Skip to content

feat: enforce authz permissions for Pages & Resources endpoints#38275

Open
wgu-taylor-payne wants to merge 1 commit intoopenedx:masterfrom
WGU-Open-edX:tpayne/authz-for-pages-and-resources
Open

feat: enforce authz permissions for Pages & Resources endpoints#38275
wgu-taylor-payne wants to merge 1 commit intoopenedx:masterfrom
WGU-Open-edX:tpayne/authz-for-pages-and-resources

Conversation

@wgu-taylor-payne
Copy link
Copy Markdown
Contributor

@wgu-taylor-payne wgu-taylor-payne commented Apr 2, 2026
edited
Loading

Description

When the authz.enable_course_authoring flag is enabled use openedx-authz based permissions to authorize calls to the endpoints that support the Pages & Resources pages and functionality in Studio.

Endpoints covered

Pages & Resources

UI Action Type URL Path Django View
Load Pages & Resources grid GET /api/course_apps/v1/apps/{courseId} openedx.core.djangoapps.course_apps.rest_api.v1.views.CourseAppsView
Toggle app enabled/disabled PATCH /api/course_apps/v1/apps/{courseId} openedx.core.djangoapps.course_apps.rest_api.v1.views.CourseAppsView
Load app settings (wiki visibility, etc.) GET /api/contentstore/v0/advanced_settings/{courseId} cms.djangoapps.contentstore.rest_api.v0.views.advanced_settings.AdvancedCourseSettingsView *
Save app settings PATCH /api/contentstore/v0/advanced_settings/{courseId} cms.djangoapps.contentstore.rest_api.v0.views.advanced_settings.AdvancedCourseSettingsView *

Discussions

UI Action Type URL Path Django View
Load discussions settings GET /api/discussions/v0/course/{courseId}/settings openedx.core.djangoapps.discussions.views.DiscussionsConfigurationSettingsView
Save discussions settings POST /api/discussions/v0/course/{courseId}/settings openedx.core.djangoapps.discussions.views.DiscussionsConfigurationSettingsView
Load discussions providers GET /api/discussions/v0/course/{courseId}/providers openedx.core.djangoapps.discussions.views.DiscussionsProvidersView

Custom Pages

UI Action Type URL Path Django View
List custom pages / tabs GET /api/contentstore/v0/tabs/{courseId} cms.djangoapps.contentstore.rest_api.v0.views.tabs.CourseTabListView
Reorder custom pages POST /api/contentstore/v0/tabs/{courseId}/reorder cms.djangoapps.contentstore.rest_api.v0.views.tabs.CourseTabReorderView
Toggle custom page visibility POST /api/contentstore/v0/tabs/{courseId}/settings cms.djangoapps.contentstore.rest_api.v0.views.tabs.CourseTabSettingsView
Add custom page PUT /xblock/ cms.djangoapps.contentstore.views.component.xblock_handler *
Edit custom page PUT /xblock/{blockId} cms.djangoapps.contentstore.views.component.xblock_handler *
Delete custom page DELETE /xblock/{blockId} cms.djangoapps.contentstore.views.component.xblock_handler *

Textbooks

UI Action Type URL Path Django View
List textbooks GET /api/contentstore/v1/textbooks/{courseId} cms.djangoapps.contentstore.rest_api.v1.views.textbooks.CourseTextbooksView
Create/update textbook POST /textbooks/{courseId} cms.djangoapps.contentstore.views.course.textbooks_list_handler
Edit textbook POST /textbooks/{courseId}/{textbookId} cms.djangoapps.contentstore.views.course.textbooks_detail_handler
Delete textbook DELETE /textbooks/{courseId}/{textbookId} cms.djangoapps.contentstore.views.course.textbooks_detail_handler

* Not modified in this PR — shared endpoints used by other features.

Supporting information

Closes openedx/openedx-authz#192.

Testing instructions

Automated tests:

pytest --ds="cms.envs.test" \
  cms/djangoapps/contentstore/rest_api/v0/tests/test_tabs_permissions.py \
  cms/djangoapps/contentstore/rest_api/v1/views/tests/test_textbooks.py \
  cms/djangoapps/contentstore/views/tests/test_textbooks_permissions.py \
  openedx/core/djangoapps/course_apps/rest_api/tests/test_views_permissions.py \
  openedx/core/djangoapps/discussions/tests/test_views_permissions.py

Manual tests:

Prerequisite: Enable the authz.enable_course_authoring waffle flag for the test course. Assign users to authz roles: course_admin, course_staff, course_auditor, and one user with no role.

  • View Access — Navigate to Pages & Resources from the Content dropdown. Admin, staff, and auditor should all see the page load with course app cards (Wiki, Discussions, Calculator, etc.). A user with no role should see a permission denied error.
  • Toggle Course Apps — Toggle a course app (e.g., Wiki) on or off. Admin and staff should succeed. Auditor should be denied (toggle disabled or 403).
  • Discussion Settings — Click the Discussion card. Admin, staff, and auditor should all view providers and current settings. Admin and staff should be able to save changes. Auditor should be denied when saving.
  • Custom Pages — Navigate to Custom Pages. Admin, staff, and auditor should see the list of pages. Admin and staff should be able to reorder pages and toggle tab visibility. Auditor should be denied on write operations. A user with no role should not see the list at all. Note: creating, editing, and deleting custom pages go through xblock_handler which is out of scope for this PR.
  • Textbooks — Navigate to Textbooks. Admin, staff, and auditor should see the list. Admin and staff should be able to create, edit, and delete textbooks. Auditor should be denied on all write operations. A user with no role should not see the list at all.

Deadline

Verawood

Other information

Co-authored with Kiro.

@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Apr 2, 2026
@openedx-webhooks
Copy link
Copy Markdown

openedx-webhooks commented Apr 2, 2026
edited
Loading

Thanks for the pull request, @wgu-taylor-payne!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@github-project-automation github-project-automation bot moved this to Needs Triage in Contributions Apr 2, 2026
@wgu-taylor-payne wgu-taylor-payne marked this pull request as draft April 2, 2026 15:12
@wgu-taylor-payne wgu-taylor-payne force-pushed the tpayne/authz-for-pages-and-resources branch 2 times, most recently from cea9487 to 15104f1 Compare April 3, 2026 22:16
@wgu-taylor-payne wgu-taylor-payne marked this pull request as ready for review April 3, 2026 22:24
@wgu-taylor-payne wgu-taylor-payne force-pushed the tpayne/authz-for-pages-and-resources branch from 15104f1 to a327768 Compare April 3, 2026 22:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mariajgrimaldi mariajgrimaldi Awaiting requested review from mariajgrimaldi

@rodmgwgu rodmgwgu Awaiting requested review from rodmgwgu

@bmtcril bmtcril Awaiting requested review from bmtcril

@dwong2708 dwong2708 Awaiting requested review from dwong2708

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). open-source-contribution PR author is not from Axim or 2U

Projects

Contributions
Status: Needs Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Task - RBAC AuthZ - Implement new permissions for pages & resources

2 participants

@wgu-taylor-payne @openedx-webhooks