feat: authz permission validation for Course Updates (#2938)

* feat: adding permission validations from authz for course updates for view and manage

* refactor: replace useUserPermissionsWithAuthzCourse with useCourseUserPermissions

Remove the deprecated useUserPermissionsWithAuthzCourse hook and migrate all consumers to use useCourseUserPermissions, which provides a flatter API by spreading permission booleans directly into the return object.

Author: jacobo-dominguez-wgu

src/authz/constants.ts

@@ -24,6 +24,8 @@ export const COURSE_PERMISSIONS = {
   VIEW_SCHEDULE_AND_DETAILS: 'courses.view_schedule_and_details',
   EDIT_SCHEDULE: 'courses.edit_schedule',
   EDIT_DETAILS: 'courses.edit_details',
+  VIEW_COURSE_UPDATES: 'courses.view_course_updates',
+  MANAGE_COURSE_UPDATES: 'courses.manage_course_updates',
 
   VIEW_PAGES_AND_RESOURCES: 'courses.view_pages_and_resources',
   MANAGE_PAGES_AND_RESOURCES: 'courses.manage_pages_and_resources',

src/authz/hooks.test.ts

@@ -60,8 +60,8 @@ describe('useCourseUserPermissions', () => {
 
     expect(result.current.isLoading).toBe(true);
     expect(result.current.isAuthzEnabled).toBe(true);
-    expect(result.current.canView).toBeUndefined();
-    expect(result.current.canEdit).toBeUndefined();
+    expect(result.current.canView).toBe(false);
+    expect(result.current.canEdit).toBe(false);
   });
 
   it('falls back to false for permissions absent from server response when authz is enabled', () => {

src/authz/hooks.test.tsx

@@ -0,0 +1,135 @@
+import React from 'react';
+import { renderHook, waitFor } from '@testing-library/react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+
+import * as authzApi from '@src/authz/data/api';
+import { PermissionValidationQuery } from '@src/authz/types';
+import { mockWaffleFlags } from '@src/data/apiHooks.mock';
+import { useCourseUserPermissions } from './hooks';
+
+jest.mock('@src/data/api');
+jest.mock('@src/authz/data/api');
+
+const mockedAuthzApi = jest.mocked(authzApi);
+
+describe('useCourseUserPermissions', () => {
+  let queryClient: QueryClient;
+
+  const createWrapper = () =>
+    function TestWrapper({ children }: { children: React.ReactNode; }) {
+      return (
+        <QueryClientProvider client={queryClient}>
+          {children}
+        </QueryClientProvider>
+      );
+    };
+
+  const mockPermissions: PermissionValidationQuery = {
+    canViewFiles: {
+      action: 'course.view_files',
+      scope: 'course-v1:Test+101+2023',
+    },
+    canManageFiles: {
+      action: 'course.manage_files',
+      scope: 'course-v1:Test+101+2023',
+    },
+  };
+
+  beforeEach(() => {
+    queryClient = new QueryClient({
+      defaultOptions: {
+        queries: { retry: false },
+      },
+    });
+    jest.clearAllMocks();
+  });
+
+  it('returns all permissions as true when authz is disabled', async () => {
+    mockWaffleFlags({
+      enableAuthzCourseAuthoring: false,
+    });
+
+    const { result } = renderHook(
+      () => useCourseUserPermissions('course-v1:Test+101+2023', mockPermissions),
+      { wrapper: createWrapper() },
+    );
+
+    await waitFor(() => {
+      expect(result.current.isLoading).toBe(false);
+    });
+
+    expect(result.current.isAuthzEnabled).toBe(false);
+    expect(result.current.canViewFiles).toBe(true);
+    expect(result.current.canManageFiles).toBe(true);
+  });
+
+  it('returns loading state when authz is enabled and permissions are loading', async () => {
+    mockWaffleFlags({
+      enableAuthzCourseAuthoring: true,
+    });
+
+    mockedAuthzApi.validateUserPermissions.mockImplementation(
+      () => new Promise(() => {}),
+    );
+
+    const { result } = renderHook(
+      () => useCourseUserPermissions('course-v1:Test+101+2023', mockPermissions),
+      { wrapper: createWrapper() },
+    );
+
+    await waitFor(() => {
+      expect(result.current.isAuthzEnabled).toBe(true);
+    });
+
+    expect(result.current.isLoading).toBe(true);
+    expect(result.current.canViewFiles).toBe(false);
+    expect(result.current.canManageFiles).toBe(false);
+  });
+
+  it('returns actual permission values when authz is enabled and permissions loaded', async () => {
+    mockWaffleFlags({
+      enableAuthzCourseAuthoring: true,
+    });
+
+    mockedAuthzApi.validateUserPermissions.mockResolvedValue({
+      canViewFiles: true,
+      canManageFiles: false,
+    });
+
+    const { result } = renderHook(
+      () => useCourseUserPermissions('course-v1:Test+101+2023', mockPermissions),
+      { wrapper: createWrapper() },
+    );
+
+    await waitFor(() => {
+      expect(result.current.isLoading).toBe(false);
+    });
+
+    expect(result.current.isAuthzEnabled).toBe(true);
+    expect(result.current.canViewFiles).toBe(true);
+    expect(result.current.canManageFiles).toBe(false);
+  });
+
+  it('falls back to false for undefined permissions when authz is enabled', async () => {
+    mockWaffleFlags({
+      enableAuthzCourseAuthoring: true,
+    });
+
+    mockedAuthzApi.validateUserPermissions.mockResolvedValue({
+      canViewFiles: true,
+    });
+
+    const { result } = renderHook(
+      () => useCourseUserPermissions('course-v1:Test+101+2023', mockPermissions),
+      { wrapper: createWrapper() },
+    );
+
+    await waitFor(() => {
+      expect(result.current.isLoading).toBe(false);
+    });
+
+    expect(result.current.isAuthzEnabled).toBe(true);
+    expect(result.current.canViewFiles).toBe(true);
+    expect(result.current.canManageFiles).toBe(false);
+  });
+});

