feat(authorization): make view_user product/product_type panels read-only under legacy

Restore the "Product Types this User can access" / "Products this User
can access" panels that I'd just stripped, but rebuild them as
legacy-correct, read-only listings:

* dojo/user/views.py:view_user computes accessible_product_types and
  accessible_products from authorized_users (with the cascade
  Product_Type → Product). The Pro-driven product_type_members /
  product_members context vars are kept so the Pro template override
  can keep rendering the RBAC version.
* view_user.html (both UI trees) renders the new context vars in the
  user_product_types_panel / user_products_panel blocks. Drops the
  Add hamburger, the per-row Edit/Delete ellipsis dropdown, and the
  Role column — all of those write to or describe Product_Member rows
  which are inert under legacy and the Product_Member table is no
  longer editable from OS.
* Pro's pro/templates/dojo/view_user.html already overrides both
  blocks with the RBAC-driven content, so Pro renders unchanged.

Author: devGregA

dojo/templates/dojo/view_user.html

@@ -101,8 +101,69 @@ <h4 class="pull-left">{% trans "Contact Information" %}</h4>
                 </table>
             </div>
         </div>
-        {% block user_product_types_panel %}{% endblock %}
-        {% block user_products_panel %}{% endblock %}
+        {% block user_product_types_panel %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <div class="clearfix">
+                    <h4 class="pull-left">{{ labels.ORG_USERS_LABEL }}</h4>
+                </div>
+            </div>
+            {% if accessible_product_types %}
+            <div class="table-responsive">
+                <table class="tablesorter-bootstrap table table-condensed table-striped">
+                    <thead>
+                        <tr>
+                            <th>{{ labels.ORG_LABEL }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for pt in accessible_product_types %}
+                        <tr>
+                            <td name="member_product_type"><a href="{% url 'view_product_type' pt.id %}">{{ pt.name }}</a></td>
+                        </tr>
+                        {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+            {% else %}
+            <div class="panel-body">
+                <small class="text-muted"><em>{{ labels.ORG_USERS_NO_ACCESS_MESSAGE }}</em></small>
+            </div>
+            {% endif %}
+        </div>
+        {% endblock user_product_types_panel %}
+        {% block user_products_panel %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <div class="clearfix">
+                    <h4 class="pull-left">{{ labels.ASSET_USERS_ACCESS_LABEL }}</h4>
+                </div>
+            </div>
+            {% if accessible_products %}
+            <div class="table-responsive">
+                <table class="tablesorter-bootstrap table table-condensed table-striped">
+                    <thead>
+                        <tr>
+                            <th>{{ labels.ASSET_LABEL }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for p in accessible_products %}
+                        <tr>
+                            <td name="member_product"><a href="{% url 'view_product' p.id %}">{{ p.name }}</a></td>
+                        </tr>
+                        {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+            {% else %}
+            <div class="panel-body">
+                <small class="text-muted"><em>{{ labels.ASSET_USERS_NO_ACCESS_MESSAGE }}</em></small>
+            </div>
+            {% endif %}
+        </div>
+        {% endblock user_products_panel %}
+
         {% block user_groups_panel %}{% endblock %}
     </div>
     <div class="col-md-4">

dojo/templates_classic/dojo/view_user.html

@@ -101,8 +101,69 @@ <h4 class="pull-left">{% trans "Contact Information" %}</h4>
                 </table>
             </div>
         </div>
-        {% block user_product_types_panel %}{% endblock %}
-        {% block user_products_panel %}{% endblock %}
+        {% block user_product_types_panel %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <div class="clearfix">
+                    <h4 class="pull-left">{{ labels.ORG_USERS_LABEL }}</h4>
+                </div>
+            </div>
+            {% if accessible_product_types %}
+            <div class="table-responsive">
+                <table class="tablesorter-bootstrap table table-condensed table-striped">
+                    <thead>
+                        <tr>
+                            <th>{{ labels.ORG_LABEL }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for pt in accessible_product_types %}
+                        <tr>
+                            <td name="member_product_type"><a href="{% url 'view_product_type' pt.id %}">{{ pt.name }}</a></td>
+                        </tr>
+                        {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+            {% else %}
+            <div class="panel-body">
+                <small class="text-muted"><em>{{ labels.ORG_USERS_NO_ACCESS_MESSAGE }}</em></small>
+            </div>
+            {% endif %}
+        </div>
+        {% endblock user_product_types_panel %}
+        {% block user_products_panel %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <div class="clearfix">
+                    <h4 class="pull-left">{{ labels.ASSET_USERS_ACCESS_LABEL }}</h4>
+                </div>
+            </div>
+            {% if accessible_products %}
+            <div class="table-responsive">
+                <table class="tablesorter-bootstrap table table-condensed table-striped">
+                    <thead>
+                        <tr>
+                            <th>{{ labels.ASSET_LABEL }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for p in accessible_products %}
+                        <tr>
+                            <td name="member_product"><a href="{% url 'view_product' p.id %}">{{ p.name }}</a></td>
+                        </tr>
+                        {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+            {% else %}
+            <div class="panel-body">
+                <small class="text-muted"><em>{{ labels.ASSET_USERS_NO_ACCESS_MESSAGE }}</em></small>
+            </div>
+            {% endif %}
+        </div>
+        {% endblock user_products_panel %}
+
         {% block user_groups_panel %}{% endblock %}
     </div>
     <div class="col-md-4">

dojo/user/views.py

@@ -49,7 +49,7 @@
 )
 from dojo.group.queries import get_authorized_group_members_for_user
 from dojo.labels import get_labels
-from dojo.models import Alerts, Dojo_User, UserContactInfo
+from dojo.models import Alerts, Dojo_User, Product, Product_Type, UserContactInfo
 from dojo.product.queries import get_authorized_product_members_for_user
 from dojo.product_type.queries import get_authorized_product_type_members_for_user
 from dojo.user.authentication import reset_token_for_user
@@ -408,6 +408,16 @@ def add_user(request):
 
 def view_user(request, uid):
     user = get_object_or_404(Dojo_User, id=uid)
+    # Legacy access lists: Product / Product_Type the user is on
+    # via authorized_users (with cascade Product_Type → Product).
+    accessible_product_types = Product_Type.objects.filter(
+        authorized_users=user,
+    ).order_by("name")
+    accessible_products = Product.objects.filter(
+        Q(authorized_users=user) | Q(prod_type__authorized_users=user),
+    ).distinct().order_by("name")
+    # kept for Pro template override `{% block user_product_types_panel %}` /
+    # `{% block user_products_panel %}` at pro/templates/dojo/view_user.html
     product_members = get_authorized_product_members_for_user(user, "view")
     product_type_members = get_authorized_product_type_members_for_user(user, "view")
     group_members = get_authorized_group_members_for_user(user)
@@ -416,6 +426,8 @@ def view_user(request, uid):
     add_breadcrumb(title=_("View User"), top_level=False, request=request)
     return render(request, "dojo/view_user.html", {
         "user": user,
+        "accessible_product_types": accessible_product_types,
+        "accessible_products": accessible_products,
         "product_members": product_members,
         "product_type_members": product_type_members,
         "group_members": group_members,