Current
When a user opens the role assignment wizard and selects a course role, the "Where It Applies" step lists all courses regardless of whether the user has MANAGE_COURSE_TEAM permission on each one.
This means a user who has course_admin on Course A and course_staff on Course B can:
- Select a course role in step 1 — because the
MANAGE_COURSE_TEAM check is global (not scoped), having it on any course enables course roles in the wizard.
- See Course B listed in step 2 alongside Course A.
- Select Course B and reach the submission step.
The backend then rejects the request and the user sees a "You do not have permission to perform this assignment." error toast.
Expected
The "Where It Applies" step must only list scopes where the authenticated user actually has permission to manage the team for the selected role type.
- If the user has
MANAGE_COURSE_TEAM on Course A but not on Course B, only Course A must appear when a course role is selected in step 1.
- If the user has
MANAGE_LIBRARY_TEAM on Library A but not on Library B, only Library A must appear when a library role is selected in step 1.
Users must not be able to reach the submission step for a scope they cannot manage.
US
As a user assigning roles to others,
I want to see only the scopes where I have permission to manage the team,
So that I do not attempt to assign roles to scopes I cannot manage and encounter a confusing backend error.
Current
When a user opens the role assignment wizard and selects a course role, the "Where It Applies" step lists all courses regardless of whether the user has
MANAGE_COURSE_TEAMpermission on each one.This means a user who has
course_adminon Course A andcourse_staffon Course B can:MANAGE_COURSE_TEAMcheck is global (not scoped), having it on any course enables course roles in the wizard.The backend then rejects the request and the user sees a "You do not have permission to perform this assignment." error toast.
Expected
The "Where It Applies" step must only list scopes where the authenticated user actually has permission to manage the team for the selected role type.
MANAGE_COURSE_TEAMon Course A but not on Course B, only Course A must appear when a course role is selected in step 1.MANAGE_LIBRARY_TEAMon Library A but not on Library B, only Library A must appear when a library role is selected in step 1.Users must not be able to reach the submission step for a scope they cannot manage.
US
As a user assigning roles to others,
I want to see only the scopes where I have permission to manage the team,
So that I do not attempt to assign roles to scopes I cannot manage and encounter a confusing backend error.