src/authz/hooks.ts

@@ -42,29 +42,35 @@ export const useCourseUserPermissions = <Query extends PermissionValidationQuery
   permissions: Query,
 ): UseCourseUserPermissionsReturn<Query> => {
   const waffleFlags = useWaffleFlags(courseId);
+  const isWaffleFlagsLoading: boolean = waffleFlags?.isLoading ?? true;
   const isAuthzEnabled: boolean = waffleFlags?.enableAuthzCourseAuthoring ?? false;
 
   const {
     isLoading: isLoadingUserPermissions,
     data: userPermissions,
   } = useUserPermissions(permissions, isAuthzEnabled);
 
+  const isLoading = isWaffleFlagsLoading || (isAuthzEnabled && isLoadingUserPermissions);
+
   const resolvePermission = (key: string): boolean => {
     if (!isAuthzEnabled) {
       return true;
     }
     return userPermissions?.[key] ?? false;
   };
 
-  const permissionResults: Record<string, boolean> = isLoadingUserPermissions
-    ? {}
+  const permissionResults: Record<string, boolean> = isLoading
+    ? Object.keys(permissions).reduce<Record<string, boolean>>((acc, key) => {
+      acc[key] = false;
+      return acc;
+    }, {})
     : Object.keys(permissions).reduce<Record<string, boolean>>((acc, key) => {
       acc[key] = resolvePermission(key);
       return acc;
     }, {});
 
   return {
-    isLoading: isAuthzEnabled ? isLoadingUserPermissions : false,
+    isLoading,
     isAuthzEnabled,
     ...permissionResults as PermissionValidationAnswer<Query>,
   };

src/authz/permissionHelpers.test.ts

@@ -2,11 +2,38 @@ import {
   getGradingPermissions,
   getPagesAndResourcesPermissions,
   getAdvancedSettingsPermissions,
+  getCourseUpdatesPermissions,
 } from './permissionHelpers';
 import { COURSE_PERMISSIONS } from './constants';
 
+const courseId = 'course-v1:org+course+run';
+
 describe('permissionHelpers', () => {
-  const courseId = 'course-v1:org+course+run';
+  describe('getCourseUpdatesPermissions', () => {
+    it('should return correct permission structure for course updates operations', () => {
+      const result = getCourseUpdatesPermissions(courseId);
+
+      expect(result).toEqual({
+        canViewCourseUpdates: {
+          action: COURSE_PERMISSIONS.VIEW_COURSE_UPDATES,
+          scope: courseId,
+        },
+        canManageCourseUpdates: {
+          action: COURSE_PERMISSIONS.MANAGE_COURSE_UPDATES,
+          scope: courseId,
+        },
+      });
+    });
+
+    it('should use the provided courseId as scope for all permissions', () => {
+      const customCourseId = 'course-v1:TestOrg+TestCourse+2024';
+      const result = getCourseUpdatesPermissions(customCourseId);
+
+      Object.values(result).forEach(permission => {
+        expect(permission.scope).toBe(customCourseId);
+      });
+    });
+  });
 
   describe('getGradingPermissions', () => {
     it('returns VIEW and EDIT permissions with the correct actions and scope', () => {

src/authz/permissionHelpers.ts

@@ -26,6 +26,17 @@ export const getGradingPermissions = (courseId: string) => ({
   },
 });
 
+export const getCourseUpdatesPermissions = (courseId: string) => ({
+  canViewCourseUpdates: {
+    action: COURSE_PERMISSIONS.VIEW_COURSE_UPDATES,
+    scope: courseId,
+  },
+  canManageCourseUpdates: {
+    action: COURSE_PERMISSIONS.MANAGE_COURSE_UPDATES,
+    scope: courseId,
+  },
+});
+
 export const getPagesAndResourcesPermissions = (courseId: string) => ({
   canViewPagesAndResources: {
     action: COURSE_PERMISSIONS.VIEW_PAGES_AND_RESOURCES,