core: rework recursive group membership (#6017)

* rework checking group membership and add `user.all_groups` to get full list of groups

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* refactor some more for better performance

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate things to use all_groups

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix for django 4.2

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

website/docs/releases/2023/v2023.7.md

@@ -13,6 +13,14 @@ slug: "/releases/2023.7"
 
     For Kubernetes install, a manual one-time migration has to be done: [Upgrading PostgreSQL on Kubernetes](../../troubleshooting/postgres/upgrade_kubernetes.md)
 
+-   Changed nested Group membership behaviour
+
+    In previous versions, nested groups were handled very inconsistently. Binding a group to an application/etc would check the membership recursively, however when using `user.ak_groups.all()` would only return direct memberships. Additionally, using `user.group_attributes()` would do the same and only merge all group attributes for direct memberships.
+
+    This has been changed to always use the same logic as when checking for access, which means dealing with complex group structures is a lot more consistent.
+
+    Policies that do use `user.ak_groups.all()` will retain the current behaviour, to use the new behaviour replace the call with `user.all_groups()`.
+
 ## New features
 
 ## Upgrading