fixup! feat: check authz permissions for course tagging

Author: wgu-taylor-payne

cms/djangoapps/contentstore/views/block.py

@@ -11,8 +11,8 @@
 from django.utils.translation import gettext as _
 from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.http import require_http_methods
-from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
 from web_fragments.fragment import Fragment
 
 from cms.djangoapps.contentstore.utils import load_services_for_studio
@@ -28,9 +28,9 @@
 from common.djangoapps.edxmako.shortcuts import render_to_response, render_to_string
 from common.djangoapps.student.auth import has_studio_read_access, has_studio_write_access
 from common.djangoapps.util.json_request import JsonResponse, expect_json
-from openedx.core.djangoapps.content_tagging.toggles import is_tagging_feature_disabled
-from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
+from openedx.core.djangoapps.content_tagging.toggles import is_tagging_feature_disabled
 from openedx.core.lib.xblock_utils import hash_resource, request_token, wrap_xblock, wrap_xblock_aside
 from xmodule.modulestore.django import modulestore  # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.x_module import (  # lint-amnesty, pylint: disable=wrong-import-order

cms/djangoapps/contentstore/views/tests/test_block.py

@@ -9,7 +9,6 @@
 import ddt
 from bs4 import BeautifulSoup
 from django.conf import settings
-from django.core.exceptions import PermissionDenied
 from django.http import Http404
 from django.test import TestCase
 from django.test.client import RequestFactory
@@ -20,6 +19,7 @@
 from opaque_keys.edx.asides import AsideUsageKeyV2
 from opaque_keys.edx.keys import CourseKey, UsageKey
 from opaque_keys.edx.locator import BlockUsageLocator, CourseLocator
+from openedx_authz.constants.roles import COURSE_STAFF
 from openedx_events.content_authoring.data import DuplicatedXBlockData
 from openedx_events.content_authoring.signals import XBLOCK_DUPLICATED
 from openedx_events.testing import OpenEdxEventsTestMixin
@@ -55,13 +55,10 @@
 from common.djangoapps.xblock_django.user_service import DjangoXBlockUserService
 from common.test.utils import assert_dict_contains_subset
 from lms.djangoapps.lms_xblock.mixin import NONSENSICAL_ACCESS_RESTRICTION
-from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
 from openedx.core.djangoapps.authz.tests.mixins import CourseAuthoringAuthzTestMixin
 from openedx.core.djangoapps.content_tagging import api as tagging_api
 from openedx.core.djangoapps.discussions.models import DiscussionsConfiguration
 from openedx.core.djangoapps.video_config.toggles import PUBLIC_VIDEO_SHARE
-from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
-from openedx_authz.constants.roles import COURSE_STAFF
 from xmodule.course_block import DEFAULT_START_DATE
 from xmodule.modulestore import ModuleStoreEnum
 from xmodule.modulestore.django import modulestore
@@ -3529,10 +3526,10 @@ def test_authorized_user_gets_json_response(self):
         Test that authorized user gets JSON response from xblock_outline_handler.
         """
         outline_url = reverse_usage_url("xblock_outline_handler", self.usage_key)
-        
+
         self.client.login(username=self.authorized_user.username, password=self.password)
         resp = self.client.get(outline_url, HTTP_ACCEPT="application/json")
-        
+
         assert resp.status_code == 200
         json_response = json.loads(resp.content.decode("utf-8"))
         assert "id" in json_response
@@ -3544,21 +3541,21 @@ def test_unauthorized_user_gets_permission_denied(self):
         Test that unauthorized user gets 403 response from xblock_outline_handler.
         """
         outline_url = reverse_usage_url("xblock_outline_handler", self.usage_key)
-        
+
         self.client.login(username=self.unauthorized_user.username, password=self.password)
         resp = self.client.get(outline_url, HTTP_ACCEPT="application/json")
-        
+
         assert resp.status_code == 403
 
