feat: enforce authz permissions for Pages & Resources endpoints #38275
wgu-taylor-payne wants to merge 1 commit into openedx:master from
Co-authored-by: Kiro <kiro@amazon.com>
5af6bd9 to 09e80cd
Description
When the authz.enable_course_authoring flag is enabled, use openedx-authz based permissions to authorize calls to the endpoints that support the Pages & Resources pages and functionality in Studio.
Supporting information
Closes openedx/openedx-authz#192.
Testing instructions
Automated tests:
pytest --ds="cms.envs.test" \
  cms/djangoapps/contentstore/rest_api/v0/tests/test_tabs_permissions.py \
  cms/djangoapps/contentstore/tests/test_tabs_permissions.py \
  openedx/core/djangoapps/course_apps/rest_api/tests/test_views_permissions.py \
  openedx/core/djangoapps/discussions/tests/test_views_permissions.py
Manual tests:
Prerequisite: Enable the authz.enable_course_authoring waffle flag for the test course. Assign users to authz roles: course_admin, course_staff, course_auditor, and one user with no role.
View Access
After selecting a course in the Studio course list, navigate to Pages & Resources from the Content dropdown. Course admin, staff, and auditor users should all see the page load with course app cards (Wiki, Discussions, Calculator, etc.). A user with no authz role should see a permission denied error.
Toggle Course Apps
From the Pages & Resources page, toggle a course app (e.g., Wiki) on or off. Course admin and staff should be able to toggle successfully. Course auditor should be denied — the toggle should either be disabled or return a 403.
Discussion Settings
Click the Discussion card to open discussion settings. Admin, staff, and auditor should all be able to view the providers list and current settings. Admin and staff should be able to change settings (e.g., toggle anonymous posting) and save. Auditor should be denied when attempting to save changes.
Custom Pages
Navigate to Custom Pages. Admin, staff, and auditor should see the list of existing custom pages. Admin and staff should be able to create a new page, edit an existing page's title/content, delete a page, reorder pages via drag-and-drop, and toggle tab visibility. Auditor should be denied on all write operations. A user with no role should not be able to view the custom pages list at all.
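The manual test plan above amounts to an access matrix (admin and staff read/write, auditor read-only, no role denied, all gated on the waffle flag). The following is an added example that encodes that matrix as a single check; it is not code from this PR or from openedx-authz. The role names and flag name come from the PR; the HTTP-method-to-action mapping, the legacy fallback callback and all function names are assumptions.

```python
"""Added illustration of the expected authz decisions for Pages & Resources
endpoints. Not the PR's code: the method->action split, the legacy fallback
and the names below are assumptions made for the example."""
from dataclasses import dataclass
from typing import Callable, Optional

FLAG = "authz.enable_course_authoring"

# Roles from the PR and the actions each may perform. Any role (or no role)
# not listed here gets nothing: default deny.
ROLE_PERMISSIONS = {
    "course_admin": {"view", "edit"},
    "course_staff": {"view", "edit"},
    "course_auditor": {"view"},
}

# Read-only HTTP methods; everything else is treated as a write (assumption).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    role: Optional[str]              # None models a user with no authz role
    flags: frozenset = frozenset()   # waffle flags active for this course


def action_for(method: str) -> str:
    """Map an HTTP method to the action it requires: 'view' or 'edit'."""
    return "view" if method.upper() in SAFE_METHODS else "edit"


def check_access(request: Request, legacy_check: Callable[[Request], bool]) -> int:
    """Return the HTTP status the endpoint should answer with (200 or 403).

    With the flag enabled the role table decides. With it disabled the
    (assumed) legacy check decides, so deployments that have not turned the
    flag on keep their existing behaviour.
    """
    if FLAG not in request.flags:
        return 200 if legacy_check(request) else 403
    allowed = ROLE_PERMISSIONS.get(request.role or "", set())
    return 200 if action_for(request.method) in allowed else 403
```

The assertions a reviewer would write mirror the manual steps: an auditor can GET the course apps list but gets 403 on a toggle (POST), and a user with no role gets 403 even on GET.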
Deadline
Verawood
Other information
Co-authored with Kiro.