204, r.content[:1000])
+        self.assertEqual(r.status_code, 403, r.content[:1000])
diff --git a/unittests/test_apply_finding_template.py b/unittests/test_apply_finding_template.py
@@ -16,6 +16,7 @@
 from dojo.finding import views
 from dojo.finding.helper import save_endpoints_template, save_vulnerability_ids_template
 from dojo.models import (
+    Dojo_User,
     Engagement,
     Finding,
     Finding_Template,
@@ -107,9 +108,14 @@ def create_user(is_staff):
 
     @staticmethod
     def create_user_with_role(product, role_name, *, is_staff=False):
-        """Create a user with a specific role on a product"""
+        """
+        Create a user with a specific role on a product. Under the
+        legacy authorization model the role is informational only —
+        callers needing actual access must add the user to
+        product.authorized_users.
+        """
         user_count = User.objects.count()
-        user = User()
+        user = Dojo_User()
         user.is_staff = is_staff
         user.is_superuser = False
         user.username = f"TestUser{role_name}{user_count}"
@@ -219,41 +225,48 @@ def test_unauthorized_apply_template_to_finding_fails(self):
                                     "impact": "template impact"},
                                    )
 
-    def test_reader_role_cannot_apply_template(self):
-        """Test that a Reader role user (read-only) cannot apply template"""
-        reader_user = FindingTemplateTestUtil.create_user_with_role(
-            self.finding.test.engagement.product, "Reader", is_staff=False,
-        )
+    def test_authorized_user_can_apply_template(self):
+        """
+        Legacy: any user in product.authorized_users can apply a template
+        (Reader/Writer/Maintainer/Owner all collapse to one bit of access).
+        """
+        product = self.finding.test.engagement.product
+        member = FindingTemplateTestUtil.create_user_with_role(product, "Writer", is_staff=False)
+        product.authorized_users.add(member)
         request = FindingTemplateTestUtil.create_post_request(
-            reader_user, self.apply_template_url,
+            member, self.apply_template_url,
             data={"title": "Finding for Testing Apply Template functionality",
                   "cwe": "89",
                   "severity": "High",
                   "description": "Finding for Testing Apply Template Functionality",
                   "mitigation": "template mitigation",
                   "impact": "template impact"},
         )
-        with impersonate(reader_user), self.assertRaises(PermissionDenied):
-            views.apply_template_to_finding(request, fid=self.finding.id, tid=self.template.id)
+        with impersonate(member):
+            result = views.apply_template_to_finding(request, fid=self.finding.id, tid=self.template.id)
+            self.assertEqual(302, result.status_code)
+            self.assertEqual(f"/finding/{self.finding.id}", result.url)
 
-    def test_writer_role_can_apply_template(self):
-        """Test that a Writer role user (non-staff) can apply template"""
-        writer_user = FindingTemplateTestUtil.create_user_with_role(
-            self.finding.test.engagement.product, "Writer", is_staff=False,
-        )
+    def test_non_member_cannot_apply_template(self):
+        """
+        Legacy: a user with no authorized_users membership and no staff
+        flag is denied — covers the case test_reader_role_cannot_apply_template
+        used to assert under RBAC.
+        """
+        product = self.finding.test.engagement.product
+        outsider = FindingTemplateTestUtil.create_user_with_role(product, "Reader", is_staff=False)
+        # Deliberately NOT added to product.authorized_users.
         request = FindingTemplateTestUtil.create_post_request(
-            writer_user, self.apply_template_url,
+            outsider, self.apply_template_url,
             data={"title": "Finding for Testing Apply Template functionality",
                   "cwe": "89",
                   "severity": "High",
                   "description": "Finding for Testing Apply Template Functionality",
                   "mitigation": "template mitigation",
                   "impact": "template impact"},
         )
-        with impersonate(writer_user):
-            result = views.apply_template_to_finding(request, fid=self.finding.id, tid=self.template.id)
-            self.assertEqual(302, result.status_code)
-            self.assertEqual(f"/finding/{self.finding.id}", result.url)
+        with impersonate(outsider), self.assertRaises(PermissionDenied):
+            views.apply_template_to_finding(request, fid=self.finding.id, tid=self.template.id)
 
