Skip to content

feat: add authz permission checks for course grading configuration endpoints #38208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wgu-taylor-payne merged 2 commits into from
Mar 31, 2026
Merged

feat: add authz permission checks for course grading configuration endpoints #38208

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b11298b
feat: add authz permission checks for course grading configuration en…
rodmgwgu Mar 24, 2026
5f3dea0
squash!: Apply suggestions
rodmgwgu Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
118 changes: 118 additions & 0 deletions cms/djangoapps/contentstore/rest_api/v0/tests/test_authoring_grading.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
"""
Unit tests for authoring grading views.
"""
import json

from openedx_authz.constants.roles import COURSE_DATA_RESEARCHER, COURSE_STAFF
from rest_framework import status
from rest_framework.test import APIClient

from cms.djangoapps.contentstore.api.tests.base import BaseCourseViewTest
from common.djangoapps.student.tests.factories import UserFactory
from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin

class AuthoringGradingViewAuthzTest(CourseAuthzTestMixin, BaseCourseViewTest):
"""
Tests Authoring Grading configuration API authorization using openedx-authz.
The endpoint uses the COURSES_EDIT_GRADING_SETTINGS permission.
"""

view_name = "cms.djangoapps.contentstore:v0:cms_api_update_grading"
authz_roles_to_assign = [COURSE_STAFF.external_key]
post_data = json.dumps({
"graders": [
{
"type": "Homework",
"min_count": 1,
"drop_count": 0,
"short_label": "",
"weight": 100,
"id": 0
}
],
"grade_cutoffs": {
"A": 0.75,
"B": 0.63,
"C": 0.57,
"D": 0.5
},
"grace_period": {
"hours": 12,
"minutes": 0
},
"minimum_grade_credit": 0.7,
"is_credit_course": True
})

def test_authorized_user_can_access_post(self):
"""User with COURSE_STAFF role can access."""
resp = self.authorized_client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_200_OK)
Comment on lines +47 to +54
Copy link
Copy Markdown
Contributor

@BryanttV BryanttV Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check the access for all roles? Since the COURSE_AUDITOR role shouldn't have permission to update.

Copy link
Copy Markdown
Contributor Author

@rodmgwgu rodmgwgu Mar 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case we are not interested in testing the role permissions, just that the authz permission check is working.

In this case we picked 4 main cases:

  1. A user with a role we know has access (COURSE_STAFF)
  2. A user with a role we know doesn't have access (COURSE_DATA_RESEARCHER)
  3. A user with no role
  4. A user with Django staff or superuser permissions.


def test_unauthorized_user_cannot_access_post(self):
"""User without role cannot access."""
resp = self.unauthorized_client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_role_scoped_to_course_post(self):
"""Authorization should only apply to the assigned course."""
other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id)

resp = self.authorized_client.post(
self.get_url(other_course.id),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_staff_user_allowed_via_legacy_post(self):
Copy link
Copy Markdown
Contributor

@BryanttV BryanttV Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the flag is enabled, I think it's not validating the legacy permissions here?

Copy link
Copy Markdown
Contributor Author

@rodmgwgu rodmgwgu Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here what we are testing is the special case we have that if someone is staff or superuser will always have access, as defined here: https://github.com/openedx/openedx-authz/blob/16a6bbb40e5de690faf0c31cec02cd348f929741/openedx_authz/engine/matcher.py#L55

Maybe the naming is misleading, I'll review it

"""
Staff users should still pass through legacy fallback.
"""
self.client.login(username=self.staff.username, password=self.password)

resp = self.client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_superuser_allowed_post(self):
"""Superusers should always be allowed."""
superuser = UserFactory(is_superuser=True)

client = APIClient()
client.force_authenticate(user=superuser)

resp = client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_non_staff_user_cannot_access_post(self):
"""
User without required permissions should be denied.
This case validates that a non-staff user doesn't get access.
"""
non_staff_user = UserFactory()
non_staff_client = APIClient()
self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
non_staff_client.force_authenticate(user=non_staff_user)

resp = non_staff_client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
14 changes: 7 additions & 7 deletions cms/djangoapps/contentstore/rest_api/v0/views/authoring_grading.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@

import edx_api_doc_tools as apidocs
from opaque_keys.edx.keys import CourseKey
from openedx_authz.constants.permissions import COURSES_EDIT_GRADING_SETTINGS
from rest_framework.request import Request
from rest_framework.response import Response
from rest_framework.views import APIView

