fix: form validation on permission protected fields

component_catalog/tests/test_views.py

@@ -3566,15 +3566,16 @@ def test_component_catalog_package_form_add(self):
             "usage_policy": policy_approved.pk,
         }
         form = PackageForm(user=self.super_user, data=data)
-        self.assertEqual(0, len(form.fields["usage_policy"].queryset))
+        self.assertNotIn("usage_policy", form.fields)
         self.assertTrue(form.is_valid())
         package = form.save()
         self.assertIsNone(package.usage_policy)
 
         data["filename"] = "with policy"
         self.super_user = add_perm(self.super_user, "change_usage_policy_on_package")
         form = PackageForm(user=self.super_user, data=data)
-        self.assertEqual(1, len(form.fields["usage_policy"].queryset))
+        self.assertIn("usage_policy", form.fields)
+        self.assertQuerySetEqual([policy_approved], form.fields["usage_policy"].queryset)
         self.assertTrue(form.is_valid())
         package = form.save()
         self.assertEqual(policy_approved, package.usage_policy)
@@ -4386,15 +4387,16 @@ def test_component_catalog_component_form_add(self):
             "usage_policy": policy_approved.pk,
         }
         form = ComponentForm(user=self.user, data=data)
-        self.assertEqual(0, len(form.fields["usage_policy"].queryset))
+        self.assertNotIn("usage_policy", form.fields)
         self.assertTrue(form.is_valid())
         component = form.save()
         self.assertIsNone(component.usage_policy)
 
         data["version"] = "with policy"
         self.user = add_perm(self.user, "change_usage_policy_on_component")
         form = ComponentForm(user=self.user, data=data)
-        self.assertEqual(1, len(form.fields["usage_policy"].queryset))
+        self.assertIn("usage_policy", form.fields)
+        self.assertQuerySetEqual([policy_approved], form.fields["usage_policy"].queryset)
         self.assertTrue(form.is_valid())
         component = form.save()
         self.assertEqual(policy_approved, component.usage_policy)
@@ -4413,6 +4415,7 @@ def test_component_catalog_component_form_add(self):
             "homepage_url": "https://nexb.com",
             "configuration_status": status.pk,
             "release_date": "2019-03-01",
+            "usage_policy": policy_approved.pk,
             "submit": "Add Component",
         }
         form = ComponentForm(user=self.user, data=data)
@@ -4422,6 +4425,7 @@ def test_component_catalog_component_form_add(self):
         self.assertEqual(status, component.configuration_status)
         self.assertEqual(license1.key, component.license_expression)
         self.assertEqual(["Key1", "Another keyword"], component.keywords)
+        self.assertEqual(policy_approved, component.usage_policy)
 
     def test_component_catalog_component_form_assigned_packages(self):
         data = {

dje/forms.py

@@ -109,18 +109,23 @@ class ScopeAndProtectRelationships:
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        protected_fields = get_protected_fields(self._meta.model, self.user)
-        self.protected_fields = protected_fields
+        self.protected_fields = get_protected_fields(self._meta.model, self.user)
+
+        # On submit, remove protected fields so they are not validated or saved.
+        # On display, render them as disabled with an empty queryset.
+        for name in self.protected_fields:
+            if self.is_bound:
+                self.fields.pop(name, None)
+            elif field := self.fields.get(name):
+                field.disabled = True
+                if hasattr(field, "queryset"):
+                    field.queryset = field.queryset.none()
 
+        # Scope relational fields to the user's Dataspace
         for name, field in self.fields.items():
             has_queryset = hasattr(field, "queryset")
 
-            if name in protected_fields:
-                field.disabled = True
-                if has_queryset:
-                    field.queryset = field.queryset.none()
-
-            elif has_queryset and is_dataspace_related(field.queryset.model):
+            if has_queryset and is_dataspace_related(field.queryset.model):
                 field.queryset = field.queryset.scope(self.user.dataspace)
 
                 related_model = field.queryset.model

product_portfolio/templates/product_portfolio/tables/product_list_table.html

@@ -71,7 +71,7 @@
         </tr>
       {% endfor %}
     {% empty %}
-      <tr><td colspan="8">No results.</td></tr>
+      <tr><td colspan="9">No results.</td></tr>
     {% endfor %}
   </tbody>
 </table>

product_portfolio/tests/test_views.py

@@ -2680,6 +2680,45 @@ def test_product_portfolio_product_manage_packages_grid_view_permissions(self):
         response = self.client.get(manage_url)
         self.assertEqual(200, response.status_code)
 
+    def test_product_portfolio_product_manage_packages_grid_fields_permissions(self):
+        add_perms(self.basic_user, ["change_productpackage"])
+        assign_perm("view_product", self.basic_user, self.product1)
+        assign_perm("change_product", self.basic_user, self.product1)
+        self.client.login(username=self.basic_user.username, password="secret")
+
+        make_product_package(self.product1)
+        manage_url = self.product1.get_manage_packages_url()
+        response = self.client.get(manage_url)
+
+        self.assertEqual(200, response.status_code)
+        expected = (
+            '<select name="form-0-review_status" class="select form-select" disabled'
+            ' aria-describedby="id_form-0-review_status_helptext" id="id_form-0-review_status">'
+            ' <option value="" selected>---------</option>'
+            "</select>"
+        )
+        self.assertContains(response, expected, html=True)
+        form = response.context["formset"].forms[0]
+        self.assertIn("review_status", form.fields)
+        self.assertTrue(form.fields["review_status"].disabled)
+
+        data = {
+            "form-TOTAL_FORMS": 1,
+            "form-INITIAL_FORMS": 0,
+            "form-MIN_NUM_FORMS": 0,
+            "form-MAX_NUM_FORMS": 1000,
+            "form-0-product": self.product1.pk,
+            "form-0-package": self.package1.pk,
+            "form-0-object_display": str(self.package1),
+            "form-0-review_status": "PROTECTED FIELD",
+            "form-0-notes": "Some notes",
+        }
+        response = self.client.post(manage_url, data, follow=True)
+        self.assertContains(response, "Product changes saved.")
+        self.assertRedirects(response, manage_url)
+        pp2 = ProductPackage.objects.get(product=self.product1, package=self.package1.pk)
+        self.assertIsNone(pp2.review_status)
+
     def test_product_portfolio_product_manage_packages_grid_view_delete(self):
         self.client.login(username=self.basic_user.username, password="secret")