feat: add AuthZ permissions for course schedule & details

[dwong2708]

Description

This PR introduces new AuthZ permission checks for the Schedule & Details section in course settings, implemented behind a feature flag.

The work follows the requirements defined in the ticket, covering both read and update operations for course schedule and details.

Scope of Changes

Permissions introduced:

• courses.view_schedule_and_details
• course.edit_schedule
• course.edit_details
• course.view_course

Endpoints updated:

GET /api/contentstore/v1/course_settings/{course_id}/
GET /api/contentstore/v1/course_details/{course_id}/
PUT /api/contentstore/v1/course_details/{course_id}/

All permission checks are gated behind the corresponding feature flag.

Implementation Details

• GET endpoints. Require courses.view_schedule_and_details permission.
• PUT endpoint
  • Handles updates for both schedule and details in a single request.
  • Introduce payload-level inspection to differentiate between schedule and details updates, and enforce permissions accordingly.
• Due to the merged data model (schedule + details updated together), enforcing separate permissions (course.edit_schedule vs course.edit_details) at field level would introduce additional complexity and performance overhead.

Testing instructions

Verified that:

• Authorized users can access the endpoints.
• Unauthorized users receive a 403 response.
• Legacy permission fallback works as expected.

Running relevant tests manually:

On a cms container (run with tutor dev exec cms bash), do:

pytest -p no:randomly --ds=cms.envs.test cms/djangoapps/contentstore/rest_api/v1/views/tests/test_course_details.py::CourseDetailsAuthzViewTest

pytest -p no:randomly --ds=cms.envs.test cms/djangoapps/contentstore/rest_api/v1/views/tests/test_settings.py

Deadline

Verawood

Other information

Closes openedx/openedx-authz#195

[openedx-webhooks]

Thanks for the pull request, @dwong2708!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[rodmgwgu]

Just some nits and changes needed due to other PRs already merged in master.

Please make sure to rebase from master to make sure nothing breaks.

[rodmgwgu]

Looking good, thanks!

[wgu-taylor-payne]

I think technically if a PUT request comes in with the same data as the current data, the endpoint should return a 200 response with the current object state. So, at least in that case, an error wouldn't be appropriate.

[dwong2708]

Right — I decided to return 200 for authorized users and 403 for unauthorized users when both send a payload with no changes.

[wgu-taylor-payne]

I was testing this a little and found I got to this line under the if statement with these values:

field: 'certificates_display_behavior'
payload_value: 'CertificatesDisplayBehaviors.END'
current_value: <CertificatesDisplayBehaviors.END: 'end'>

[dwong2708]

I left a comment in the code about this. It happens because I used the value directly from the GET response, which resulted in an invalid string. I added a note explaining this and updated the test payload with the correct value.

[wgu-taylor-payne]

Can payload_value be None?

[dwong2708]

Yes, the issue is that there’s no prior validation in the endpoint, so I need to take a defensive programming approach in some parts of the code.

[mariajgrimaldi]

Only one question left! Thank you for all the clarifications :)

[mariajgrimaldi]

Should certificate_available_date also be included here? I'm unclear on what counts as schedule and what doesn't. If we're considering everything datetime to be part of the schedule, it might be safer to not have this here hardcoded and derive it from CourseDetailsSerializer. If a new field is added down the rode then we'd be missing it.

[dwong2708]

I based on the UI section:

Even though I enabled certificates, I don’t see certificate_available_date in the Schedule section. I don’t have enough context, do you think it should be included as part of the schedule fields?

[mariajgrimaldi]

It's supposed to be this: https://docs.openedx.org/en/latest/educators/how-tos/set_up_course/edit_certificate.html#specify-a-different-certificates-available-date, but I always struggle to set it up. This time I:

1. Enabled this waffle switch /admin/waffle/switch/ certificates.auto_certificate_generation
2. Configured my course to be instructor paced with a valid certificate (not sure if the certificate was necessary)

It's not only a question of whether it's part of the schedule, but also whether the course has an available date, which is part of the course details. I think this would fail, no? (I think this was already discussed here: #38213 (comment))

@rodmgwgu what do you think?

[rodmgwgu]

I think this would be a product question, @gviedma-aulasneo what do you think?

[wgu-taylor-payne]

LGTM!