from cms.djangoapps.models.settings.course_grading import CourseGradingModel
from common.djangoapps.student.auth import has_studio_read_access
from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
from openedx.core.djangoapps.authz.decorators import authz_permission_required
from openedx.core.djangoapps.credit.tasks import update_credit_course_requirements
from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
from ..serializers import CourseGradingModelSerializer
Expand All @@ -31,7 +33,10 @@ class AuthoringGradingView(DeveloperErrorViewMixin, APIView):
},
)
@verify_course_exists()
def post(self, request: Request, course_id: str):
# Please note: previous legacy permisison was checking for has_studio_read_access
# So we are using LegacyAuthoringPermission.READ to keep compatibility
@authz_permission_required(COURSES_EDIT_GRADING_SETTINGS.identifier, LegacyAuthoringPermission.READ)
def post(self, request: Request, course_key: CourseKey):
"""
Update a course's grading.

Expand Down Expand Up @@ -75,11 +80,6 @@ def post(self, request: Request, course_id: str):

If the request is successful, an HTTP 200 "OK" response is returned,
"""
course_key = CourseKey.from_string(course_id)

if not has_studio_read_access(request.user, course_key):
self.permission_denied(request)

if 'minimum_grade_credit' in request.data:
update_credit_course_requirements.delay(str(course_key))

Expand Down
24 changes: 10 additions & 14 deletions cms/djangoapps/contentstore/rest_api/v1/views/grading.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,14 @@
import edx_api_doc_tools as apidocs
from django.conf import settings
from opaque_keys.edx.keys import CourseKey
from openedx_authz.constants.permissions import COURSES_VIEW_GRADING_SETTINGS, COURSES_EDIT_GRADING_SETTINGS
from rest_framework.request import Request
from rest_framework.response import Response
from rest_framework.views import APIView

from cms.djangoapps.models.settings.course_grading import CourseGradingModel
from common.djangoapps.student.auth import has_studio_read_access
from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
from openedx.core.djangoapps.authz.decorators import authz_permission_required
from openedx.core.djangoapps.credit.api import is_credit_course
from openedx.core.djangoapps.credit.tasks import update_credit_course_requirements
from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
Expand Down Expand Up @@ -36,7 +38,8 @@ class CourseGradingView(DeveloperErrorViewMixin, APIView):
},
)
@verify_course_exists()
def get(self, request: Request, course_id: str):
@authz_permission_required(COURSES_VIEW_GRADING_SETTINGS.identifier, LegacyAuthoringPermission.READ)
def get(self, request: Request, course_key: CourseKey):
"""
Get an object containing course grading settings with model.

