fix(user): use forward FK to look up Global_Role on profile / user / group save

Global_Role.user and Global_Role.group both use related_name="+" under
legacy authorization, so user.global_role / group.global_role are not
reverse accessors. The hasattr() guard always returned False, so the
profile / edit-user / edit-group save paths bound the form to a brand-
new Global_Role with no PK, then save() INSERTed a duplicate row,
violating the unique(user_id) / unique(group_id) constraint and 500'ing
the request — surfaced when a user tried to toggle ui_use_tailwind on
their own profile.

Look up the existing Global_Role via the forward FK
(Global_Role.objects.filter(user=...).first() and the group equivalent)
so save() UPDATEs the existing row instead.

Same fix applies to the delete_user authorization check that gates on
"is the target user a global-role holder?" — switched from the broken
hasattr to the forward-FK lookup.

Regression test in unittests/test_user_ui_timestamps.py seeds an
existing Global_Role for admin, POSTs /profile, and asserts no 500 +
no duplicate row.

Author: devGregA

dojo/group/views.py

@@ -134,8 +134,10 @@ def get_group(self, group_id: int):
         return get_object_or_404(Dojo_Group, id=group_id)
 
     def get_global_role(self, group: Dojo_Group):
-        # Try to pull the global role from the group object
-        return group.global_role if hasattr(group, "global_role") else None
+        # Global_Role.group uses related_name="+", so group.global_role is
+        # not a reverse accessor — look up via the forward FK so we update
+        # the existing row instead of inserting a duplicate.
+        return Global_Role.objects.filter(group=group).first()
 
     def get_group_form(self, request: HttpRequest, group: Dojo_Group):
         # Set up the args for the form

dojo/user/views.py

@@ -30,7 +30,7 @@
 from rest_framework.exceptions import ValidationError as RFValidationError
 
 from dojo.authorization.authorization import user_is_superuser_or_global_owner
-from dojo.authorization.models import Dojo_Group_Member, Product_Member, Product_Type_Member
+from dojo.authorization.models import Dojo_Group_Member, Global_Role, Product_Member, Product_Type_Member
 from dojo.decorators import dojo_ratelimit
 from dojo.filters import UserFilter
 from dojo.forms import (
@@ -257,7 +257,10 @@ def view_profile(request):
     user_contact = user.usercontactinfo if hasattr(user, "usercontactinfo") else None
     contact_form = UserContactInfoForm(user=user) if user_contact is None else UserContactInfoForm(instance=user_contact, user=user)
 
-    global_role = user.global_role if hasattr(user, "global_role") else None
+    # Global_Role.user uses related_name="+", so user.global_role is not a
+    # reverse accessor — look it up via the forward FK so we update the
+    # existing row instead of trying to insert a duplicate.
+    global_role = Global_Role.objects.filter(user=user).first()
     if global_role is None:
         previous_global_role = None
         global_role_form = GlobalRoleForm()
@@ -422,7 +425,9 @@ def edit_user(request, uid):
     user_contact = user.usercontactinfo if hasattr(user, "usercontactinfo") else None
     contact_form = UserContactInfoForm(user=user) if user_contact is None else UserContactInfoForm(instance=user_contact, user=user)
 
-    global_role = user.global_role if hasattr(user, "global_role") else None
+    # Look up Global_Role via the forward FK; user.global_role is not a
+    # reverse accessor (related_name="+").
+    global_role = Global_Role.objects.filter(user=user).first()
     global_role_form = GlobalRoleForm() if global_role is None else GlobalRoleForm(instance=global_role)
 
     if request.method == "POST":
@@ -521,7 +526,9 @@ def delete_user(request, uid):
                                         messages.ERROR,
                                         _("Only superusers are allowed to delete superusers. User was not removed."),
                                         extra_tags="alert-danger")
-                elif not request.user.is_superuser and hasattr(user, "global_role") and user.global_role.role:
+                elif (not request.user.is_superuser
+                      and (existing_global_role := Global_Role.objects.filter(user=user).first())
+                      and existing_global_role.role):
                     messages.add_message(request,
                                         messages.ERROR,
                                         _("Only superusers are allowed to delete users with a global role. User was not removed."),

unittests/test_user_ui_timestamps.py

@@ -102,3 +102,32 @@ def test_user_list_page_renders(self):
         self.client.force_login(admin)
         resp = self.client.get(reverse("users"))
         self.assertEqual(resp.status_code, 200)
+
+    def test_profile_save_does_not_duplicate_global_role(self):
+        # Regression: /profile POST previously did
+        #   global_role = user.global_role if hasattr(user, "global_role") else None
+        # Under legacy authorization Global_Role.user uses related_name="+"
+        # so the hasattr always returned False, the form bound to a fresh
+        # Global_Role with no PK, and global_role.save() INSERTed a second
+        # row that violated the unique(user_id) constraint and 500'd. The
+        # forward-FK lookup must find the existing row and UPDATE it.
+        from dojo.authorization.models import Global_Role, Role
+
+        admin = Dojo_User.objects.get(username="admin")
+        # Seed an existing Global_Role row for this user (mirrors a Pro
+        # snapshot or a stale legacy backfill).
+        owner_role = Role.objects.filter(name="Owner").first()
+        Global_Role.objects.update_or_create(user=admin, defaults={"role": owner_role})
+
+        self.client.force_login(admin)
+        resp = self.client.post(reverse("view_profile"), data={
+            "username": admin.username,
+            "first_name": admin.first_name,
+            "last_name": admin.last_name,
+            "email": admin.email,
+            "role": owner_role.id if owner_role else "",
+        })
+        # Must not 500. Either the form bounces back (200) or saves (302).
+        self.assertIn(resp.status_code, (200, 302))
+        # And there must still be exactly one Global_Role row for admin.
+        self.assertEqual(Global_Role.objects.filter(user=admin).count(), 1)