test: add unit tests for new scope

Author: BryanttV

openedx_authz/tests/api/test_data.py

@@ -14,6 +14,7 @@
     OrgContentLibraryGlobData,
     OrgCourseOverviewGlobData,
     PermissionData,
+    PlatformCourseOverviewGlobData,
     RoleAssignmentData,
     RoleData,
     ScopeData,
@@ -267,12 +268,17 @@ def test_scope_data_registration(self):
         self.assertIn("course-v1", ScopeMeta.org_glob_registry)
         self.assertIs(ScopeMeta.org_glob_registry["course-v1"], OrgCourseOverviewGlobData)
 
+        # Glob registries for platform-level scopes
+        self.assertIn("course-v1", ScopeMeta.platform_glob_registry)
+        self.assertIs(ScopeMeta.platform_glob_registry["course-v1"], PlatformCourseOverviewGlobData)
+
     @data(
         ("ccx-v1^ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1", CCXCourseOverviewData),
         ("course-v1^course-v1:WGU+CS002+2025_T1", CourseOverviewData),
         ("lib^lib:DemoX:CSPROB", ContentLibraryData),
         ("lib^lib:DemoX*", OrgContentLibraryGlobData),
         ("course-v1^course-v1:OpenedX*", OrgCourseOverviewGlobData),
+        ("course-v1^course-v1:*", PlatformCourseOverviewGlobData),
         ("global^generic_scope", ScopeData),
     )
     @unpack
@@ -294,6 +300,7 @@ def test_dynamic_instantiation_via_namespaced_key(self, namespaced_key, expected
         ("lib^lib:DemoX:CSPROB", ContentLibraryData),
         ("lib^lib:DemoX:*", OrgContentLibraryGlobData),
         ("course-v1^course-v1:OpenedX+*", OrgCourseOverviewGlobData),
+        ("course-v1^course-v1:*", PlatformCourseOverviewGlobData),
         ("global^generic", ScopeData),
         ("unknown^something", ScopeData),
     )
@@ -318,6 +325,7 @@ def test_get_subclass_by_namespaced_key(self, namespaced_key, expected_class):
         ("lib:DemoX:CSPROB", ContentLibraryData),
         ("lib:DemoX:*", OrgContentLibraryGlobData),
         ("course-v1:OpenedX+*", OrgCourseOverviewGlobData),
+        ("course-v1:*", PlatformCourseOverviewGlobData),
         ("lib:edX:Demo", ContentLibraryData),
         ("global:generic_scope", ScopeData),
     )
@@ -906,3 +914,79 @@ def test_exists_false_when_org_cannot_be_parsed(self):
 
