[FC-0099] feat: add openedx-authz to library apis user_can_create_library and require_permission_for_library_key (#37501)

* feat: add the authz check to the library api function

feat: add the authz publish check in rest_api blocks and containers

feat: add the authz checks in libraries and refactor

feat: add collections checks

feat: update enforcement in serializer file

refactor: refactor the permission check functions

fix: fix value error

fix: calling the queries twice

* test: add structure for test and apply feedback

refactor: refactor the tests and apply feedback

fix: apply feedback

Revert "refactor: refactor the tests and apply feedback"

This reverts commit aa0bd52.

refactor: use constants and avoid mapping

test: fix the test to have them in order

docs: about we rely on bridgekeeper and the old check for two cases

docs: update openedx/core/djangoapps/content_libraries/api/libraries.py

Co-authored-by: Maria Grimaldi (Majo) <[email protected]>

refactor: use global scope wildcard instead of *

refactor: allow receiving PermissionData objects

refactor: do not inherit from BaseRolesTestCase to favor CL setup methods

If both BaseRolesTestCase and ContentLibrariesRestApiTest define a method
with the same name (e.g., setUp()), Python will use the one found first
in the MRO, which is the one in BaseRolesTestCase because it is
listed first in the class definition leading to unexpected behavior.

refactor: remove unnecessary imports and indent

* chore: bump openedx-authz version

Author: MaferMazu

openedx/core/djangoapps/content_libraries/api/libraries.py

@@ -53,13 +53,11 @@
 from django.db import IntegrityError, transaction
 from django.db.models import Q, QuerySet
 from django.utils.translation import gettext as _
-from opaque_keys.edx.locator import (
-    LibraryLocatorV2,
-    LibraryUsageLocatorV2,
-)
-from openedx_events.content_authoring.data import (
-    ContentLibraryData,
-)
+from opaque_keys.edx.locator import LibraryLocatorV2, LibraryUsageLocatorV2
+from openedx_authz import api as authz_api
+from openedx_authz.api import assign_role_to_user_in_scope
+from openedx_authz.constants import permissions as authz_permissions
+from openedx_events.content_authoring.data import ContentLibraryData
 from openedx_events.content_authoring.signals import (
     CONTENT_LIBRARY_CREATED,
     CONTENT_LIBRARY_DELETED,
@@ -70,14 +68,14 @@
 from organizations.models import Organization
 from user_tasks.models import UserTaskArtifact, UserTaskStatus
 from xblock.core import XBlock
-from openedx_authz.api import assign_role_to_user_in_scope
 
 from openedx.core.types import User as UserType
 
 from .. import permissions, tasks
 from ..constants import ALL_RIGHTS_RESERVED
 from ..models import ContentLibrary, ContentLibraryPermission
 from .exceptions import LibraryAlreadyExists, LibraryPermissionIntegrityError
+from .permissions import LEGACY_LIB_PERMISSIONS
 
 log = logging.getLogger(__name__)
 
@@ -109,6 +107,7 @@
     "revert_changes",
     "get_backup_task_status",
     "assign_library_role_to_user",
+    "user_has_permission_across_lib_authz_systems",
 ]
 
 
@@ -245,7 +244,18 @@ def user_can_create_library(user: AbstractUser) -> bool:
     """
     Check if the user has permission to create a content library.
     """
-    return user.has_perm(permissions.CAN_CREATE_CONTENT_LIBRARY)
+    library_permission = permissions.CAN_CREATE_CONTENT_LIBRARY
+    lib_permission_in_authz = _transform_legacy_lib_permission_to_authz_permission(library_permission)
+    # The authz_api.is_user_allowed check only validates permissions within a specific library context. Since
+    # creating a library is not tied to an existing one, we use user.has_perm (via Bridgekeeper) to check if the user
+    # can create libraries, meaning they have the course creator role. In the future, this should rely on a global (*)
+    # role defined in the Authorization Framework for instance-level resource creation.
+    has_perms = user.has_perm(library_permission) or authz_api.is_user_allowed(
+        user,
+        lib_permission_in_authz,
+        authz_api.data.GLOBAL_SCOPE_WILDCARD,
+    )
+    return has_perms
 