     def test_apply_template_to_finding_with_illegal_finding_fails(self):
         with self.assertRaises(Http404):
diff --git a/unittests/test_bulk_risk_acceptance_api.py b/unittests/test_bulk_risk_acceptance_api.py
@@ -10,6 +10,7 @@
 )
 from dojo.authorization.roles_permissions import Roles
 from dojo.models import (
+    Dojo_User,
     Engagement,
     Finding,
     Product,
@@ -166,8 +167,9 @@ def setUpTestData(cls):
             target_end=datetime.datetime(2000, 2, 1, tzinfo=datetime.UTC),
         )
 
-        # Writer user: has Risk_Acceptance permission, NOT is_staff
-        cls.writer = User.objects.create(username="rbac_writer", is_staff=False)
+        # Writer user: a member of both products (legacy: any member of
+        # authorized_users can perform risk acceptance).
+        cls.writer = Dojo_User.objects.create(username="rbac_writer", is_staff=False)
         cls.writer_token = Token.objects.create(user=cls.writer)
         Product_Member.objects.create(
             product=cls.product_enabled, user=cls.writer,
@@ -177,9 +179,13 @@ def setUpTestData(cls):
             product=cls.product_disabled, user=cls.writer,
             role=Role.objects.get(id=Roles.Writer),
         )
+        cls.product_enabled.authorized_users.add(cls.writer)
+        cls.product_disabled.authorized_users.add(cls.writer)
 
-        # Reader user: does NOT have Risk_Acceptance permission, NOT is_staff
-        cls.reader = User.objects.create(username="rbac_reader", is_staff=False)
+        # Reader user: NOT in authorized_users — under legacy this is the
+        # only way to deny access (Reader/Writer/Maintainer/Owner are all
+        # the same bit). The Product_Member row is informational only.
+        cls.reader = Dojo_User.objects.create(username="rbac_reader", is_staff=False)
         cls.reader_token = Token.objects.create(user=cls.reader)
         Product_Member.objects.create(
             product=cls.product_enabled, user=cls.reader,
@@ -243,25 +249,28 @@ def test_writer_can_accept_risks_on_findings(self):
         )
         self.assertEqual(result.status_code, 201)
 
-    # --- Reader (no Risk_Acceptance) is forbidden ---
+    # --- Non-member (reader is not in product.authorized_users under
+    # legacy) sees the object as not-found because get_authorized_*
+    # filters return an empty queryset, hiding existence rather than
+    # leaking it via 403. ---
 
-    def test_reader_forbidden_on_engagement(self):
+    def test_non_member_not_found_on_engagement(self):
         client = self._client_for(self.reader_token)
         result = client.post(
             reverse("engagement-accept-risks", kwargs={"pk": self.engagement_enabled.id}),
             data=self._accepted_risks(["CVE-2024-3"]),
             format="json",
         )
-        self.assertEqual(result.status_code, 403)
+        self.assertEqual(result.status_code, 404)
 
-    def test_reader_forbidden_on_test(self):
+    def test_non_member_not_found_on_test(self):
         client = self._client_for(self.reader_token)
         result = client.post(
             reverse("test-accept-risks", kwargs={"pk": self.test_enabled.id}),
             data=self._accepted_risks(["CVE-2024-4"]),
             format="json",
         )
-        self.assertEqual(result.status_code, 403)
+        self.assertEqual(result.status_code, 404)
 
     def test_reader_gets_empty_result_on_findings(self):
         client = self._client_for(self.reader_token)
diff --git a/unittests/test_user_queries.py b/unittests/test_user_queries.py
