refactor(reorg): extract every type of class into modules [10/10]#14987
Open
valentijnscholten wants to merge 40 commits into
Open
refactor(reorg): extract every type of class into modules [10/10]#14987valentijnscholten wants to merge 40 commits into
valentijnscholten wants to merge 40 commits into
Conversation
This was referenced Jun 9, 2026
Closed
Closed
valentijnscholten
changed the title
valentijnscholten
force-pushed
the
reorg/peripheral-misc
branch
from
14050e7 to
eed883a
Compare
valentijnscholten
force-pushed
the
reorg/peripheral-notes-files
branch
from
446a238 to
8639d9e
Compare
valentijnscholten
force-pushed
the
reorg/peripheral-misc
branch
from
7dea012 to
c6274ab
Compare
valentijnscholten
force-pushed
the
reorg/peripheral-notes-files
branch
from
8639d9e to
13ab179
Compare
valentijnscholten
changed the title
valentijnscholten
changed the base branch from
reorg/peripheral-notes-files
to
dev
valentijnscholten
force-pushed
the
reorg/peripheral-misc
branch
from
c6274ab to
59bbd3c
Compare
Member
Author
|
As all the classes/methods are still re-exported from their old locations, the dojo-pro codebase still builds and runs fine. |
|
This pull request introduces a high-severity security vulnerability by missing authorization checks in the
🟠 Missing Authorization Checks in
|
| Vulnerability | Missing Authorization Checks |
|---|---|
| Description | The announcement management view 'configure_announcement' lacks any authorization decorators or explicit permission checks. This allows any authenticated user to access, modify, or delete site-wide announcements, which should be restricted to administrative or staff users. |
django-DefectDojo/dojo/announcement/ui/views.py
Lines 7 to 14 in e0a0fef
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
valentijnscholten
force-pushed
the
reorg/peripheral-misc
branch
from
3c815e3 to
8189de8
Compare
…type/
Phase 1 of module reorg per AGENTS.md. Move Product_Type class + admin
registration into dojo/product_type/{models,admin}.py with backward-compat
re-export in dojo/models.py. No migration change (app_label unchanged).
…/ui/ [Phase 3,4] Phase 3+4 of module reorg per AGENTS.md. Move Product_TypeForm, Delete_Product_TypeForm, Add_Product_Type_AuthorizedUsersForm into ui/forms.py (re-export from dojo/forms.py) and ProductTypeFilter into ui/filters.py. The filter keeps its DojoFilter base; its only consumer is the product_type view, so no dojo/filters.py re-export is kept (matches the url module) — avoids the extracted-filter<->dojo.filters circular import.
…,8,9] Move 8 Test-domain serializers into api/serializer.py (TestSerializer re-exported from api_v2/serializers.py for ReportGenerateSerializer; rest omitted, sole consumers were the moved viewsets), ApiTestFilter/TestImportAPIFilter into api/filters.py, and TestsViewSet/TestTypesViewSet/TestImportViewSet into api/views.py. api/urls.py adds add_test_urls() preserving routes tests/test_types/test_imports + basenames test/test_type/test_imports. Viewset re-exports omitted (would cycle); dojo/urls.py + test_rest_framework updated. Finding* serializers left in place. Full rest_framework suite green (871 tests).
…to dojo/engagement/
Phase 1 of module reorg per AGENTS.md. Move Engagement, Engagement_Presets +
admin registrations into dojo/engagement/{models,admin}.py. Cross-module FKs use
string refs to avoid circular imports; ENGAGEMENT_STATUS_CHOICES single-sourced
with re-export. No migration change.
…py [Phase 2 pilot] Phase 2 of module reorg per AGENTS.md. Move the engagement copy workflow (copy + product grade recalc + notification) out of the copy_engagement view into an HTTP-free copy_engagement(engagement, user) service, so both UI and (future) API can reuse it. The inline notification carried a TODO asking for exactly this. View is thinned to call the service. Add a unit test for the service (the workflow was previously untested). Notification URL uses relative reverse() to match the codebase convention.
…/ [engagement Phase 3,4]
…gagement Phase 6,7,8,9]
…iguration into dojo/product/
Phase 1 of module reorg per AGENTS.md. Move Product, Product_Line,
Product_API_Scan_Configuration + admin registrations into dojo/product/{models,admin}.py.
Cross-module FKs use string refs to avoid circular imports. Product_Type re-export
now pure backward-compat (F401). No migration change.
