feat: support organization-level scopes for course list [authz]

[MaferMazu]

Description

This change addresses openedx/openedx-authz#243 by enabling the retrieval of course listings based on organization-level permissions for authz.

Previously, users with course roles via authz were limited to viewing only explicitly assigned courses in the CMS, as organization scopes were not considered during the lookup.

With this update, users with organization-wide permissions will now correctly see all courses in their organization in their course listing.

Supporting information

Resolves: openedx/openedx-authz#243

Testing instructions

The tests added are only unit tests. If you want to check an end-to-end test, follow the following instructions:

Requirements:

• Have an environment with this code.
• Add the flag "authz.enable_course_authoring" in the Django Admin (/admin/waffle/flag/) (Set Everyone: Yes)
• Create a new user without special permissions.
• Assigns the user a course role with org-level scope.
  • For example, I create a registry in the Django Admin Casbin table like this: g user^student1 role^course_staff course-v1^course-v1:openedx+* (in this case, the org is openedx)

Test:

• Log in with the user and enter http://apps.local.openedx.io:2001/authoring/home
• You should be able to see all the courses from the org that the user has permission for.

Deadline

Verawood

[openedx-webhooks]

Thanks for the pull request, @MaferMazu!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[dwong2708]

Looks good overall! Just a couple of comments, thanks.

[Copilot]

Pull request overview

Adds organization-level AuthZ scope handling to Studio’s course listing so users with org-wide permissions can see all courses in their org (addressing openedx-authz#243), rather than only explicitly-scoped courses.

Changes:

• Extend _get_authz_accessible_courses_list to expand OrgCourseOverviewGlobData scopes into course keys for the org and apply the per-course authoring toggle.
• Add unit tests covering org-scope inclusion and toggle filtering behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
cms/djangoapps/contentstore/views/course.py	Expands AuthZ course listing to include org-scoped permissions by querying org courses and filtering by the waffle flag.
cms/djangoapps/contentstore/tests/test_course_listing.py	Adds tests for org-scope behavior and toggle-respecting filtering.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rodmgwgu]

Looking good overall, just some comments. Thanks!

[dwong2708]

@MaferMazu just a minor comment, could you add something like the following to the PR description?

Resolves: openedx/openedx-authz#243

This helps link the task to the PR. I noticed you already included the link, but keywords like “Resolves” or “Closes” are needed for it to work properly.

[MaferMazu]

This is ready for re-review @mariajgrimaldi @dwong2708 @rodmgwgu 🙌

[rodmgwgu]

Tested in my local and works as described, thanks!

[dwong2708]

LGTM! Thanks.

[bmtcril]

LGTM, thanks!