feat(authorization): add Authorized Users UI for legacy access management

Replaces the inert Members/Groups panels (which silently failed under legacy
authorization — they wrote to Product_Member rows that legacy auth ignores)
with a working Authorized Users panel that reads/writes the actual M2M
that legacy authorization checks: Product.authorized_users and
Product_Type.authorized_users.

Both classic-Django UI trees (Tailwind and Classic Bootstrap) get the new
panel and lose the dead Members/Groups blocks. The OS templates leave
empty {% block rbac_members_panel %} / {% block rbac_groups_panel %} hooks
for Pro to override (Pro renders RBAC panels via its own template
overrides). Same treatment for the left-nav Groups link, which wraps the
removed link in a {% block groups_submenu_link %} hook.

Endpoints (gated on Permissions.{Product,Product_Type}_Manage_Members
which maps to Action.StaffOnly under legacy):
* /product/<pid>/authorized_users/add
* /product/<pid>/authorized_users/<user_id>/delete
* /product/type/<ptid>/authorized_users/add
* /product/type/<ptid>/authorized_users/<user_id>/delete

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: devGregA

dojo/asset/urls.py

@@ -263,6 +263,12 @@
                 name="edit_product_member"),
         re_path(r"^product/member/(?P<memberid>\d+)/delete$", views.delete_product_member,
                 name="delete_product_member"),
+        re_path(r"^product/(?P<pid>\d+)/authorized_users/add$",
+                views.add_product_authorized_users,
+                name="add_product_authorized_users"),
+        re_path(r"^product/(?P<pid>\d+)/authorized_users/(?P<user_id>\d+)/delete$",
+                views.delete_product_authorized_user,
+                name="delete_product_authorized_user"),
         re_path(r"^product/(?P<pid>\d+)/add_api_scan_configuration$", views.add_api_scan_configuration,
                 name="add_api_scan_configuration"),
         re_path(r"^product/(?P<pid>\d+)/view_api_scan_configurations$", views.view_api_scan_configurations,

dojo/forms.py

@@ -306,6 +306,23 @@ class Meta:
         fields = ["product_type", "users", "role"]
 
 
+class Add_Product_Type_AuthorizedUsersForm(forms.Form):
+    users = forms.ModelMultipleChoiceField(
+        queryset=Dojo_User.objects.none(), required=True, label="Users",
+    )
+
+    def __init__(self, *args, product_type=None, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.product_type = product_type
+        current = product_type.authorized_users.values_list("pk", flat=True)
+        self.fields["users"].queryset = (
+            Dojo_User.objects.filter(is_active=True)
+            .exclude(is_superuser=True)
+            .exclude(pk__in=current)
+            .order_by("first_name", "last_name")
+        )
+
+
 class Add_Product_Type_Member_UserForm(forms.ModelForm):
     product_types = forms.ModelMultipleChoiceField(queryset=Product_Type.objects.none(), required=True,
                                                    label=labels.ORG_PLURAL_LABEL)
@@ -476,6 +493,23 @@ class Meta:
         fields = ["product", "users", "role"]
 
 
+class Add_Product_AuthorizedUsersForm(forms.Form):
+    users = forms.ModelMultipleChoiceField(
+        queryset=Dojo_User.objects.none(), required=True, label="Users",
+    )
+
+    def __init__(self, *args, product=None, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.product = product
+        current = product.authorized_users.values_list("pk", flat=True)
+        self.fields["users"].queryset = (
+            Dojo_User.objects.filter(is_active=True)
+            .exclude(is_superuser=True)
+            .exclude(pk__in=current)
+            .order_by("first_name", "last_name")
+        )
+
+
 class Add_Product_Member_UserForm(forms.ModelForm):
     products = forms.ModelMultipleChoiceField(queryset=Product.objects.none(), required=True,
                                               label=labels.ASSET_PLURAL_LABEL)

