From 896a9d08bb7f13ed1a8db539733b7a17a6e9aead Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 9 Feb 2026 11:15:43 -0700
Subject: [PATCH 1/2] Add configuration permission check for authorized groups retrieval
---
 dojo/group/queries.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/dojo/group/queries.py b/dojo/group/queries.py
index deee04a346a..6b778364df9 100644
--- a/dojo/group/queries.py
+++ b/dojo/group/queries.py
@@ -1,7 +1,7 @@
 from crum import get_current_user
 from django.db.models import Subquery
-from dojo.authorization.authorization import get_roles_for_permission
+from dojo.authorization.authorization import get_roles_for_permission, user_has_configuration_permission
 from dojo.authorization.roles_permissions import Permissions
 from dojo.models import Dojo_Group, Dojo_Group_Member, Product_Group, Product_Type_Group, Role
 from dojo.request_cache import cache_for_request
@@ -18,6 +18,10 @@ def get_authorized_groups(permission):
 if user.is_superuser:
 return Dojo_Group.objects.all().order_by("name")
+ # Check for the case of the view_group config permission
+ if user_has_configuration_permission(user, "auth.view_group"):
+ return Dojo_Group.objects.all().order_by("name")
+
 roles = get_roles_for_permission(permission)
 # Get authorized group IDs via subquery
From 29d456ea79452952d5caef23e17fe5cbc6f5b847 Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 9 Feb 2026 11:56:10 -0700
Subject: [PATCH 2/2] Add case where user has add_group, but not view_group
---
 dojo/group/queries.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/group/queries.py b/dojo/group/queries.py
index 6b778364df9..11a6718bf62 100644
--- a/dojo/group/queries.py
+++ b/dojo/group/queries.py
@@ -19,7 +19,7 @@ def get_authorized_groups(permission):
 return Dojo_Group.objects.all().order_by("name")
 # Check for the case of the view_group config permission
- if user_has_configuration_permission(user, "auth.view_group"):
+ if user_has_configuration_permission(user, "auth.view_group") or user_has_configuration_permission(user, "auth.add_group"):
 return Dojo_Group.objects.all().order_by("name")
 roles = get_roles_for_permission(permission)
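Review bot: The short-circuit in `get_authorized_groups` (added in the second hunk of patch 1/2 and widened here) returns every group without consulting the `permission` argument. A user holding only `auth.view_group` or `auth.add_group` therefore gets the full queryset even when the caller asked for an edit- or delete-level permission. The callers are outside this patch, so it cannot be confirmed here whether that queryset gates write operations. Restricting the branch to the view case would remove the doubt, e.g. `if permission == Permissions.Group_View and (user_has_configuration_permission(user, "auth.view_group") or user_has_configuration_permission(user, "auth.add_group")):`. The comment above the condition still names only `view_group`; it should say why `add_group` also exposes all groups, for example `# Global view_group or add_group configuration permission: the user may list every group`. The function body starts and ends outside the hunk.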