 
 def get_libraries_for_user(user, org=None, text_search=None, order=None) -> QuerySet[ContentLibrary]:
@@ -336,7 +346,7 @@ def require_permission_for_library_key(library_key: LibraryLocatorV2, user: User
     library_obj = ContentLibrary.objects.get_by_key(library_key)
     # obj should be able to read any valid model object but mypy thinks it can only be
     # "User | AnonymousUser | None"
-    if not user.has_perm(permission, obj=library_obj):  # type:ignore[arg-type]
+    if not user_has_permission_across_lib_authz_systems(user, permission, library_obj):
         raise PermissionDenied
 
     return library_obj
@@ -754,3 +764,90 @@ def get_backup_task_status(
         result['file'] = artifact.file
 
     return result
+
+
+def _transform_legacy_lib_permission_to_authz_permission(permission: str) -> str:
+    """
+    Transform a legacy content library permission to an openedx-authz permission.
+    """
+    # There is no dedicated permission or role for can_create_content_library in openedx-authz yet,
+    # so we reuse the same permission to rely on user.has_perm via Bridgekeeper.
+    return {
+        permissions.CAN_CREATE_CONTENT_LIBRARY: permissions.CAN_CREATE_CONTENT_LIBRARY,
+        permissions.CAN_DELETE_THIS_CONTENT_LIBRARY: authz_permissions.DELETE_LIBRARY.identifier,
+        permissions.CAN_EDIT_THIS_CONTENT_LIBRARY: authz_permissions.EDIT_LIBRARY_CONTENT.identifier,
+        permissions.CAN_EDIT_THIS_CONTENT_LIBRARY_TEAM: authz_permissions.MANAGE_LIBRARY_TEAM.identifier,
+        permissions.CAN_VIEW_THIS_CONTENT_LIBRARY: authz_permissions.VIEW_LIBRARY.identifier,
+        permissions.CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM: authz_permissions.VIEW_LIBRARY_TEAM.identifier,
+    }.get(permission, permission)
+
+
+def _transform_authz_permission_to_legacy_lib_permission(permission: str) -> str:
+    """
+    Transform an openedx-authz permission to a legacy content library permission.
+    """
+    return {
+        authz_permissions.PUBLISH_LIBRARY_CONTENT.identifier: permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+        authz_permissions.CREATE_LIBRARY_COLLECTION.identifier: permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+        authz_permissions.EDIT_LIBRARY_COLLECTION.identifier: permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+        authz_permissions.DELETE_LIBRARY_COLLECTION.identifier: permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+    }.get(permission, permission)
+
+
+def user_has_permission_across_lib_authz_systems(
+    user: UserType,
+    permission: str | authz_api.data.PermissionData,
+    library_obj: ContentLibrary,
+) -> bool:
+    """
+    Check whether a user has a given permission on a content library across both the
+    legacy edx-platform permission system and the newer openedx-authz system.
+
+    The provided permission name is normalized to both systems (legacy and authz), and
+    authorization is granted if either:
+    - the user holds the legacy object-level permission on the ContentLibrary instance, or
+    - the openedx-authz API allows the user for the corresponding permission on the library.
+
+    **Note:**
+    Temporary: this function uses Bridgekeeper-based logic for cases not yet modeled in openedx-authz.
+
+    Current gaps covered here:
+    - CAN_CREATE_CONTENT_LIBRARY: we call user.has_perm via Bridgekeeper to verify the user is a course creator.
+    - CAN_VIEW_THIS_CONTENT_LIBRARY: we respect the allow_public_read flag via Bridgekeeper.
+
+    Replace these with authz_api.is_user_allowed once openedx-authz supports
+    these conditions natively (including global (*) roles).
+
+    Args:
+        user: The Django user (or user-like object) to check.
+        permission: The permission identifier (either a legacy codename or an openedx-authz name).
+        library_obj: The ContentLibrary instance to check against.
+
+    Returns:
+        bool: True if the user is authorized by either system; otherwise False.
+    """
+    if isinstance(permission, authz_api.data.PermissionData):
+        permission = permission.identifier
+    if _is_legacy_permission(permission):
+        legacy_permission = permission
+        authz_permission = _transform_legacy_lib_permission_to_authz_permission(permission)
+    else:
+        authz_permission = permission
+        legacy_permission = _transform_authz_permission_to_legacy_lib_permission(permission)
+    return (
+        # Check both the legacy and the new openedx-authz permissions
+        user.has_perm(perm=legacy_permission, obj=library_obj)
+        or authz_api.is_user_allowed(
+            user,
+            authz_permission,
+            str(library_obj.library_key),
+        )
+    )
+
+
+def _is_legacy_permission(permission: str) -> bool:
+    """
+    Determine if the specified library permission is part of the legacy
+    or the new openedx-authz system.
+    """
+    return permission in LEGACY_LIB_PERMISSIONS

