1919from lms .djangoapps .courseware .exceptions import CourseAccessRedirect
2020from openedx .core .djangoapps .authz .tests .mixins import CourseAuthoringAuthzTestMixin
2121from openedx .core .djangoapps .content .course_overviews .models import CourseOverview
22+ from xmodule .course_block import CATALOG_VISIBILITY_NONE
2223from xmodule .modulestore .exceptions import ItemNotFoundError # pylint: disable=wrong-import-order
2324from xmodule .modulestore .tests .django_utils import ( # pylint: disable=wrong-import-order
2425 ModuleStoreTestCase ,
@@ -147,7 +148,8 @@ def setUpClass(cls):
147148 cls .course = cls .create_course ()
148149 cls .hidden_course = cls .create_course (
149150 course = 'hidden' ,
150- visible_to_staff_only = True
151+ visible_to_staff_only = True ,
152+ catalog_visibility = CATALOG_VISIBILITY_NONE ,
151153 )
152154
153155 def test_get_existing_course_as_authorized_user (self ):
@@ -167,13 +169,13 @@ def test_get_existing_course_as_authorized_user(self):
167169 self .verify_course (course )
168170
169171 def test_get_existing_course_as_unauthorized_user (self ):
170- """User without role should be denied ."""
171- with pytest . raises ( CourseAccessRedirect ):
172- self ._make_api_call (
173- self .unauthorized_user ,
174- self .unauthorized_user ,
175- self . course . id
176- )
172+ """User without AuthZ role can still access when catalog visibility allows ."""
173+ course = self . _make_api_call (
174+ self .unauthorized_user ,
175+ self .unauthorized_user ,
176+ self .course . id
177+ )
178+ self . verify_course ( course )
177179
178180 def test_get_nonexistent_course (self ):
179181 """Nonexistent course should raise 404."""
@@ -212,24 +214,24 @@ def test_hidden_course_for_staff_as_unauthorized_user(self):
212214 )
213215
214216 def test_user_gains_access_after_role_assignment (self ):
215- """User initially denied, then allowed after role assignment."""
217+ """User denied when catalog is hidden , then allowed after role assignment."""
216218 with pytest .raises (CourseAccessRedirect ):
217219 self ._make_api_call (
218220 self .unauthorized_user ,
219221 self .unauthorized_user ,
220- self .course .id
222+ self .hidden_course .id
221223 )
222224 self .add_user_to_role_in_course (
223225 self .unauthorized_user ,
224226 COURSE_EDITOR .external_key ,
225- self .course .id
227+ self .hidden_course .id
226228 )
227229 course = self ._make_api_call (
228230 self .unauthorized_user ,
229231 self .unauthorized_user ,
230- self .course .id
232+ self .hidden_course .id
231233 )
232- self .verify_course (course )
234+ self .verify_course (course , course_id = 'course-v1:edX+hidden+2012_Fall' )
233235
234236 def test_staff_access_without_authz_role (self ):
235237 """Staff bypasses AuthZ roles."""
0 commit comments