fix(authorization): restore is_staff bypass for View

The legacy rewrite had `is_staff and action != Action.View` guards on
Product_Type and Product, denying staff users View unless they were
in authorized_users. That diverged from the actual pre-2020 model:
dojo/user/helper.py at commit e7805aa~ shows is_staff was an
absolute bypass for every perm_type (view, change, delete, staff).

A pre-2020 customer's staff users could see every product. Without
this fix they would suddenly see nothing on /product after the upgrade
— a behavior regression, not a faithful re-creation.

Drop the carve-out in both the per-object check and the queryset
filter. Document the historical reference in the docstring.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: devGregA

dojo/authorization/authorization.py

@@ -87,9 +87,13 @@ def user_has_permission(user: Dojo_User, obj: Model, permission) -> bool:
       3. action → mapped from Permissions / string / Action via permission_to_action
       4. SuperuserOnly action → deny (already handled superuser above)
       5. StaffOnly / Delete → require is_staff
-      6. View / Edit / Add / Import → user.is_staff for non-View, or membership
-         in the obj.authorized_users chain (climbing Product_Type ←
-         Product ← Engagement ← Test ← Finding when needed).
+      6. View / Edit / Add / Import → is_staff bypasses unconditionally,
+         otherwise check membership in the obj.authorized_users chain
+         (climbing Product_Type ← Product ← Engagement ← Test ← Finding).
+         This matches the pre-Auth-V2 (pre-2020) behavior where is_staff
+         was an absolute bypass on every perm_type — see
+         dojo/user/helper.py at commit e7805aa14~ for the historical
+         reference.
 
     The Member / Group / Cred_Mapping / etc. carrier objects don't expose
     authorized_users themselves; they delegate to their wrapped product
@@ -125,12 +129,12 @@ def _user_authorized_for(user: Dojo_User, obj: Model, action: Action) -> bool:
         return False
 
     if isinstance(obj, Product_Type):
-        if user.is_staff and action != Action.View:
+        if user.is_staff:
             return True
         return obj.authorized_users.filter(pk=user.pk).exists()
 
     if isinstance(obj, Product):
-        if user.is_staff and action != Action.View:
+        if user.is_staff:
             return True
         if obj.authorized_users.filter(pk=user.pk).exists():
             return True

dojo/authorization/query_registrations.py

@@ -29,7 +29,7 @@
     Product_Type_Member,
 )
 from dojo.authorization.query_filters import register_auth_filter
-from dojo.authorization.roles_permissions import Action, permission_to_action
+from dojo.authorization.roles_permissions import permission_to_action
 from dojo.location.models import Location, LocationFindingReference, LocationProductReference
 from dojo.models import (
     App_Analysis,
@@ -65,13 +65,16 @@ def _resolve_user(user):
 def _is_unrestricted(user, action):
     """
     Returns True if the user can see every object regardless of membership.
-    Superuser always; staff for non-View actions (legacy semantics).
+    Superuser and staff both bypass — matches pre-2020 behavior where
+    is_staff was an absolute bypass for every perm_type. The ``action``
+    arg is retained for callers that may want to gate StaffOnly /
+    SuperuserOnly differently in the future.
     """
     if not user or getattr(user, "is_anonymous", False):
         return False
     if user.is_superuser:
         return True
-    return bool(user.is_staff and action != Action.View)
+    return bool(user.is_staff)
 
 
 def _authorized_product_ids(user):