
Commit 99fbedf

devGregA and claude committed
docs(2.58): document Authorized Users panel + Pro no-op note
Update the OS 2.58 upgrade notes to describe the new Authorized Users panel that replaces the inert Members/Groups panels in the classic UI under legacy authorization, the new endpoints, and the template-block hooks Pro and other downstreams can override. Update the Pro changelog with a v2.58.0 entry stating Pro deployments are not impacted — Pro RBAC continues to drive Members/Groups via template overrides. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 171d60b commit 99fbedf

2 files changed

Lines changed: 34 additions & 1 deletion


docs/content/releases/os_upgrading/2.58.md

Lines changed: 28 additions & 1 deletion
@@ -2,9 +2,36 @@
22
title: 'Upgrading to DefectDojo Version 2.58.x'
33
toc_hide: true
44
weight: -20260504
5-
description: Notification .tpl templates relocated under dojo/notifications/
5+
description: Authorized Users panel replaces Members/Groups under legacy authorization; Notification .tpl templates relocated under dojo/notifications/
66
---
77

8+
## Authorized Users panel replaces Members/Groups under legacy authorization
9+
10+
Open Source DefectDojo uses the legacy (pre-2020) authorization model: access to a Product is granted by `Product.authorized_users` (with cascade via `Product_Type.authorized_users`), and `is_staff` / `is_superuser` bypass everything. The classic Django-template UI previously rendered "Members" and "Groups" panels driven by the RBAC tables (`Product_Member`, `Product_Type_Member`, `Product_Group`, `Product_Type_Group`), which legacy authorization does not consult — making those panels read-only and the "Add Users" / "Add Groups" actions a silent failure. They wrote rows to the RBAC tables but did not grant any access.
11+
12+
In 2.58 the classic UI replaces both panels with a single **"Authorized Users"** panel on the Product and Product Type detail pages. The panel reads from and writes to `Product.authorized_users` / `Product_Type.authorized_users` directly, so adding a user actually grants them the access the UI suggests it does. The "Groups" entry has also been removed from the **Users** dropdown in the left navigation, since `Dojo_Group` is inert under legacy authorization.
13+
14+
This applies to both the Bootstrap (Classic) and Tailwind opt-in UI trees.
15+
16+
### New endpoints
17+
18+
- `GET/POST /product/<pid>/authorized_users/add` — list / add users to `Product.authorized_users`
19+
- `POST /product/<pid>/authorized_users/<user_id>/delete` — remove a user
20+
- `GET/POST /product/type/<ptid>/authorized_users/add` — same for `Product_Type.authorized_users`
21+
- `POST /product/type/<ptid>/authorized_users/<user_id>/delete`
22+
23+
Both endpoints are gated on `Permissions.Product_Manage_Members` / `Permissions.Product_Type_Manage_Members`, which under legacy authorization map to `Action.StaffOnly` — so only `is_staff` / `is_superuser` users can add or remove. Non-staff users see the panel but no management actions.
24+
25+
### Required actions
26+
27+
- **No data migration required.** Migration `dojo.0267_backfill_authorized_users` (shipped in 2.57) already populated `authorized_users` from the prior RBAC tables, so existing access is preserved.
28+
- **If you have a Docker volume mount or in-tree patch overriding `dojo/templates_classic/dojo/view_product_details.html`, `view_product_type.html`, or `base.html`:** the Members/Groups panel HTML and the Groups submenu link were removed from these files and replaced with `{% block rbac_members_panel %}{% endblock %}`, `{% block rbac_groups_panel %}{% endblock %}`, `{% block authorized_users_panel %}{% endblock %}`, and `{% block groups_submenu_link %}{% endblock %}` placeholders. Re-apply your override against the new structure, or override the relevant blocks.
29+
- **If you customized `add_product_member` / `add_product_type_member` URL views:** those URLs still exist and are unchanged; they just no longer have a corresponding entry in the classic UI.
30+
31+
### Pro customers are not impacted
32+
33+
DefectDojo Pro deployments retain full RBAC. The Pro app overrides the new template blocks (`rbac_members_panel`, `rbac_groups_panel`, `groups_submenu_link`) to re-render the Members and Groups panels and the Groups link, and overrides `authorized_users_panel` to empty so the new panel does not appear. The Pro UX is unchanged — same Members/Groups management surface as before.
34+
835
## Notification `.tpl` templates relocated
936

1037
The notification domain has been consolidated under a new `dojo/notifications/` package, and the 62 channel `.tpl` templates that drive alert, mail, MS Teams, Slack, and webhook notifications have moved on disk. The Django template lookup name (e.g. `notifications/mail/scan_added.tpl`) is unchanged, so most customizations keep working without any edits — but operators who override `.tpl` files by mounting them into the source tree need to update their paths.
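Review bot: the "Required actions" bullet at 27+ says `dojo.0267_backfill_authorized_users` populated `authorized_users` from the prior RBAC tables "so existing access is preserved", but 10+ states those same RBAC rows "did not grant any access" under legacy authorization, so the backfill converted inert Members/Groups rows into real grants rather than preserving anything. The note should say that explicitly and tell operators to review the Authorized Users panel (or `Product.authorized_users` / `Product_Type.authorized_users`) after upgrading; it should also cover rows written through the old "Add Users" / "Add Groups" actions after 0267 ran, which a migration shipped in 2.57 cannot have picked up. Two smaller points: 23+ says "Both endpoints" but four routes are listed, so "All four endpoints"; and since 10+ describes access cascading from `Product_Type.authorized_users`, the Product page panel should state whether users inherited from the Product Type are shown, otherwise a staff user may believe they have removed someone who still has access via the type.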

docs/content/releases/pro/changelog.md

Lines changed: 6 additions & 0 deletions
@@ -10,6 +10,12 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
1010

1111
For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/releases/os_upgrading/upgrading_guide/).
1212

13+
## May 2026: v2.58
14+
15+
### May 4, 2026: v2.58.0
16+
17+
* **(Authorization)** Pro deployments are **not impacted** by the OS UI rework that replaces the Product/Product Type Members/Groups panels with an Authorized Users panel. Pro retains full RBAC: the Members and Groups management panels and the Groups left-nav link continue to render unchanged, driven by Pro's RBAC tables via Pro template overrides.
18+
1319
## Apr 2026: v2.57
1420

1521
### Apr 20, 2026: v2.57.2
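Review bot: the 17+ entry only says which Pro template overrides keep the Members/Groups panels rendering; it does not say what the new `/product/<pid>/authorized_users/...` and `/product/type/<ptid>/authorized_users/...` routes documented in the 2.58 upgrade notes do in a Pro deployment. If they remain routed, a user holding `Permissions.Product_Manage_Members` could POST to them and write `Product.authorized_users` rows that Pro's RBAC does not consult, so the entry should state whether the routes are disabled in Pro or what they write to. Also, "Pro's RBAC tables" is misleading: `Product_Member`, `Product_Type_Member`, `Product_Group` and `Product_Type_Group` are the Open Source tables the upgrade note names, so "the RBAC tables" is the accurate wording.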