     def test_superuser_gets_json_response(self):
         """
         Test that superuser gets JSON response from xblock_outline_handler.
         """
         outline_url = reverse_usage_url("xblock_outline_handler", self.usage_key)
-        
+
         self.client.login(username=self.super_user.username, password=self.password)
         resp = self.client.get(outline_url, HTTP_ACCEPT="application/json")
-        
+
         assert resp.status_code == 200
         json_response = json.loads(resp.content.decode("utf-8"))
         assert "id" in json_response
@@ -3570,10 +3567,10 @@ def test_staff_user_gets_json_response(self):
         Test that staff user gets JSON response from xblock_outline_handler.
         """
         outline_url = reverse_usage_url("xblock_outline_handler", self.usage_key)
-        
+
         self.client.login(username=self.staff_user.username, password=self.password)
         resp = self.client.get(outline_url, HTTP_ACCEPT="application/json")
-        
+
         assert resp.status_code == 200
         json_response = json.loads(resp.content.decode("utf-8"))
         assert "id" in json_response
@@ -3585,10 +3582,10 @@ def test_authorized_chapter_outline(self):
         Test that authorized user can access chapter-level outline.
         """
         outline_url = reverse_usage_url("xblock_outline_handler", self.chapter.location)
-        
+
         self.client.login(username=self.authorized_user.username, password=self.password)
         resp = self.client.get(outline_url, HTTP_ACCEPT="application/json")
-        
+
         assert resp.status_code == 200
         json_response = json.loads(resp.content.decode("utf-8"))
         assert json_response["display_name"] == "Week 1"
@@ -3603,10 +3600,10 @@ def test_unauthorized_chapter_outline(self):
         Test that unauthorized user cannot access chapter-level outline.
         """
         outline_url = reverse_usage_url("xblock_outline_handler", self.chapter.location)
-        
+
         self.client.login(username=self.unauthorized_user.username, password=self.password)
         resp = self.client.get(outline_url, HTTP_ACCEPT="application/json")
-        
+
         assert resp.status_code == 403
 
 

openedx/core/djangoapps/content_tagging/auth.py

@@ -7,10 +7,11 @@
 from opaque_keys.edx.keys import CourseKey
 from opaque_keys.edx.locator import LibraryLocatorV2
 from openedx_authz import api as authz_api
-from openedx_authz.constants.permissions import COURSES_EXPORT_TAGS, COURSES_MANAGE_TAGS, COURSES_VIEW_COURSE
+from openedx_authz.constants.permissions import COURSES_EXPORT_TAGS
 from openedx_tagging import rules as oel_tagging_rules
 
 from openedx.core import toggles as core_toggles
+
 from .utils import get_context_key_from_key_string
 
 log = logging.getLogger(__name__)
@@ -46,7 +47,7 @@ def has_view_object_tags_access(user, object_id):
 def should_use_authz_for_object(object_id) -> tuple[bool, CourseKey | None]:
     """
     Check if openedx-authz should be used for the given object based on the context key and toggle.
-    
+
     Returns (should_use_authz, course_key) where:
     - should_use_authz: True if authz should be used, False otherwise
     - course_key: The CourseKey if object is a course, None otherwise
@@ -62,6 +63,6 @@ def should_use_authz_for_object(object_id) -> tuple[bool, CourseKey | None]:
     # Check if toggle is active
     if not core_toggles.enable_authz_course_authoring(context_key):
         return False, context_key
-    
+
     # Authz should be used for this course object
     return True, context_key

openedx/core/djangoapps/content_tagging/rest_api/v1/serializers.py

@@ -4,17 +4,16 @@
 
 from __future__ import annotations
 
+from openedx_authz import api as authz_api
+from openedx_authz.constants.permissions import COURSES_MANAGE_TAGS
 from openedx_tagging.rest_api.v1.serializers import (
     ObjectTagMinimalSerializer,
     ObjectTagsByTaxonomySerializer,
-    ObjectTagSerializer,
     TaxonomyListQueryParamsSerializer,
     TaxonomySerializer,
 )
 from organizations.models import Organization
 from rest_framework import fields, serializers
-from openedx_authz import api as authz_api
-from openedx_authz.constants.permissions import COURSES_MANAGE_TAGS
 
 from ...auth import should_use_authz_for_object
 from ...models import TaxonomyOrg
@@ -118,7 +117,7 @@ def can_tag_object(self, obj_tag) -> bool | None:
                     request.user.username, COURSES_MANAGE_TAGS.identifier, str(course_key)
                 )
             return False
-        
+
         # Fall back to parent implementation
         return super().can_tag_object(obj_tag)
 
@@ -139,7 +138,7 @@ class Meta(ObjectTagMinimalSerializer.Meta):
     def can_delete_object_tag(self, instance) -> bool | None:
         """
         Check if the user is authorized to delete the provided tag.
-        
+
         Override to return `False` if the object tag is copied,
         and conditionally use openedx-authz for course objects with the toggle enabled.
         """

openedx/core/djangoapps/content_tagging/rest_api/v1/tests/test_views.py

@@ -2153,11 +2153,11 @@ def setUpClass(cls):
 
