Merge branch 'master' into marslan/10083-export-content-libraries-git

Author: pdpinch

cms/djangoapps/contentstore/rest_api/v1/views/certificates.py

@@ -6,11 +6,14 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from openedx_authz.constants.permissions import COURSES_MANAGE_CERTIFICATES
+
 from cms.djangoapps.contentstore.utils import get_certificates_context
 from cms.djangoapps.contentstore.rest_api.v1.serializers import (
     CourseCertificatesSerializer,
 )
-from common.djangoapps.student.auth import has_studio_write_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.lib.api.view_utils import (
     DeveloperErrorViewMixin,
     verify_course_exists,
@@ -96,7 +99,12 @@ def get(self, request: Request, course_id: str):
         course_key = CourseKey.from_string(course_id)
         store = modulestore()
 
-        if not has_studio_write_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_MANAGE_CERTIFICATES.identifier,
+            course_key,
+            LegacyAuthoringPermission.WRITE
+        ):
             self.permission_denied(request)
 
         with store.bulk_operations(course_key):

cms/djangoapps/contentstore/rest_api/v1/views/tests/test_certificates.py

@@ -4,8 +4,11 @@
 from django.urls import reverse
 from rest_framework import status
 
+from openedx_authz.constants.roles import COURSE_STAFF, COURSE_EDITOR
+
 from cms.djangoapps.contentstore.tests.utils import CourseTestCase
 from cms.djangoapps.contentstore.views.tests.test_certificates import HelperMethods
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthoringAuthzTestMixin
 
 from ...mixins import PermissionAccessMixin
 
@@ -36,3 +39,35 @@ def test_success_response(self):
         self.assertEqual(response_data["course_number_override"], self.course.display_coursenumber)
         self.assertEqual(response_data["course_title"], self.course.display_name_with_default)
         self.assertEqual(response_data["course_number"], self.course.number)
+
+
+class CourseCertificatesAuthzViewTest(
+        CourseAuthoringAuthzTestMixin, CourseTestCase, PermissionAccessMixin, HelperMethods
+    ):
+    """
+    Tests for CourseCertificatesView with AuthZ enabled.
+    """
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            "cms.djangoapps.contentstore:v1:certificates",
+            kwargs={"course_id": self.course.id},
+        )
+
+    def test_authorized_user_can_access(self):
+        """User with COURSE_STAFF role can access."""
+        self._add_course_certificates(count=2, signatory_count=2)
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access(self):
+        """
+        User without permissions should be denied.
+        This case validates that a non-staff user cannot access.
+        """
+        self._add_course_certificates(count=2, signatory_count=2)
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_EDITOR.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

cms/djangoapps/contentstore/tests/test_utils.py

@@ -9,7 +9,6 @@
 from django.conf import settings
 from django.test import TestCase
 from django.test.utils import override_settings
-from edx_toggles.toggles.testutils import override_waffle_flag
 from opaque_keys.edx.keys import CourseKey
 from opaque_keys.edx.locator import CourseLocator, LibraryLocator
 from openedx_events.tests.utils import OpenEdxEventsTestMixin
@@ -24,7 +23,6 @@
 from cms.djangoapps.contentstore.utils import send_course_update_notification
 from common.djangoapps.student.models import CourseEnrollment
 from common.djangoapps.student.tests.factories import GlobalStaffFactory, InstructorFactory, UserFactory
-from openedx.core.djangoapps.notifications.config.waffle import ENABLE_NOTIFICATIONS
 from openedx.core.djangoapps.notifications.models import Notification
 from openedx.core.djangoapps.site_configuration.tests.test_util import with_site_configuration_context
 from xmodule.modulestore import ModuleStoreEnum  # lint-amnesty, pylint: disable=wrong-import-order
@@ -938,7 +936,6 @@ def test_update_course_details_instructor_paced(self, mock_update):
         mock_update.assert_called_once_with(self.course.id, payload, mock_request.user)
 
 
-@override_waffle_flag(ENABLE_NOTIFICATIONS, active=True)
 class CourseUpdateNotificationTests(OpenEdxEventsTestMixin, ModuleStoreTestCase):
     """
     Unit tests for the course_update notification.