         self.assertIsNone(scope.org)
         self.assertFalse(scope.exists())
+
+
+@ddt
+class TestPlatformCourseOverviewGlobData(TestCase):
+    """Tests for the PlatformCourseOverviewGlobData scope."""
+
+    PLATFORM_GLOB_EXTERNAL_KEY = "course-v1:*"
+    PLATFORM_GLOB_NAMESPACED_KEY = "course-v1^course-v1:*"
+
+    def test_build_external_key(self):
+        """build_external_key returns the platform-wide course glob pattern."""
+        self.assertEqual(PlatformCourseOverviewGlobData.build_external_key(), self.PLATFORM_GLOB_EXTERNAL_KEY)
+
+    @data(
+        ("course-v1:*", True),
+        ("course-v1:OpenedX+*", False),
+        ("course-v1:OpenedX*", False),
+        ("course-v1:OpenedX", False),
+        ("course-v1:*:*", False),
+        ("other:*", False),
+        ("lib:*", False),
+    )
+    @unpack
+    def test_validate_external_key(self, external_key, expected_valid):
+        """Validate platform-level course glob external keys."""
+        self.assertEqual(PlatformCourseOverviewGlobData.validate_external_key(external_key), expected_valid)
+
+    def test_exists_always_true(self):
+        """exists() returns True without checking the database."""
+        scope = PlatformCourseOverviewGlobData(external_key=self.PLATFORM_GLOB_EXTERNAL_KEY)
+
+        self.assertTrue(scope.exists())
+
+    def test_get_object_returns_none(self):
+        """Platform glob scopes do not map to a concrete domain object."""
+        scope = PlatformCourseOverviewGlobData(external_key=self.PLATFORM_GLOB_EXTERNAL_KEY)
+
+        self.assertIsNone(scope.get_object())
+
+    def test_namespaced_key(self):
+        """namespaced_key includes namespace prefix and external key."""
+        scope = PlatformCourseOverviewGlobData(external_key=self.PLATFORM_GLOB_EXTERNAL_KEY)
+
+        self.assertEqual(scope.namespaced_key, self.PLATFORM_GLOB_NAMESPACED_KEY)
+
+    def test_dynamic_instantiation_via_scope_data(self):
+        """ScopeData resolves course-v1:* to PlatformCourseOverviewGlobData."""
+        scope = ScopeData(external_key=self.PLATFORM_GLOB_EXTERNAL_KEY)
+
+        self.assertIsInstance(scope, PlatformCourseOverviewGlobData)
+        self.assertEqual(scope.external_key, self.PLATFORM_GLOB_EXTERNAL_KEY)
+
+    def test_get_admin_view_permission(self):
+        """View permission matches course team view permission."""
+        self.assertEqual(
+            PlatformCourseOverviewGlobData.get_admin_view_permission(), permissions.COURSES_VIEW_COURSE_TEAM
+        )
+
+    def test_get_admin_manage_permission(self):
+        """Manage permission matches course team manage permission."""
+        self.assertEqual(
+            PlatformCourseOverviewGlobData.get_admin_manage_permission(),
+            permissions.COURSES_MANAGE_COURSE_TEAM,
+        )
+
+    def test_is_platform_glob(self):
+        """Platform course glob is flagged as a platform-level glob scope."""
+        self.assertTrue(PlatformCourseOverviewGlobData.IS_PLATFORM_GLOB)
+        self.assertFalse(PlatformCourseOverviewGlobData.IS_ORG_GLOB)
+
+    def test_get_all_platform_glob_namespaces(self):
+        """Platform glob namespace is registered in ScopeMeta."""
+        platform_globs = ScopeMeta.get_all_platform_glob_namespaces()
+
+        self.assertIn("course-v1", platform_globs)
+        self.assertIs(platform_globs["course-v1"], PlatformCourseOverviewGlobData)

openedx_authz/tests/test_enforcement.py

@@ -22,6 +22,7 @@
     CourseOverviewData,
     OrgContentLibraryGlobData,
     OrgCourseOverviewGlobData,
+    PlatformCourseOverviewGlobData,
 )
 from openedx_authz.constants import roles
 from openedx_authz.constants.permissions import (
@@ -675,6 +676,41 @@ def test_org_level_glob_enforcement(self, request: AuthRequest):
         self._test_enforcement(self.POLICIES + self.ASSIGNMENTS, request)
 
