
Authorized User does not get full list of Findings through APIv2 #2992

Closed
1 of 3 tasks
Yuuichi89 opened this issue Oct 12, 2020 · 2 comments

Comments

@Yuuichi89
Contributor

Yuuichi89 commented Oct 12, 2020

Bug description
When using APIv2 (on the newest Release 1.8) to view findings by ID as an Authorized User for a Product, this User gets a reply which only contains the findings created (reported) by him. This only happens through the API. When listing the findings through the WebUI all findings are shown.

Steps to reproduce
Steps to reproduce the behavior:

  1. In the settings.py file, set DD_AUTHORIZED_USERS_ALLOW_STAFF,
    DD_AUTHORIZED_USERS_ALLOW_CHANGE and
    DD_AUTHORIZED_USERS_ALLOW_DELETE to true
  2. Go to the DefectDojo APIv2 and authorize with an Authorized User who does not have the Staff role
  3. Click on GET /findings/{id}/
  4. Click on Try Out and insert an ID of a Product which the User is authorized for and which contains a finding of which he is not the Reporter
  5. Click on Execute
  6. The Response only contains a finding of which he is the reporter. If it is a Product he is authorized for but in which no Finding exists of which he is the reporter, the response
    { "detail": "Not found." }
    is printed.

Expected behavior
A full List of all Findings created for that Product should be contained in the response. It should be the same Response as if a Staff User would execute that Request.

Deployment method (select with an X)

  • Kubernetes
  • Docker
  • setup.bash / legacy-setup.bash

Environment information

  • Operating System: Ubuntu 20.04
  • DefectDojo Commit Message:
    [2020-10-02 18:19:00 +0200] a89d7df: renovate: only rebase when conflicted [ (HEAD -> master, origin/master, origin/HEAD)]
@Yuuichi89 Yuuichi89 added the bug label Oct 12, 2020
@valentijnscholten
Member

valentijnscholten commented Oct 12, 2020

Click on Try Out and insert an ID of a Product which the User is authorized to and contains a finding which he is not the Reporter of

You need to provide the ID of a finding, not of a product. To list findings for a product you can use the /findings/ endpoint and supply the test__engagement__product=xxx parameter in the body of the request.

@Yuuichi89
Contributor Author

Yes, thank you for the reply; I got that messed up there, I meant the ID of a finding of another reporter. But the issue still exists.
If I supply the test_engagement_product parameter on the get findings query, an authorized User for the product gets the following response:

{
  "count": 2,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 5,...

which contains only the 2 findings of which he is the reporter,
while a user with the Staff role gets all the findings of that product, as he gets this response:

{
  "count": 4,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 5, ...

If I do the /findings/{id} query as the authorized User on a finding ID which belongs to that product and of which another User is the reporter, the response is:
{ "detail": "Not found." }
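The two responses above (count 2 versus count 4, and "Not found." on a single-finding lookup) are the symptom of two separately written authorization filters drifting apart: the web UI scopes by product authorization, the API scopes by reporter. The following is an added illustration, not DefectDojo code: the classes, both visibility rules, the sample users and findings, and the parity check are all constructed assumptions (the DD_AUTHORIZED_USERS_ALLOW_* settings are not modelled), written to show the mismatch and the fix of routing both code paths through one rule.

```python
"""Constructed model of the UI-vs-API authorization gap described in this issue.

Added illustration, not DefectDojo code: the classes, rules and sample data
below are assumptions chosen to reproduce the "count": 2 vs "count": 4 symptom.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False


@dataclass(frozen=True)
class Product:
    name: str
    authorized_users: frozenset  # names of non-staff users authorized on this product


@dataclass(frozen=True)
class Finding:
    id: int
    product: Product
    reporter: User


def user_may_view_product(user: User, product: Product) -> bool:
    """The single authorization rule both code paths should share:
    staff see everything, authorized users see their own products."""
    return user.is_staff or user.name in product.authorized_users


def webui_findings(user: User, findings: List[Finding]) -> List[Finding]:
    """What the web UI lists according to the report: every finding of a product
    the user is authorized for."""
    return [f for f in findings if user_may_view_product(user, f.product)]


def api_findings_reporter_only(user: User, findings: List[Finding]) -> List[Finding]:
    """The reported API behaviour (assumed): a non-staff user only gets findings
    they reported themselves, so product authorization is ignored."""
    if user.is_staff:
        return list(findings)
    return [f for f in findings if f.reporter == user]


def api_findings_fixed(user: User, findings: List[Finding]) -> List[Finding]:
    """Corrected API filter: reuse the same product-level rule the UI applies."""
    return [f for f in findings if user_may_view_product(user, f.product)]


def api_get_finding(user: User, finding_id: int, findings: List[Finding],
                    reporter_only: bool) -> Optional[Finding]:
    """Single-object lookup; None stands for the API's {"detail": "Not found."}.
    Resolving the ID inside the already-scoped list (instead of looking it up
    globally and then checking permissions) keeps 'does not exist' and
    'not permitted' indistinguishable to the caller."""
    scoped = (api_findings_reporter_only(user, findings) if reporter_only
              else api_findings_fixed(user, findings))
    return next((f for f in scoped if f.id == finding_id), None)


def parity_gaps(user: User, findings: List[Finding]) -> List[int]:
    """Finding IDs on which the UI rule and the reporter-only API rule disagree.
    A non-empty result is exactly the inconsistency the issue reports."""
    ui = {f.id for f in webui_findings(user, findings)}
    api = {f.id for f in api_findings_reporter_only(user, findings)}
    return sorted(ui ^ api)


# Constructed sample data: alice is authorized on "webapp" but not staff,
# bob is staff, carol has no access. Two of four findings were reported by alice.
ALICE = User("alice")
BOB = User("bob", is_staff=True)
CAROL = User("carol")
WEBAPP = Product("webapp", frozenset({"alice"}))
FINDINGS = [
    Finding(1, WEBAPP, ALICE),
    Finding(2, WEBAPP, ALICE),
    Finding(3, WEBAPP, BOB),
    Finding(4, WEBAPP, BOB),
]

if __name__ == "__main__":
    print("UI count for alice:        ", len(webui_findings(ALICE, FINDINGS)))
    print("API (reporter only) count: ", len(api_findings_reporter_only(ALICE, FINDINGS)))
    print("API (fixed) count:         ", len(api_findings_fixed(ALICE, FINDINGS)))
    print("IDs the two rules disagree on:", parity_gaps(ALICE, FINDINGS))
```

The parity check is the part worth keeping around: a test that feeds the same user and data through every listing path and asserts an empty difference catches this class of regression before it reaches an API consumer.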

Yuuichi89 pushed a commit to Yuuichi89/django-DefectDojo that referenced this issue Oct 13, 2020
madchap pushed a commit that referenced this issue Oct 13, 2020
… the reporter of #2992 (#2998)

* Bugfix: Authorized User only gets findings through API of which he is the reporter of #2992

* Update views.py

Co-authored-by: Volker Weyandt <Volker.Weyandt@t-systems.com>