Expand Down Expand Up @@ -90,11 +93,6 @@ def get(self, request: Request, course_id: str):
}
```
"""
course_key = CourseKey.from_string(course_id)

if not has_studio_read_access(request.user, course_key):
self.permission_denied(request)

with modulestore().bulk_operations(course_key):
credit_eligibility_enabled = settings.FEATURES.get("ENABLE_CREDIT_ELIGIBILITY", False)
show_credit_eligibility = is_credit_course(course_key) and credit_eligibility_enabled
Expand All @@ -118,13 +116,16 @@ def get(self, request: Request, course_id: str):
},
)
@verify_course_exists()
def post(self, request: Request, course_id: str):
# Please note: previous legacy permisison was checking for has_studio_read_access
# So we are using LegacyAuthoringPermission.READ to keep compatibility
@authz_permission_required(COURSES_EDIT_GRADING_SETTINGS.identifier, LegacyAuthoringPermission.READ)
def post(self, request: Request, course_key: CourseKey):
"""
Update a course's grading.

**Example Request**

PUT /api/contentstore/v1/course_grading/{course_id}
POST /api/contentstore/v1/course_grading/{course_id}

**POST Parameters**

Expand Down Expand Up @@ -162,11 +163,6 @@ def post(self, request: Request, course_id: str):

If the request is successful, an HTTP 200 "OK" response is returned,
"""
course_key = CourseKey.from_string(course_id)

if not has_studio_read_access(request.user, course_key):
self.permission_denied(request)

if 'minimum_grade_credit' in request.data:
update_credit_course_requirements.delay(str(course_key))

Expand Down
151 changes: 151 additions & 0 deletions cms/djangoapps/contentstore/rest_api/v1/views/tests/test_grading.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,16 @@

import ddt
from django.urls import reverse
from openedx_authz.constants.roles import COURSE_DATA_RESEARCHER, COURSE_STAFF
from rest_framework import status
from rest_framework.test import APIClient

from cms.djangoapps.contentstore.api.tests.base import BaseCourseViewTest
from cms.djangoapps.contentstore.tests.utils import CourseTestCase
from cms.djangoapps.contentstore.utils import get_proctored_exam_settings_url
from cms.djangoapps.models.settings.course_grading import CourseGradingModel
from common.djangoapps.student.tests.factories import UserFactory
from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin
from openedx.core.djangoapps.credit.tests.factories import CreditCourseFactory

from ...mixins import PermissionAccessMixin
Expand Down Expand Up @@ -117,3 +122,149 @@ def test_post_course_grading(self, mock_update_credit_course_requirements):
)
self.assertEqual(response.status_code, status.HTTP_200_OK)
mock_update_credit_course_requirements.assert_called_once()


class CourseGradingViewAuthzTest(CourseAuthzTestMixin, BaseCourseViewTest):
"""
Tests Course Grading Configuration API authorization using openedx-authz.
The endpoint uses COURSES_VIEW_GRADING_SETTINGS and COURSES_EDIT_GRADING_SETTINGS permissions.
"""

view_name = "cms.djangoapps.contentstore:v1:course_grading"
authz_roles_to_assign = [COURSE_STAFF.external_key]
post_data = json.dumps({
"graders": [{
"type": "Homework",
"min_count": 1,
"drop_count": 0,
"short_label": "",
"weight": 100,
"id": 0
}],
"grade_cutoffs": {"A": 0.75, "B": 0.63, "C": 0.57, "D": 0.5},
"grace_period": {"hours": 12, "minutes": 0},
"minimum_grade_credit": 0.7,
"is_credit_course": False,
})

def test_authorized_user_can_access_get(self):
"""User with COURSE_STAFF role can access."""
resp = self.authorized_client.get(self.get_url(self.course_key))
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_unauthorized_user_cannot_access_get(self):
"""User without role cannot access."""
resp = self.unauthorized_client.get(self.get_url(self.course_key))
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_role_scoped_to_course_get(self):
"""Authorization should only apply to the assigned course."""
other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id)

resp = self.authorized_client.get(self.get_url(other_course.id))
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_staff_user_allowed_via_legacy_get(self):
"""
Staff users should still pass through legacy fallback.
"""
self.client.login(username=self.staff.username, password=self.password)

resp = self.client.get(self.get_url(self.course_key))
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_superuser_allowed_get(self):
"""Superusers should always be allowed."""
superuser = UserFactory(is_superuser=True)

client = APIClient()
client.force_authenticate(user=superuser)

resp = client.get(self.get_url(self.course_key))
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_non_staff_user_cannot_access_get(self):
"""
User without required permissions should be denied.
This case validates that a non-staff user doesn't get access.
"""
non_staff_user = UserFactory()
non_staff_client = APIClient()
self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
non_staff_client.force_authenticate(user=non_staff_user)

resp = non_staff_client.get(self.get_url(self.course_key))
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_authorized_user_can_access_post(self):
"""User with COURSE_STAFF role can access."""
resp = self.authorized_client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_unauthorized_user_cannot_access_post(self):
"""User without role cannot access."""
resp = self.unauthorized_client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_role_scoped_to_course_post(self):
"""Authorization should only apply to the assigned course."""
other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id)

resp = self.authorized_client.post(
self.get_url(other_course.id),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

def test_staff_user_allowed_via_legacy_post(self):
"""
Staff users should still pass through legacy fallback.
"""
self.client.login(username=self.staff.username, password=self.password)

resp = self.client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_superuser_allowed_post(self):
"""Superusers should always be allowed."""
superuser = UserFactory(is_superuser=True)

client = APIClient()
client.force_authenticate(user=superuser)

resp = client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_200_OK)

def test_non_staff_user_cannot_access_post(self):
"""
User without required permissions should be denied.
This case validates that a non-staff user doesn't get access.
"""
non_staff_user = UserFactory()
non_staff_client = APIClient()
self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
non_staff_client.force_authenticate(user=non_staff_user)

resp = non_staff_client.post(
self.get_url(self.course_key),
data=self.post_data,
content_type="application/json"
)
self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
Loading