openedx/core/djangoapps/content_libraries/api/permissions.py

@@ -12,3 +12,13 @@
     CAN_VIEW_THIS_CONTENT_LIBRARY,
     CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM
 )
+
+LEGACY_LIB_PERMISSIONS = frozenset({
+    CAN_CREATE_CONTENT_LIBRARY,
+    CAN_DELETE_THIS_CONTENT_LIBRARY,
+    CAN_EDIT_THIS_CONTENT_LIBRARY,
+    CAN_EDIT_THIS_CONTENT_LIBRARY_TEAM,
+    CAN_LEARN_FROM_THIS_CONTENT_LIBRARY,
+    CAN_VIEW_THIS_CONTENT_LIBRARY,
+    CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM,
+})

openedx/core/djangoapps/content_libraries/rest_api/blocks.py

@@ -9,6 +9,7 @@
 from django.utils.decorators import method_decorator
 from drf_yasg.utils import swagger_auto_schema
 from opaque_keys.edx.locator import LibraryLocatorV2, LibraryUsageLocatorV2
+from openedx_authz.constants import permissions as authz_permissions
 from openedx_learning.api import authoring as authoring_api
 from rest_framework import status
 from rest_framework.exceptions import NotFound, ValidationError
@@ -238,7 +239,7 @@ def post(self, request, usage_key_str):
         api.require_permission_for_library_key(
             key.lib_key,
             request.user,
-            permissions.CAN_EDIT_THIS_CONTENT_LIBRARY
+            authz_permissions.PUBLISH_LIBRARY_CONTENT
         )
         api.publish_component_changes(key, request.user)
         return Response({})

openedx/core/djangoapps/content_libraries/rest_api/collections.py

@@ -13,6 +13,7 @@
 from rest_framework.status import HTTP_204_NO_CONTENT
 
 from opaque_keys.edx.locator import LibraryLocatorV2
+from openedx_authz.constants import permissions as authz_permissions
 from openedx_learning.api import authoring as authoring_api
 from openedx_learning.api.authoring_models import Collection
 
@@ -56,7 +57,6 @@ def get_content_library(self) -> ContentLibrary:
             if self.request.method in ['OPTIONS', 'GET']
             else permissions.CAN_EDIT_THIS_CONTENT_LIBRARY
         )
-
         self._content_library = api.require_permission_for_library_key(
             library_key,
             self.request.user,
@@ -110,6 +110,11 @@ def create(self, request: RestRequest, *args, **kwargs) -> Response:
         Create a Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
+        api.require_permission_for_library_key(
+            content_library.library_key,
+            request.user,
+            authz_permissions.CREATE_LIBRARY_COLLECTION
+        )
         create_serializer = ContentLibraryCollectionUpdateSerializer(data=request.data)
         create_serializer.is_valid(raise_exception=True)
 
@@ -144,6 +149,11 @@ def partial_update(self, request: RestRequest, *args, **kwargs) -> Response:
         Update a Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
+        api.require_permission_for_library_key(
+            content_library.library_key,
+            request.user,
+            authz_permissions.EDIT_LIBRARY_COLLECTION
+        )
         collection_key = kwargs["key"]
 
         update_serializer = ContentLibraryCollectionUpdateSerializer(
@@ -165,6 +175,12 @@ def destroy(self, request: RestRequest, *args, **kwargs) -> Response:
         """
         Soft-deletes a Collection that belongs to a Content Library
         """
+        content_library = self.get_content_library()
+        api.require_permission_for_library_key(
+            content_library.library_key,
+            request.user,
+            authz_permissions.DELETE_LIBRARY_COLLECTION
+        )
         collection = super().get_object()
         assert collection.learning_package_id
         authoring_api.delete_collection(
@@ -181,6 +197,11 @@ def restore(self, request: RestRequest, *args, **kwargs) -> Response:
         Restores a soft-deleted Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
+        api.require_permission_for_library_key(
+            content_library.library_key,
+            request.user,
+            authz_permissions.EDIT_LIBRARY_COLLECTION
+        )
         assert content_library.learning_package_id
         collection_key = kwargs["key"]
         authoring_api.restore_collection(
@@ -198,6 +219,11 @@ def update_items(self, request: RestRequest, *args, **kwargs) -> Response:
         Collection and items must all be part of the given library/learning package.
         """
         content_library = self.get_content_library()
+        api.require_permission_for_library_key(
+            content_library.library_key,
+            request.user,
+            authz_permissions.EDIT_LIBRARY_COLLECTION
+        )
         collection_key = kwargs["key"]
 
