fix: keep unmigrated legacy roles working under the authz authoring flag#38855
fix: keep unmigrated legacy roles working under the authz authoring flag#38855mariajgrimaldi wants to merge 5 commits into
Conversation
|
Thanks for the pull request, @mariajgrimaldi! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
| """ | ||
| Returns a boolean if the AuthZ for course authoring feature is enabled for the given course. | ||
| """ | ||
| return AUTHZ_COURSE_AUTHORING_FLAG.is_enabled(course_key) |
There was a problem hiding this comment.
Note to reviewer: this was moved to the roles.py module to avoid a dependency on a more specific module, so that enable_authz_course_authoring remains a specific implementation of the authorization framework.
80d3f45 to
e414311
Compare
Granting and exercising course creator access crashed once authz.enable_course_authoring was on. The courses.create_course permission was implemented in AuthZ, but the course creator role itself was never migrated there. The code deciding whether to use the AuthZ path only checked the flag's state, not whether the specific role had actually been migrated, so unmigrated roles like course creator still used the AuthZ path and crashed. enable_authz_course_authoring now takes an optional role and falls back to the course creator role's own check for any role without a migrated AuthZ equivalent, regardless of the flag. See ADR 0027. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
is_content_creator still checked authz for the course creator role, but that role isn't migrated there, so the check was dead code and never actually used. Some tests asserted the authz behavior as correct (deny by default, staff blocked by DISABLE_COURSE_CREATION), but we want the course creator role's own behavior here: staff exempt, wide open unless ENABLE_CREATOR_GROUP is set. Now always checks the course creator role directly. Removes the dead authz check and its unused imports, fixes a stale core_toggles.enable_authz_course_authoring reference found along the way, and drops the tests asserting the wrong behavior. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
TestCourseHandlerAuthz didn't test anything AuthZ-specific anymore since course creation always checks the course creator role now. Replaced its one test with TestCourseHandlerStaffAccess, no AuthZ mixin. Also notes in ADR 0027 that course creation skips the role check entirely for now. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
is_content_creator doesn't check the flag at all for course creation now, so this proves it, not just tests one flag state by coincidence. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
| def _has_content_creator_access(user, org): | ||
| """ | ||
| Check if the user has content creator access based on AuthZ permissions. | ||
|
|
||
| Returns: | ||
| bool: True if the user has platform-wide or org-scoped course creation permission. | ||
| """ | ||
| if settings.FEATURES.get("DISABLE_COURSE_CREATION", False): | ||
| return False | ||
|
|
||
| scope_keys = ( | ||
| authz_api.PlatformCourseOverviewGlobData.build_external_key(), | ||
| authz_api.OrgCourseOverviewGlobData.build_external_key(org), | ||
| ) | ||
| return any( | ||
| authz_api.is_user_allowed(user.username, COURSES_CREATE_COURSE.identifier, scope_key) | ||
| for scope_key in scope_keys | ||
| ) |
There was a problem hiding this comment.
Note for reviewer:
Noticed a discrepancy in course creation permissions which made it unsustainable to maintain these while we don't support course creation:
Today, staff can always create courses, even when course creation is disabled site-wide with DISABLE_COURSE_CREATION. This can be confirmed with the _has_legacy_content_creator_access function:
https://github.com/openedx/openedx-platform/blob/master/common/djangoapps/student/auth.py#L245-L254
https://github.com/openedx/openedx-platform/blob/master/common/djangoapps/student/auth.py#L50-L77
Now, once the AuthZ flag is on, that stops being true, disabling course creation blocks everyone, staff included. I don't think this is intentional, so I dropped this code path until we have support for course creation. We fallback to the previous course creation mechanism in all cases.
32f4237 to
0c57040
Compare
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
I tested in the sandbox https://github.com/openedx/openedx-platform/pull/38855/checks?check_run_id=86068585865 by following the instructions from the cover letter. |
Description
Granting and exercising course creator access crashed once the waffle flag
authz.enable_course_authoringwas on. Thecourses.create_coursepermission was implemented in AuthZ, but the course creator role itself was never migrated there. The code deciding whether to use the AuthZ path only checked the flag's state, not whether the specific role had actually been migrated, so unmigrated roles like course creator still used the AuthZ path and crashed.enable_authz_course_authoringnow takes an optional role and falls back to the course creator role's own check for any role without a migrated AuthZ equivalent, regardless of the flag. See ADR 0027 for details.Supporting information
Fixes openedx/openedx-authz#353
Fixes openedx/openedx-authz#354
Related previous PR introducing
course.create_course: #38259Testing instructions
openedx-authz#353 (500 on granting course creator via Django admin)
authz.enable_course_authoringwaffle flag./admin/course_creators/coursecreator/<id>/change/.InvalidKeyErrortrying to parsecourse_key=None) was raised.openedx-authz#354 (403 on course creation despite a legacy grant)
/admin/course_creators/coursecreator/).POST /course/returns 403 (User does not have the permission to create courses in this organization or course creation is disabled).Deadline
Verawood since it's a release blocker
Other information
Include anything else that will help reviewers and consumers understand the change.