feat(members): List global role members in Prod and ProdType

[kiblik]

Until now, UI listed only regular members of Prod or ProdType. From now on, owners of Prods are transparently informed that also Global_Role members also have access to their data.

In ProdType:

In Prod:

[dryrunsecurity]

DryRun Security Summary

The pull request introduces global roles and permissions, enhances authorization and permissions logic, and updates the product and product type views to display global members, groups, and benchmark progress, with the goal of improving the authorization and permissions management system for product types, products, and their associated members and groups.

Expand for full summary

Summary:

The code changes in this pull request are focused on improving the authorization and permissions management system for product types, products, and their associated members and groups. The key changes include:

1. Introduction of Global Roles and Permissions: The code introduces the concept of global roles and permissions, which can grant users or groups broader access and permissions across multiple product types. This is a significant change that requires careful review and implementation to ensure proper access control and prevent potential privilege escalation vulnerabilities.

2. Enhanced Authorization and Permissions Logic: New query functions have been added to handle the retrieval of authorized global members and groups for product types and products. The code also includes comprehensive checks for superuser and global permissions to ensure that users can only access and modify data they are authorized to.

3. Updates to the Product and Product Type Views: The changes include updates to the product and product type detail pages, allowing the display of global members and groups, as well as the progress of any associated benchmarks. These changes impact the user interface and user experience, and should be reviewed to ensure that sensitive information is not inadvertently exposed.

Files Changed:

• dojo/product_type/views.py: The changes introduce new functions to retrieve authorized global groups and members for product types, and update the view_product_type function to include this information.
• dojo/product/views.py: The changes add functionality to manage global product members and groups, and retrieve and display this information in the view_product function and template.
• dojo/product_type/queries.py: The changes introduce the Global_Role model and new query functions to handle the authorization and permissions for product types, including global members and groups.
• dojo/product/queries.py: The changes add new functions to retrieve authorized global members and groups for products, indicating the introduction of global roles and permissions.
• dojo/templates/dojo/view_product_details.html: The changes update the product details page to display global product members and groups, and add a new section for benchmark progress.
• dojo/templates/dojo/view_product_type.html: The changes update the product type view to display global members and groups, and include dropdown menus for performing actions based on the user's permissions.

Overall, these changes are focused on improving the authorization and permissions management system, which is a crucial aspect of application security. It's important to thoroughly review the implementation and test the changes to ensure that there are no unintended security implications, such as potential privilege escalation or unauthorized access vulnerabilities.

Code Analysis

We ran 9 analyzers against 6 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	14 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[mtesauro]

Approved

[cneill]

It looks like this includes users who have the global role "None" that do not actually have access to a Product?

Also, shouldn't we return something like an empty list here instead of None? I believe this conditional in the template:

{% if product_groups or product_type_groups or global_product_groups %}

Could result in a "NoneType object is not iterable" error when trying to loop over it here if global_product_groups is None but one of the other 2 values is non-None:

{% for type_group in global_product_groups %}

[kiblik]

I forgot about these cases. Thank you.
I thought that the unsettling Global role, record was removed.

I would prefer ...objects.none() instead. To keep the same data-type as the return type.
In ifs it is evaluated as False and there is no problem with iterations:

>>> bool(Product_Type_Member.objects.none())
False
>>> for i in Product_Type_Member.objects.none():
...     print(i)
...
>>>