         serializer = ContentLibraryItemKeysSerializer(data=request.data)

openedx/core/djangoapps/content_libraries/rest_api/containers.py

@@ -12,6 +12,7 @@
 from drf_yasg import openapi
 
 from opaque_keys.edx.locator import LibraryLocatorV2, LibraryContainerLocator
+from openedx_authz.constants import permissions as authz_permissions
 from openedx_learning.api import authoring as authoring_api
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
@@ -379,7 +380,7 @@ def post(self, request: RestRequest, container_key: LibraryContainerLocator) ->
         api.require_permission_for_library_key(
             container_key.lib_key,
             request.user,
-            permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+            authz_permissions.PUBLISH_LIBRARY_CONTENT
         )
         api.publish_container_changes(container_key, request.user.id)
         # If we need to in the future, we could return a list of all the child containers/components that were

openedx/core/djangoapps/content_libraries/rest_api/libraries.py

@@ -82,6 +82,7 @@
 from user_tasks.models import UserTaskStatus
 
 from opaque_keys.edx.locator import LibraryLocatorV2, LibraryUsageLocatorV2
+from openedx_authz.constants import permissions as authz_permissions
 from organizations.api import ensure_organization
 from organizations.exceptions import InvalidOrganizationException
 from organizations.models import Organization
@@ -219,7 +220,7 @@ def post(self, request):
         """
         Create a new content library.
         """
-        if not request.user.has_perm(permissions.CAN_CREATE_CONTENT_LIBRARY):
+        if not api.user_can_create_library(request.user):
             raise PermissionDenied
         serializer = ContentLibraryMetadataSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
@@ -479,7 +480,11 @@ def post(self, request, lib_key_str):
         descendants.
         """
         key = LibraryLocatorV2.from_string(lib_key_str)
-        api.require_permission_for_library_key(key, request.user, permissions.CAN_EDIT_THIS_CONTENT_LIBRARY)
+        api.require_permission_for_library_key(
+            key,
+            request.user,
+            authz_permissions.PUBLISH_LIBRARY_CONTENT
+        )
         api.publish_changes(key, request.user.id)
         return Response({})
 
@@ -838,7 +843,7 @@ def post(self, request):
         """
         Restore a library from a backup file.
         """
-        if not request.user.has_perm(permissions.CAN_CREATE_CONTENT_LIBRARY):
+        if not api.user_can_create_library(request.user):
             raise PermissionDenied
 
         serializer = LibraryRestoreFileSerializer(data=request.data)

openedx/core/djangoapps/content_libraries/rest_api/serializers.py

@@ -14,6 +14,7 @@
 from user_tasks.models import UserTaskStatus
 
 from openedx.core.djangoapps.content_libraries.tasks import LibraryRestoreTask
+from openedx.core.djangoapps.content_libraries import api
 from openedx.core.djangoapps.content_libraries.api.containers import ContainerType
 from openedx.core.djangoapps.content_libraries.constants import ALL_RIGHTS_RESERVED, LICENSE_OPTIONS
 from openedx.core.djangoapps.content_libraries.models import (
@@ -75,7 +76,8 @@ def get_can_edit_library(self, obj):
             return False
 
         library_obj = ContentLibrary.objects.get_by_key(obj.key)
-        return user.has_perm(permissions.CAN_EDIT_THIS_CONTENT_LIBRARY, obj=library_obj)
+        return api.user_has_permission_across_lib_authz_systems(
+            user, permissions.CAN_EDIT_THIS_CONTENT_LIBRARY, library_obj)
 
 
 class ContentLibraryUpdateSerializer(serializers.Serializer):