Skip to content

fix: keep unmigrated legacy roles working under the authz authoring flag#38855

Open
mariajgrimaldi wants to merge 5 commits into
masterfrom
MJG/dual-path-course-authoring-migration
Open

fix: keep unmigrated legacy roles working under the authz authoring flag#38855
mariajgrimaldi wants to merge 5 commits into
masterfrom
MJG/dual-path-course-authoring-migration

Conversation

@mariajgrimaldi

@mariajgrimaldi mariajgrimaldi commented Jul 7, 2026

Copy link
Copy Markdown
Member

Description

Granting and exercising course creator access crashed once the waffle flag authz.enable_course_authoring was on. The courses.create_course permission was implemented in AuthZ, but the course creator role itself was never migrated there. The code deciding whether to use the AuthZ path only checked the flag's state, not whether the specific role had actually been migrated, so unmigrated roles like course creator still used the AuthZ path and crashed. enable_authz_course_authoring now takes an optional role and falls back to the course creator role's own check for any role without a migrated AuthZ equivalent, regardless of the flag. See ADR 0027 for details.

Supporting information

Fixes openedx/openedx-authz#353
Fixes openedx/openedx-authz#354
Related previous PR introducing course.create_course: #38259

Testing instructions

openedx-authz#353 (500 on granting course creator via Django admin)

  1. Enable the authz.enable_course_authoring waffle flag.
  2. Log in to Studio as a user with no course creator access, and request it from Studio.
  3. Log in as a Django admin, go to /admin/course_creators/coursecreator/<id>/change/.
  4. Set the request to Granted and save.
  5. Before this fix a 500 error (InvalidKeyError trying to parse course_key=None) was raised.

openedx-authz#354 (403 on course creation despite a legacy grant)

  1. With the flag still on, grant a non-admin user course creator access for all organizations via Django admin (/admin/course_creators/coursecreator/).
  2. Log in to Studio as that user, open the New Course form, fill it in, and submit.
  3. Before this fix, POST /course/ returns 403 (User does not have the permission to create courses in this organization or course creation is disabled).

Deadline

Verawood since it's a release blocker

Other information

Include anything else that will help reviewers and consumers understand the change.

  • Does this change depend on other changes elsewhere?
  • Any special concerns or limitations? For example: deprecations, migrations, security, or accessibility.
  • If your database migration can't be rolled back easily.

@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Jul 7, 2026
@openedx-webhooks

openedx-webhooks commented Jul 7, 2026

Copy link
Copy Markdown

Thanks for the pull request, @mariajgrimaldi!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

Comment thread openedx/core/toggles.py
"""
Returns a boolean if the AuthZ for course authoring feature is enabled for the given course.
"""
return AUTHZ_COURSE_AUTHORING_FLAG.is_enabled(course_key)

@mariajgrimaldi mariajgrimaldi Jul 7, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to reviewer: this was moved to the roles.py module to avoid a dependency on a more specific module, so that enable_authz_course_authoring remains a specific implementation of the authorization framework.

@mariajgrimaldi mariajgrimaldi force-pushed the MJG/dual-path-course-authoring-migration branch from 80d3f45 to e414311 Compare July 7, 2026 13:55
mariajgrimaldi and others added 4 commits July 8, 2026 15:17
Granting and exercising course creator access crashed once
authz.enable_course_authoring was on. The courses.create_course
permission was implemented in AuthZ, but the course creator role itself
was never migrated there. The code deciding whether to use the AuthZ path
only checked the flag's state, not whether the specific role had actually
been migrated, so unmigrated roles like course creator still used the
AuthZ path and crashed.

enable_authz_course_authoring now takes an optional role and falls back
to the course creator role's own check for any role without a migrated
AuthZ equivalent, regardless of the flag. See ADR 0027.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
is_content_creator still checked authz for the course creator role, but
that role isn't migrated there, so the check was dead code and never
actually used. Some tests asserted the authz behavior as correct (deny by
default, staff blocked by DISABLE_COURSE_CREATION), but we want the
course creator role's own behavior here: staff exempt, wide open unless
ENABLE_CREATOR_GROUP is set.

Now always checks the course creator role directly. Removes the dead
authz check and its unused imports, fixes a stale
core_toggles.enable_authz_course_authoring reference found along the way,
and drops the tests asserting the wrong behavior.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
TestCourseHandlerAuthz didn't test anything AuthZ-specific anymore since
course creation always checks the course creator role now. Replaced its
one test with TestCourseHandlerStaffAccess, no AuthZ mixin. Also notes in
ADR 0027 that course creation skips the role check entirely for now.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
is_content_creator doesn't check the flag at all for course creation now,
so this proves it, not just tests one flag state by coincidence.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Comment on lines -253 to -270
def _has_content_creator_access(user, org):
"""
Check if the user has content creator access based on AuthZ permissions.

Returns:
bool: True if the user has platform-wide or org-scoped course creation permission.
"""
if settings.FEATURES.get("DISABLE_COURSE_CREATION", False):
return False

scope_keys = (
authz_api.PlatformCourseOverviewGlobData.build_external_key(),
authz_api.OrgCourseOverviewGlobData.build_external_key(org),
)
return any(
authz_api.is_user_allowed(user.username, COURSES_CREATE_COURSE.identifier, scope_key)
for scope_key in scope_keys
)

@mariajgrimaldi mariajgrimaldi Jul 8, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for reviewer:

Noticed a discrepancy in course creation permissions which made it unsustainable to maintain these while we don't support course creation:

Today, staff can always create courses, even when course creation is disabled site-wide with DISABLE_COURSE_CREATION. This can be confirmed with the _has_legacy_content_creator_access function:

https://github.com/openedx/openedx-platform/blob/master/common/djangoapps/student/auth.py#L245-L254

https://github.com/openedx/openedx-platform/blob/master/common/djangoapps/student/auth.py#L50-L77

Now, once the AuthZ flag is on, that stops being true, disabling course creation blocks everyone, staff included. I don't think this is intentional, so I dropped this code path until we have support for course creation. We fallback to the previous course creation mechanism in all cases.

@mariajgrimaldi mariajgrimaldi force-pushed the MJG/dual-path-course-authoring-migration branch from 32f4237 to 0c57040 Compare July 8, 2026 14:40
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@mariajgrimaldi mariajgrimaldi marked this pull request as ready for review July 8, 2026 15:35
@mphilbrick211 mphilbrick211 moved this from Needs Triage to Ready for Review in Contributions Jul 8, 2026
@mariajgrimaldi mariajgrimaldi added the create-sandbox open-craft-grove should create a sandbox environment from this PR label Jul 9, 2026
@mariajgrimaldi

Copy link
Copy Markdown
Member Author

I tested in the sandbox https://github.com/openedx/openedx-platform/pull/38855/checks?check_run_id=86068585865 by following the instructions from the cover letter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). create-sandbox open-craft-grove should create a sandbox environment from this PR open-source-contribution PR author is not from Axim or 2U

Projects

Status: Ready for Review

Development

Successfully merging this pull request may close these issues.

Can't create course as user with course creator access when flag is enabled Can't grant course creator when flag is enabled

3 participants