 
+@ddt
+class PlatformGlobCourseEnforcementTests(CasbinEnforcementTestCase):
+    """
+    Tests for platform-level glob patterns in course scopes.
+
+    This test class verifies that policies defined with platform-level glob patterns
+    (e.g., ``course-v1:*``) are correctly enforced for concrete course scopes across
+    all organizations on the platform.
+    """
+
+    POLICIES = [
+        make_policy(roles.COURSE_STAFF.external_key, COURSES_VIEW_COURSE.identifier, CourseOverviewData.NAMESPACE)
+    ]
+
+    ASSIGNMENTS = [
+        make_course_assignment("user1", roles.COURSE_STAFF.external_key, "course-v1:*"),
+    ]
+
+    CASES = [
+        # Permission granted across organizations
+        make_course_case("user1", COURSES_VIEW_COURSE.identifier, "course-v1:OpenedX+Python+2026", True),
+        make_course_case("user1", COURSES_VIEW_COURSE.identifier, "course-v1:OtherOrg+Course+2025", True),
+        make_course_case("user1", COURSES_VIEW_COURSE.identifier, "course-v1:InexistentOrg+Demo+2026", True),
+        make_course_case("user1", COURSES_VIEW_COURSE.identifier, "course-v1:OpenedXv2+Demo+2026", True),
+        # Permission denied
+        make_course_case("user1", COURSES_CREATE_FILES.identifier, "course-v1:OpenedX+Python+2026", False),
+        make_course_case("user2", COURSES_VIEW_COURSE.identifier, "course-v1:OpenedX+Demo+2026", False),
+    ]
+
+    @data(*CASES)
+    def test_platform_level_glob_enforcement(self, request: AuthRequest):
+        """Test that platform-level glob patterns in course scopes are enforced correctly."""
+        self._test_enforcement(self.POLICIES + self.ASSIGNMENTS, request)
+
+
 def make_org_library_glob_key(key: str) -> str:
     """Create a namespaced org-level library glob key (e.g., 'lib^lib:DemoX:*')."""
     return f"{OrgContentLibraryGlobData.NAMESPACE}{OrgContentLibraryGlobData.SEPARATOR}{key}"
@@ -685,6 +721,11 @@ def make_org_course_glob_key(key: str) -> str:
     return f"{OrgCourseOverviewGlobData.NAMESPACE}{OrgCourseOverviewGlobData.SEPARATOR}{key}"
 
 
+def make_platform_course_glob_key(key: str) -> str:
+    """Create a namespaced platform-level course glob key (e.g., 'course-v1^course-v1:*')."""
+    return f"{PlatformCourseOverviewGlobData.NAMESPACE}{PlatformCourseOverviewGlobData.SEPARATOR}{key}"
+
+
 @pytest.mark.django_db
 @ddt
 class StaffSuperuserAccessTests(CasbinEnforcementTestCase):
@@ -869,6 +910,25 @@ def setUp(self) -> None:
             make_org_course_glob_key("course-v1:TestOrg+*"),
             False,
         ),
+        # PlatformCourseOverviewGlobData scope
+        (
+            make_user_key("staff_user"),
+            make_action_key("courses.view_course"),
+            make_platform_course_glob_key("course-v1:*"),
+            True,
+        ),
+        (
+            make_user_key("superuser"),
+            make_action_key("courses.view_course"),
+            make_platform_course_glob_key("course-v1:*"),
+            True,
+        ),
+        (
+            make_user_key("regular_user"),
+            make_action_key("courses.view_course"),
+            make_platform_course_glob_key("course-v1:*"),
+            False,
+        ),
         # Unsupported scope type - no one is granted access via this matcher
         (make_user_key("staff_user"), make_action_key("manage"), make_scope_key("org", "TestOrg"), False),
         (make_user_key("superuser"), make_action_key("manage"), make_scope_key("org", "TestOrg"), False),
@@ -885,13 +945,14 @@ def test_is_admin_or_superuser_check(
 
         Verifies that:
         - Staff users are always allowed for ContentLibraryData, CourseOverviewData,
-          OrgContentLibraryGlobData, and OrgCourseOverviewGlobData scopes.
+          OrgContentLibraryGlobData, OrgCourseOverviewGlobData, and
+          PlatformCourseOverviewGlobData scopes.
         - Superusers are always allowed for the same scopes.
         - Regular users are denied when they have no role assignments.
         - Unsupported scope types (e.g., org) are denied even for staff/superusers.
 
         Expected result:
-            - staff_user and superuser: True for all four supported scope types.
+            - staff_user and superuser: True for all supported scope types.
             - regular_user: False for all scope types (no role assignments).
             - staff_user and superuser: False for unsupported scope types.
         """