     def setUp(self):
         super().setUp()
-        
+
         # Create another course for cross-course scoping tests
         self.other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.authorized_user.id)
         self.other_course_key = self.other_course.id
-        
+
         # Create taxonomy
         self.taxonomy = tagging_api.create_taxonomy(
             name="Test Taxonomy",
@@ -2168,7 +2168,7 @@ def setUp(self):
             org=None, # Global taxonomy not tied to any org
             rel_type=TaxonomyOrg.RelType.OWNER,
         )
-        
+
         # Create tags
         self.tag1 = Tag.objects.create(
             taxonomy=self.taxonomy,
@@ -2178,12 +2178,12 @@ def setUp(self):
             taxonomy=self.taxonomy,
             value="Tag 2",
         )
-        
-        # Create auditor user with view-only permissions  
+
+        # Create auditor user with view-only permissions
         self.auditor_user = UserFactory(password=self.password)
         self.auditor_client = APIClient()
         self.auditor_client.force_authenticate(user=self.auditor_user)
-        
+
         # Assign auditor role to auditor_user
         self.add_user_to_role_in_course(
             self.auditor_user,
@@ -2200,7 +2200,7 @@ def _update_tags_request(self, object_id, tags_data=None):
                     "tags": ["Tag 1", "Tag 2"]
                 }
             ]
-        
+
         url = OBJECT_TAG_UPDATE_URL.format(object_id=object_id)
         return url, {"tagsData": tags_data}
 
@@ -2251,12 +2251,12 @@ def test_course_staff_sees_manage_permissions(self):
         url, data = self._update_tags_request(str(self.course_key))
         response = self.authorized_client.put(url, data, format='json')
         assert response.status_code == status.HTTP_200_OK
-        
+
         # Now check permissions in GET response
         url = self._get_tags_request(str(self.course_key))
         response = self.authorized_client.get(url)
         assert response.status_code == status.HTTP_200_OK
-        
+
         # Check serializer permissions in response data
         taxonomies = response.data[str(self.course_key)]["taxonomies"]
         assert len(taxonomies) == 1
@@ -2273,12 +2273,12 @@ def test_course_auditor_sees_view_only_permissions(self):
         url, data = self._update_tags_request(str(self.course_key))
         response = self.authorized_client.put(url, data, format='json')
         assert response.status_code == status.HTTP_200_OK
-        
+
         # Now check permissions as auditor in GET response
         url = self._get_tags_request(str(self.course_key))
         response = self.auditor_client.get(url)
         assert response.status_code == status.HTTP_200_OK
-        
+
         # Check serializer permissions in response data
         taxonomies = response.data[str(self.course_key)]["taxonomies"]
         assert len(taxonomies) == 1
@@ -2299,7 +2299,7 @@ def test_library_fallthrough_to_legacy(self):
         """Library object_id falls through to legacy permissions"""
         # Create organization for library
         org, created = Organization.objects.get_or_create(short_name="TestOrg")
-        
+
         # Create library
         library = create_library(
             org=org,
@@ -2308,14 +2308,14 @@ def test_library_fallthrough_to_legacy(self):
             description="Test library for authz fallthrough",
         )
         library_key = library.key
-        
+
         # Grant library access to authorized_user
         set_library_user_permissions(
             library_key,
             self.authorized_user,
             AccessLevel.ADMIN_LEVEL
         )
-        
+
         # Test that library requests fall through to legacy permissions
         url = self._get_tags_request(str(library_key))
         response = self.authorized_client.get(url)

openedx/core/djangoapps/content_tagging/rest_api/v1/views.py

@@ -5,12 +5,12 @@
 
 from django.db.models import Count
 from django.http import StreamingHttpResponse
+from openedx_authz import api as authz_api
+from openedx_authz.constants.permissions import COURSES_MANAGE_TAGS, COURSES_VIEW_COURSE
 from openedx_events.content_authoring.data import ContentObjectChangedData, ContentObjectData
 from openedx_events.content_authoring.signals import CONTENT_OBJECT_ASSOCIATIONS_CHANGED, CONTENT_OBJECT_TAGS_CHANGED
 from openedx_tagging import rules as oel_tagging_rules
 from openedx_tagging.rest_api.v1.views import ObjectTagView, TaxonomyView
-from openedx_authz.constants.permissions import COURSES_MANAGE_TAGS, COURSES_VIEW_COURSE
-from openedx_authz import api as authz_api
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
@@ -174,14 +174,14 @@ def _should_use_authz(self) -> bool:
     def get_permissions(self):
         """
         Override get_permissions when using openedx-authz.
-        
+
         When the toggle is enabled for course objects, we need to change the default
         permission classes set by the parent ObjectTagView so that only openedx-authz
         permissions are used.
         """
         if self._should_use_authz():
             return [IsAuthenticated()]
-        
+
         return super().get_permissions()
 
     def ensure_has_view_object_tag_permission(self, user, taxonomy, object_id):