devGregA elevate Writer Global_Role to is_staff in legacy auth backfill

Maffooch · Maffooch · commit baf0f3ea197d · 2026-05-08T11:04:03.000-06:00
Adds Writer to the is_staff flip set in 0267_backfill_authorized_users so
Writer Global_Role users keep visibility post-conversion instead of
silently dropping to nothing. Reader stays excluded since legacy has no
read-only-everywhere primitive. Updates the matching tuple in
preview_legacy_authorization_migration so the dry-run report tracks the
migration, and documents the full RBAC -&gt; legacy mapping in the 2.59
upgrade notes.
diff --git a/docs/content/releases/os_upgrading/2.59.md b/docs/content/releases/os_upgrading/2.59.md
@@ -20,6 +20,20 @@ In 2.59 the classic UI restores the **"Authorized Users"** panel on the Product
 
 Both endpoints are gated so only `is_staff` / `is_superuser` users can add or remove. Non-staff users see the panel but no management actions.
 
+### How RBAC rows are converted
+
+The data migration `0267_backfill_authorized_users` translates RBAC tables into the legacy model with the following rules:
+
+| RBAC row | Legacy effect |
+|---|---|
+| `Product_Member` (any role, direct or via `Product_Group` + `Dojo_Group_Member`) | Adds the user to `Product.authorized_users` |
+| `Product_Type_Member` (any role, direct or via `Product_Type_Group` + `Dojo_Group_Member`) | Adds the user to `Product_Type.authorized_users` |
+| `Global_Role(Owner)` (direct or via group) | Sets `User.is_superuser = True` |
+| `Global_Role(Writer | Maintainer | API_Importer)` (direct or via group) | Sets `User.is_staff = True` |
+| `Global_Role(Reader)` | No global elevation — relies on per-product membership |
+
+Per-product role granularity (Reader vs Writer vs Maintainer vs Owner) collapses to membership-only because the legacy model has no per-product role concept. `Dojo_Group` structure as a permission-bearing entity is also lost; only the flattened individual user memberships remain.
+
 ### Required actions
 
 - **Database migrations run automatically on upgrade.** Existing access is carried forward into the legacy `authorized_users` model. Existing data is preserved.
diff --git a/dojo/db_migrations/0267_backfill_authorized_users.py b/dojo/db_migrations/0267_backfill_authorized_users.py
@@ -21,11 +21,11 @@
                                         -> Product_Type.authorized_users (flattened)
   Global_Role(Owner) for user           -> User.is_superuser = True
   Global_Role(Owner) via group          -> all group members.is_superuser = True
-  Global_Role(Maintainer|API_Importer) for user
+  Global_Role(Writer|Maintainer|API_Importer) for user
                                         -> User.is_staff = True
-  Global_Role(Maintainer|API_Importer) via group
+  Global_Role(Writer|Maintainer|API_Importer) via group
                                         -> all group members.is_staff = True
-  Global_Role(Writer|Reader)            -> no global elevation
+  Global_Role(Reader)                   -> no global elevation
                                           (relies on per-product membership)
 
 Things lost on this transition (acknowledged in the upgrade release notes):
@@ -96,13 +96,13 @@ def backfill_authorized_users(apps, schema_editor):
 
     elevated_user_ids = list(
         Global_Role.objects.filter(
-            role__name__in=("Maintainer", "API_Importer"),
+            role__name__in=("Writer", "Maintainer", "API_Importer"),
             user__isnull=False,
         ).values_list("user_id", flat=True),
     )
     elevated_group_ids = list(
         Global_Role.objects.filter(
-            role__name__in=("Maintainer", "API_Importer"),
+            role__name__in=("Writer", "Maintainer", "API_Importer"),
             group__isnull=False,
         ).values_list("group_id", flat=True),
     )
diff --git a/dojo/management/commands/preview_legacy_authorization_migration.py b/dojo/management/commands/preview_legacy_authorization_migration.py
@@ -16,8 +16,8 @@
     added (broken down by source: direct member rows vs flattened group
     members).
   * Users that would be flipped to ``is_superuser=True`` (Global_Role.Owner).
-  * Users that would be flipped to ``is_staff=True`` (Global_Role.Maintainer
-    / API_Importer).
+  * Users that would be flipped to ``is_staff=True`` (Global_Role.Writer /
+    Maintainer / API_Importer).
   * Counts of role granularity that the legacy model cannot preserve
     (Reader vs Writer vs Maintainer per product, group membership as a
     permission-bearing entity, configuration permissions per codename).
@@ -109,13 +109,13 @@ def _build_report(self):
 
         elevated_user_ids = set(
             Global_Role.objects.filter(
-                role__name__in=("Maintainer", "API_Importer"),
+                role__name__in=("Writer", "Maintainer", "API_Importer"),
                 user__isnull=False,
             ).values_list("user_id", flat=True),
         )
         elevated_group_ids = list(
             Global_Role.objects.filter(
-                role__name__in=("Maintainer", "API_Importer"),
+                role__name__in=("Writer", "Maintainer", "API_Importer"),
                 group__isnull=False,
             ).values_list("group_id", flat=True),
         )
