pghistory: add finding.reviewers to tracked models

Author: valentijnscholten

dojo/auditlog.py

@@ -220,26 +220,6 @@ def register_django_pghistory_models():
         },
     )(Finding)
 
-    # # Track the reviewers ManyToMany relationship through table
-    # # This tracks additions/removals of reviewers from findings
-    # reviewers_through = Finding._meta.get_field("reviewers").remote_field.through
-    # if reviewers_through:
-    #     logger.info(f"Tracking reviewers M2M through table: {reviewers_through} (db_table: {reviewers_through._meta.db_table})")
-    #     pghistory.track(
-    #         pghistory.InsertEvent(),
-    #         pghistory.DeleteEvent(),
-    #         meta={
-    #             "indexes": [
-    #                 models.Index(fields=["pgh_created_at"]),
-    #                 models.Index(fields=["pgh_label"]),
-    #                 models.Index(fields=["pgh_context_id"]),
-    #             ],
-    #         },
-    #     )(reviewers_through)
-    #     logger.info("Successfully registered pghistory tracking for reviewers through table")
-    # else:
-    #     logger.warning("Could not find reviewers through table for Finding model!")
-
     pghistory.track(
         pghistory.InsertEvent(),
         pghistory.UpdateEvent(condition=pghistory.AnyChange(exclude_auto=True)),
@@ -354,6 +334,31 @@ def register_django_pghistory_models():
         },
     )(Notification_Webhooks)
 
+    # Track Finding.reviewers ManyToMany relationship
+    # Create a proxy model for the through table as per pghistory docs:
+    # https://django-pghistory.readthedocs.io/en/2.4.2/tutorial.html#tracking-many-to-many-events
+    # Note: For auto-generated through models, we don't specify obj_fk/obj_field
+    # as Django doesn't allow foreign keys to auto-generated through models
+    reviewers_through = Finding._meta.get_field("reviewers").remote_field.through
+
+    class FindingReviewers(reviewers_through):
+        class Meta:
+            proxy = True
+
+    pghistory.track(
+        pghistory.InsertEvent(),
+        pghistory.DeleteEvent(),
+        pghistory.ManualEvent(label="initial_import"),
+        meta={
+            "db_table": "dojo_finding_reviewersevent",
+            "indexes": [
+                models.Index(fields=["pgh_created_at"]),
+                models.Index(fields=["pgh_label"]),
+                models.Index(fields=["pgh_context_id"]),
+            ],
+        },
+    )(FindingReviewers)
+
     # Only log during actual application startup, not during shell commands
     if "shell" not in sys.argv:
         logger.info("Successfully registered models with django-pghistory")

dojo/db_migrations/0247_findingreviewers_findingreviewersevent_and_more.py

@@ -0,0 +1,64 @@
+# Generated by Django 5.1.13 on 2025-11-01 17:04
+
+import django.db.models.deletion
+import pgtrigger.compiler
+import pgtrigger.migrations
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("dojo", "0246_endpoint_idx_ep_product_lower_host_and_more")
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="FindingReviewers",
+            fields=[
+            ],
+            options={
+                "proxy": True,
+                "indexes": [],
+                "constraints": [],
+            },
+            bases=("dojo.finding_reviewers",),
+        ),
+        migrations.CreateModel(
+            name="FindingReviewersEvent",
+            fields=[
+                ("pgh_id", models.AutoField(primary_key=True, serialize=False)),
+                ("pgh_created_at", models.DateTimeField(auto_now_add=True)),
+                ("pgh_label", models.TextField(help_text="The event label.")),
+                ("id", models.IntegerField()),
+                ("dojo_user", models.ForeignKey(db_constraint=False, db_index=False, db_tablespace="", on_delete=django.db.models.deletion.DO_NOTHING, related_name="+", related_query_name="+", to="dojo.dojo_user")),
+                ("finding", models.ForeignKey(db_constraint=False, db_index=False, db_tablespace="", on_delete=django.db.models.deletion.DO_NOTHING, related_name="+", related_query_name="+", to="dojo.finding")),
+                ("pgh_context", models.ForeignKey(db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name="+", to="pghistory.context")),
+                ("pgh_obj", models.ForeignKey(db_constraint=False, on_delete=django.db.models.deletion.DO_NOTHING, related_name="events", to="dojo.findingreviewers")),
+            ],
+            options={
+                "abstract": False,
+                "db_table": "dojo_finding_reviewersevent",
+            },
+        ),
+        migrations.AddIndex(
+            model_name="findingreviewersevent",
+            index=models.Index(fields=["pgh_created_at"], name="dojo_findin_pgh_cre_d5e5b4_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="findingreviewersevent",
+            index=models.Index(fields=["pgh_label"], name="dojo_findin_pgh_lab_5517f9_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="findingreviewersevent",
+            index=models.Index(fields=["pgh_context_id"], name="dojo_findin_pgh_con_06229b_idx"),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="findingreviewers",
+            trigger=pgtrigger.compiler.Trigger(name="insert_insert", sql=pgtrigger.compiler.UpsertTriggerSql(func='INSERT INTO "dojo_finding_reviewersevent" ("dojo_user_id", "finding_id", "id", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id") VALUES (NEW."dojo_user_id", NEW."finding_id", NEW."id", _pgh_attach_context(), NOW(), \'insert\', NEW."id"); RETURN NULL;', hash="5c1fd440159e49c929122cbb590f96983a1c934e", operation="INSERT", pgid="pgtrigger_insert_insert_0808c", table="dojo_finding_reviewers", when="AFTER")),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="findingreviewers",
+            trigger=pgtrigger.compiler.Trigger(name="delete_delete", sql=pgtrigger.compiler.UpsertTriggerSql(func='INSERT INTO "dojo_finding_reviewersevent" ("dojo_user_id", "finding_id", "id", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id") VALUES (OLD."dojo_user_id", OLD."finding_id", OLD."id", _pgh_attach_context(), NOW(), \'delete\', OLD."id"); RETURN NULL;', hash="23a4e01eaea469f708679392a6a92a6e16b21181", operation="DELETE", pgid="pgtrigger_delete_delete_40083", table="dojo_finding_reviewers", when="AFTER")),
+        ),
+    ]

dojo/management/commands/pghistory_backfill.py

@@ -164,6 +164,7 @@ def handle(self, *args, **options):
             "Dojo_User", "Endpoint", "Engagement", "Finding", "Finding_Group",
             "Product_Type", "Product", "Test", "Risk_Acceptance",
             "Finding_Template", "Cred_User", "Notification_Webhooks",
+            "FindingReviewers",  # M2M through table for Finding.reviewers
         ]
 
         specific_model = options.get("model")

dojo/management/commands/pghistory_backfill_fast.py

@@ -490,6 +490,7 @@ def handle(self, *args, **options):
             "Dojo_User", "Endpoint", "Engagement", "Finding", "Finding_Group",
             "Product_Type", "Product", "Test", "Risk_Acceptance",
             "Finding_Template", "Cred_User", "Notification_Webhooks",
+            "FindingReviewers",  # M2M through table for Finding.reviewers
         ]
 
         specific_model = options.get("model")