remove orphaned AssetMember V3 API ViewSet, serializer, filter, and permission

The asset_members route was never registered with v2_api (the
add_asset_urls() comment confirms it was punted to pro/product_members
instead). The AssetMemberViewSet, AssetMemberSerializer,
AssetMemberFilterSet, and UserHasAssetMemberPermission classes have lived
on as dead code that touches the Product_Member RBAC model. Drop them.

Author: devGregA

dojo/asset/api/filters.py

@@ -5,7 +5,6 @@
 
 from dojo.authorization.models import (
     Product_Group,
-    Product_Member,
 )
 from dojo.filters import (
     CharFieldFilterANDExpression,
@@ -108,14 +107,6 @@ class ApiAssetFilter(DojoFilter):
     )
 
 
-class AssetMemberFilterSet(FilterSet):
-    asset_id = NumberFilter(field_name="product_id")
-
-    class Meta:
-        model = Product_Member
-        fields = ("id", "user_id")
-
-
 class AssetGroupFilterSet(FilterSet):
     asset_id = NumberFilter(field_name="product_id")
 

dojo/asset/api/serializers.py

@@ -5,7 +5,6 @@
 from dojo.authorization.authorization import user_has_permission
 from dojo.authorization.models import (
     Product_Group,
-    Product_Member,
 )
 from dojo.models import (
     Dojo_User,
@@ -81,49 +80,6 @@ def get_findings_list(self, obj) -> list[int]:
         return obj.open_findings_list()
 
 
-class AssetMemberSerializer(serializers.ModelSerializer):
-    asset = RelatedAssetField(source="product")
-
-    class Meta:
-        model = Product_Member
-        exclude = ("product",)
-
-    def validate(self, data):
-        if (
-            self.instance is not None
-            and data.get("asset") != self.instance.product
-            and not user_has_permission(
-                self.context["request"].user,
-                data.get("asset"),
-                "staff_only",
-            )
-        ):
-            msg = "You are not permitted to add a member to this Asset"
-            raise PermissionDenied(msg)
-
-        if (
-            self.instance is None
-            or data.get("asset") != self.instance.product
-            or data.get("user") != self.instance.user
-        ):
-            members = Product_Member.objects.filter(
-                product=data.get("asset"), user=data.get("user"),
-            )
-            if members.count() > 0:
-                msg = "Asset Member already exists"
-                raise ValidationError(msg)
-
-        if data.get("role").is_owner and not user_has_permission(
-            self.context["request"].user,
-            data.get("asset"),
-            "staff_only",
-        ):
-            msg = "You are not permitted to add a member as Owner to this Asset"
-            raise PermissionDenied(msg)
-
-        return data
-
-
 class AssetGroupSerializer(serializers.ModelSerializer):
     asset = RelatedAssetField(source="product")
 

dojo/asset/api/views.py

@@ -14,12 +14,10 @@
     ApiAssetFilter,
     AssetAPIScanConfigurationFilterSet,
     AssetGroupFilterSet,
-    AssetMemberFilterSet,
 )
 from dojo.authorization import api_permissions as permissions
 from dojo.authorization.models import (
     Product_Group,
-    Product_Member,
 )
 from dojo.models import (
     Product,
@@ -28,7 +26,6 @@
 from dojo.product.queries import (
     get_authorized_product_api_scan_configurations,
     get_authorized_product_groups,
-    get_authorized_product_members,
     get_authorized_products,
 )
 from dojo.utils import async_delete, get_setting
@@ -129,34 +126,6 @@ def generate_report(self, request, pk=None):
         return Response(report.data)
 
 
-# Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
-class AssetMemberViewSet(
-    PrefetchDojoModelViewSet,
-):
-    serializer_class = serializers.AssetMemberSerializer
-    queryset = Product_Member.objects.none()
-    filter_backends = (DjangoFilterBackend,)
-    filterset_class = AssetMemberFilterSet
-    permission_classes = (
-        IsAuthenticated,
-        permissions.UserHasAssetMemberPermission,
-    )
-
-    def get_queryset(self):
-        return get_authorized_product_members(
-            "view",
-        ).distinct()
-
-    @extend_schema(
-        exclude=True,
-    )
-    def partial_update(self, request, pk=None):
-        # Object authorization won't work if not all data is provided
-        response = {"message": "Patch function is not offered in this path."}
-        return Response(response, status=status.HTTP_405_METHOD_NOT_ALLOWED)
-
-
 # Authorization: object-based
 @extend_schema_view(**schema_with_prefetch())
 class AssetGroupViewSet(

dojo/authorization/api_permissions.py

@@ -535,22 +535,6 @@ def has_object_permission(self, request, view, obj):
         )
 
 
-class UserHasAssetMemberPermission(permissions.BasePermission):
-    def has_permission(self, request, view):
-        return check_post_permission(
-            request, Product, "asset", "staff_only",
-        )
-
-    def has_object_permission(self, request, view, obj):
-        return check_object_permission(
-            request,
-            obj,
-            "view",
-            "staff_only",
-            "delete",
-        )
-
-
 class UserHasAssetGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(