refactor: consolidate RBAC into dojo/authorization package#21
Closed
refactor: consolidate RBAC into dojo/authorization package#21
Conversation
Maffooch
changed the title
Move every RBAC / authorization concern into a single dojo/authorization/ package. Before this change authorization code lived in seven different places: dojo/models.py (RBAC models), 14 per-app queries.py files (get_authorized_*), every view file (@user_is_authorized decorators), dojo/api_v2/permissions.py, dojo/location/api/permissions.py, and dojo/templatetags/authorization_tags.py. Changes - Move 7 RBAC models (Role, Global_Role, Dojo_Group_Member, Product_Member, Product_Group, Product_Type_Member, Product_Type_Group) from dojo/models.py to dojo/authorization/models.py. app_label='dojo' is preserved so no migrations are needed; ~47 import sites are updated. - Merge dojo/api_v2/permissions.py and dojo/location/api/permissions.py into dojo/authorization/api_permissions.py. - Extract template-tag logic from dojo/templatetags/authorization_tags.py into dojo/authorization/template_filters.py; the templatetags module becomes a thin registration proxy. - Add dojo/authorization/query_filters.py (registry) and dojo/authorization/query_registrations.py (~1.9k lines of RBAC filter logic extracted from 14 per-app queries.py files). Each get_authorized_* becomes a thin wrapper that defers to the registry and falls back to unfiltered querysets when no RBAC backend is registered. - Add dojo/authorization/url_permissions.py mapping ~198 URL names to permission checks plus dojo/authorization/middleware.py with AuthorizationMiddleware enforcing them via process_view. Removes @user_is_authorized, @user_has_global_permission, and @user_is_configuration_authorized from 26 view files. - Update dojo/authorization/__init__.py exports and trigger query-filter registration at app startup. Behavior is unchanged: authorization checks for the ~198 mapped URLs now run in middleware (process_view) instead of view bodies, but produce the same allow/deny outcome. Non-RBAC deployments keep working because get_authorized_* falls back to unfiltered querysets. Tests: unittests/test_permissions_audit.py exercises the URL-permission map for completeness; existing API/UI suites pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Consolidate every RBAC / authorization concern into a single
dojo/authorization/package. Before this PR, authorization code lived in seven different places:dojo/models.py(RBAC models), 14 per-appqueries.pyfiles (get_authorized_*), every view file (@user_is_authorizeddecorators),dojo/api_v2/permissions.py,dojo/location/api/permissions.py, anddojo/templatetags/authorization_tags.py. After this PR, it all lives indojo/authorization/.Net diff: 85 files changed, +3015 / −2113.
What moves into
dojo/authorization/models.py— 7 RBAC models (Role,Global_Role,Dojo_Group_Member,Product_Member,Product_Group,Product_Type_Member,Product_Type_Group) extracted fromdojo/models.py.app_label='dojo'is preserved so no migrations are needed; ~47 import sites are updated.api_permissions.py—dojo/api_v2/permissions.pyanddojo/location/api/permissions.pymerged into one module; originals deleted; consumers and tests rewritten.template_filters.py— filter functions extracted fromdojo/templatetags/authorization_tags.py. The templatetags module becomes a thin registration proxy.query_filters.py+query_registrations.py— registry pattern (~1.9k lines of RBAC filter logic) extracted from 14 per-appqueries.pyfiles. Eachget_authorized_*becomes a thin wrapper that defers to the registry and falls back to unfiltered querysets when no RBAC backend is registered.url_permissions.py+middleware.py— map ~198 URL names to permission checks and enforce them viaAuthorizationMiddleware.process_view. Removes@user_is_authorized,@user_has_global_permission, and@user_is_configuration_authorizedfrom 26 view files.__init__.py— exports the public surface and triggers query-filter registration at app startup.Why
dojo.modelsfrom authorization — RBAC models live in their own module, removing circular-import pressure.get_authorized_*falls back to unfiltered querysets when no RBAC backend is registered, so non-RBAC deployments keep working.Behavioral changes
None intended. Authorization checks for the ~198 mapped URLs now run in middleware (
process_view) instead of inside view bodies, but produce the same allow/deny outcome.Test results
unittests/test_permissions_audit.pyexercises the URL-permission map for completeness.Documentation
No external documentation impact — this is a structural / internal change.
Checklist
dev.dev.app_label='dojo').maintenance.