dojo/organization/urls.py

@@ -103,6 +103,12 @@
                 name="edit_product_type_member"),
         re_path(r"^product/type/member/(?P<memberid>\d+)/delete$", views.delete_product_type_member,
                 name="delete_product_type_member"),
+        re_path(r"^product/type/(?P<ptid>\d+)/authorized_users/add$",
+                views.add_product_type_authorized_users,
+                name="add_product_type_authorized_users"),
+        re_path(r"^product/type/(?P<ptid>\d+)/authorized_users/(?P<user_id>\d+)/delete$",
+                views.delete_product_type_authorized_user,
+                name="delete_product_type_authorized_user"),
         re_path(r"^product/type/(?P<ptid>\d+)/add_group$", views.add_product_type_group,
                 name="add_product_type_group"),
         re_path(r"^product/type/group/(?P<groupid>\d+)/edit$", views.edit_product_type_group,

dojo/product/views.py

@@ -31,6 +31,7 @@
     Product_Group,
     Product_Member,
 )
+from dojo.authorization.roles_permissions import Permissions
 from dojo.components.sql_group_concat import Sql_GroupConcat
 from dojo.filters import (
     EngagementFilter,
@@ -46,6 +47,7 @@
     ProductFilterWithoutObjectLookups,
 )
 from dojo.forms import (
+    Add_Product_AuthorizedUsersForm,
     Add_Product_GroupForm,
     Add_Product_MemberForm,
     AdHocFindingForm,
@@ -78,6 +80,7 @@
     Benchmark_Product_Summary,
     Benchmark_Type,
     BurpRawRequestResponse,
+    Dojo_User,
     DojoMeta,
     Endpoint,
     Endpoint_Status,
@@ -252,6 +255,9 @@ def view_product(request, pid):
                                       .prefetch_related("members") \
                                       .prefetch_related("prod_type__members")
     prod = get_object_or_404(prod_query, id=pid)
+    authorized_users = prod.authorized_users.order_by("first_name", "last_name", "username")
+    # kept for Pro template override `{% block rbac_members_panel %}` /
+    # `{% block rbac_groups_panel %}` at pro/templates/dojo/view_product_details.html
     product_members = get_authorized_members_for_product(prod, "view")
     global_product_members = get_authorized_global_members_for_product(prod, "view")
     product_type_members = get_authorized_members_for_product_type(prod.prod_type, "view")
@@ -333,6 +339,7 @@ def view_product(request, pid):
         "benchmarks_percents": benchAndPercent,
         "benchmarks": benchmarks,
         "benchmark_type": product_tab.benchmark_type,
+        "authorized_users": authorized_users,
         "product_members": product_members,
         "global_product_members": global_product_members,
         "product_type_members": product_type_members,
@@ -1778,6 +1785,46 @@ def delete_product_member(request, memberid):
     })
 
 
+def add_product_authorized_users(request, pid):
+    product = get_object_or_404(Product, pk=pid)
+    user_has_permission_or_403(request.user, product, Permissions.Product_Manage_Members)
+    page_name = _("Add Authorized Users")
+    form = Add_Product_AuthorizedUsersForm(product=product)
+    if request.method == "POST":
+        form = Add_Product_AuthorizedUsersForm(request.POST, product=product)
+        if form.is_valid():
+            users = form.cleaned_data["users"]
+            product.authorized_users.add(*users)
+            messages.add_message(
+                request, messages.SUCCESS,
+                _("Added %(count)d user(s) to authorized users.") % {"count": len(users)},
+                extra_tags="alert-success",
+            )
+            return HttpResponseRedirect(reverse("view_product", args=(pid,)))
+    product_tab = Product_Tab(product, title=page_name, tab="settings")
+    return render(request, "dojo/new_product_authorized_users.html", {
+        "name": page_name,
+        "product": product,
+        "form": form,
+        "product_tab": product_tab,
+    })
+
+
+def delete_product_authorized_user(request, pid, user_id):
+    product = get_object_or_404(Product, pk=pid)
+    user_has_permission_or_403(request.user, product, Permissions.Product_Manage_Members)
+    if request.method != "POST":
+        raise PermissionDenied
+    user = get_object_or_404(Dojo_User, pk=user_id)
+    product.authorized_users.remove(user)
+    messages.add_message(
+        request, messages.SUCCESS,
+        _("Removed %(username)s from authorized users.") % {"username": user.username},
+        extra_tags="alert-success",
+    )
+    return HttpResponseRedirect(reverse("view_product", args=(pid,)))
+
+
 def add_api_scan_configuration(request, pid):
     product = get_object_or_404(Product, id=pid)
     if request.method == "POST":