…ding_Template into dojo/finding/
Phase 1 of module reorg per AGENTS.md. Move Finding (+ custom FindingAdmin),
Vulnerability_Id, Finding_Group, Finding_Template + admin registrations into
dojo/finding/{models,admin}.py. Cross-module FKs use string refs; date/util field
defaults imported from dojo.models to preserve migration serialization path; restore
load-bearing parse_cvss_data re-export for dojo.location side-effect registration.
No migration change.
…g/ [finding Phase 1,6,8,9]
…ettings/ [system_settings Phase 1,3,5,6,8,9]
…jo/<module>/ [Phase 1,3,5,6,8,9]
…oint Phase 1,3,4,5,6,7,8,9]
…ojo/<module>/ [Phase 1,3,4,5]
…s into dojo/<module>/ [Phase 1,3,5,6,8,9]
…eptance/ [risk_acceptance Phase 1,3,6,7,8,9]
…t_environment, object [Phase 1,3,4,5,6,8,9]
…olith line counts
External consumers (notably the dojo-pro plugin, a separate repo) still import several symbols from their pre-reorg locations. Add the missing backward-compat re-exports following the patterns already used on this branch: - dojo.forms: user forms (UserContactInfoForm, DojoUserForm, ...) + FindingForm - dojo.api_v2.serializers: TestType/TestCreate/EngagementCheckList serializers - dojo.api_v2.views: ViewSets moved into per-module api packages, exposed lazily via PEP 562 __getattr__ to avoid entry-order circular imports - dojo.filters: filters moved into per-module ui/api packages, exposed lazily via __getattr__ (they import dojo.filters base classes), plus BooleanFilter and Product_API_Scan_Configuration - dojo.auditlog: TAG_MODEL_MAPPING added to the lazy export table - dojo/<module>/views.py: pure re-export shims to dojo/<module>/ui/views.py (matching the existing dojo/api_v2/permissions.py / pghistory_* shims)
…module The reorg moved FindingCreateSerializer (and its dojo_dispatch_task call for the finding_added notification) from dojo/api_v2/serializers.py to dojo/finding/api/serializer.py. Three TestNotificationTriggersApi tests still patched dojo.api_v2.serializers.dojo_dispatch_task, which no longer has that attribute -> AttributeError at patch time. Point them at the module where the dispatch now resolves. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The DojoMetaViewSet extraction re-added an active @extend_schema_view(**schema_with_prefetch()) above the intentionally commented-out original. This re-enabled prefetch schema generation for the DojoMeta endpoint, which emits a $ref to a Location component that is not registered when V3_FEATURE_LOCATIONS=False, breaking the openapi-generator schema validation integration test (PaginatedMetaList.Location is not of type schema).
valentijnscholten
force-pushed
the
reorg/peripheral-misc
branch
from
8189de8 to
e0a0fef
Compare
Maffooch
approved these changes
Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacked PRs
This is one of a stacked series that reorganizes
dojo/into self-containeddojo/{module}/packages (matching thedojo/url/reference). They are stacked — each PR is based on the previous one — so review and merge bottom-up in this order:Merge #14970 first; each following branch is rebased onto the updated base and merged in turn. This PR is the top of the stack (on top of #14986) — full implementation brief is the Phase 10 section in
AGENTS.md.Summary
Reorganizes the
regulations,banner,announcement,development_environment, andobjectdomains into self-containeddojo/{module}/packages withui/(and, where an API exists,api/) sub-packages, matching thedojo/url/reference layout. Pure code-movement: no behaviour or migration changes; backward-compat re-exports keep external consumers working.regulations / development_environment / announcement (have API layers)
Regulation,Development_Environment,Announcement,UserAnnouncementinto their{models,admin}.py(string-ref FKs). TheANNOUNCEMENT_STYLE_CHOICESconstant moves intodojo/announcement/models.py(re-exported fromdojo.models).RegulationSerializer/DevelopmentEnvironmentSerializer/AnnouncementSerializerinto each module'sapi/serializer.py(re-exported fromapi_v2/serializers.pyfor prefetcher discovery), andRegulationsViewSet/DevelopmentEnvironmentViewSet/AnnouncementViewSetintoapi/views.pywithadd_*_urls, preserving routes/basenames.ui/forms.pyandviews.py/urls.pyintoui/;announcement/os_message.pyandsignals.pystay.banner / object (no API layer)
BannerConfandObjects_Review/Objects_Productinto their{models,admin}.py(string-ref FKs; thetagulous.admin.register(Objects_Product.tags)registration moves todojo/object/admin.py). MoveLoginBannerand the object settings forms into each module'sui/forms.py, andviews.py/urls.pyintoui/.