dojo/product_type/views.py

@@ -3,6 +3,7 @@
 
 from django.contrib import messages
 from django.contrib.admin.utils import NestedObjects
+from django.core.exceptions import PermissionDenied
 from django.db import DEFAULT_DB_ALIAS
 from django.db.models import OuterRef, Value
 from django.db.models.functions import Coalesce
@@ -12,10 +13,12 @@
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
-from dojo.authorization.authorization import user_has_permission
+from dojo.authorization.authorization import user_has_permission, user_has_permission_or_403
 from dojo.authorization.models import Product_Type_Group, Product_Type_Member, Role
+from dojo.authorization.roles_permissions import Permissions
 from dojo.filters import ProductFilter, ProductFilterWithoutObjectLookups, ProductTypeFilter
 from dojo.forms import (
+    Add_Product_Type_AuthorizedUsersForm,
     Add_Product_Type_GroupForm,
     Add_Product_Type_MemberForm,
     Delete_Product_Type_GroupForm,
@@ -26,7 +29,7 @@
     Product_TypeForm,
 )
 from dojo.labels import get_labels
-from dojo.models import Finding, Product, Product_Type
+from dojo.models import Dojo_User, Finding, Product, Product_Type
 from dojo.product.queries import get_authorized_products
 from dojo.product_type.queries import (
     get_authorized_global_groups_for_product_type,
@@ -125,6 +128,9 @@ def add_product_type(request):
 def view_product_type(request, ptid):
     page_name = str(labels.ORG_READ_LABEL)
     pt = get_object_or_404(Product_Type, pk=ptid)
+    authorized_users = pt.authorized_users.order_by("first_name", "last_name", "username")
+    # kept for Pro template override `{% block rbac_members_panel %}` /
+    # `{% block rbac_groups_panel %}` at pro/templates/dojo/view_product_type.html
     members = get_authorized_members_for_product_type(pt, "view")
     global_members = get_authorized_global_members_for_product_type(pt, "view")
     groups = get_authorized_groups_for_product_type(pt, "view")
@@ -141,6 +147,7 @@ def view_product_type(request, ptid):
         "pt": pt,
         "products": products,
         "prod_filter": prod_filter,
+        "authorized_users": authorized_users,
         "groups": groups,
         "members": members,
         "global_groups": global_groups,
@@ -319,6 +326,45 @@ def delete_product_type_member(request, memberid):
     })
 
 
+def add_product_type_authorized_users(request, ptid):
+    pt = get_object_or_404(Product_Type, pk=ptid)
+    user_has_permission_or_403(request.user, pt, Permissions.Product_Type_Manage_Members)
+    page_name = _("Add Authorized Users")
+    form = Add_Product_Type_AuthorizedUsersForm(product_type=pt)
+    if request.method == "POST":
+        form = Add_Product_Type_AuthorizedUsersForm(request.POST, product_type=pt)
+        if form.is_valid():
+            users = form.cleaned_data["users"]
+            pt.authorized_users.add(*users)
+            messages.add_message(
+                request, messages.SUCCESS,
+                _("Added %(count)d user(s) to authorized users.") % {"count": len(users)},
+                extra_tags="alert-success",
+            )
+            return HttpResponseRedirect(reverse("view_product_type", args=(ptid,)))
+    add_breadcrumb(title=page_name, top_level=False, request=request)
+    return render(request, "dojo/new_product_type_authorized_users.html", {
+        "name": page_name,
+        "pt": pt,
+        "form": form,
+    })
+
+
+def delete_product_type_authorized_user(request, ptid, user_id):
+    pt = get_object_or_404(Product_Type, pk=ptid)
+    user_has_permission_or_403(request.user, pt, Permissions.Product_Type_Manage_Members)
+    if request.method != "POST":
+        raise PermissionDenied
+    user = get_object_or_404(Dojo_User, pk=user_id)
+    pt.authorized_users.remove(user)
+    messages.add_message(
+        request, messages.SUCCESS,
+        _("Removed %(username)s from authorized users.") % {"username": user.username},
+        extra_tags="alert-success",
+    )
+    return HttpResponseRedirect(reverse("view_product_type", args=(ptid,)))
+
+
 def add_product_type_group(request, ptid):
     page_name = str(labels.ORG_GROUPS_ADD_LABEL)
     pt = get_object_or_404(Product_Type, pk=ptid)

dojo/templates/base.html

@@ -290,7 +290,7 @@
                     </div>
 
                     <!-- Users -->
-                    {% if "auth.view_user"|has_configuration_permission:request or "auth.view_group"|has_configuration_permission:request %}
+                    {% if "auth.view_user"|has_configuration_permission:request %}
                     <div x-data="{ open: false }">
                         <a href="{% url 'users' %}" @click.prevent="open = !open"
                            class="flex items-center gap-3 px-4 py-2 text-gray-300 hover:text-white hover:bg-white/10 transition-colors cursor-pointer">
@@ -302,9 +302,8 @@
                             {% if "auth.view_user"|has_configuration_permission:request %}
                                 <a href="{% url 'users' %}" class="block py-1.5 pl-12 pr-4 text-sm text-gray-400 hover:text-white hover:bg-white/10">{% trans "Users" %}</a>
                             {% endif %}
-                            {% if "auth.view_group"|has_configuration_permission:request %}
-                                <a href="{% url 'groups' %}" class="block py-1.5 pl-12 pr-4 text-sm text-gray-400 hover:text-white hover:bg-white/10">{% trans "Groups" %}</a>
-                            {% endif %}
+                            {# Pro restores the Groups link by overriding this block. #}
+                            {% block groups_submenu_link %}{% endblock %}
                         </div>
                     </div>
                     {% endif %}

dojo/templates/dojo/new_product_authorized_users.html

@@ -0,0 +1,14 @@
+{% extends "base.html" %}
+{% load i18n %}
+{% block content %}
+    {{ block.super }}
+    <h3>{{ name }}</h3>
+    <form class="" action="{% url 'add_product_authorized_users' product.id %}" method="post">{% csrf_token %}
+        {% include "dojo/form_fields.html" with form=form %}
+        <div class="form-group">
+            <div class="col-sm-offset-2 col-sm-10">
+                <input class="btn btn-primary" type="submit" value="{% trans "Submit" %}"/>
+            </div>
+        </div>
+    </form>
+{% endblock %}

dojo/templates/dojo/new_product_type_authorized_users.html

@@ -0,0 +1,14 @@
+{% extends "base.html" %}
+{% load i18n %}
+{% block content %}
+    {{ block.super }}
+    <h3>{{ name }}</h3>
+    <form class="" action="{% url 'add_product_type_authorized_users' pt.id %}" method="post">{% csrf_token %}
+        {% include "dojo/form_fields.html" with form=form %}
+        <div class="form-group">
+            <div class="col-sm-offset-2 col-sm-10">
+                <input class="btn btn-primary" type="submit" value="{% trans "Submit" %}"/>
+            </div>
+        </div>
+    </form>
+{% endblock %}