feat: authorize tags and taxonomies endpoints via openedx-authz when … #38292
wgu-taylor-payne wants to merge 1 commit into openedx:master from
Conversation
Force-pushed from d1ae95c to c26f972.
@wgu-taylor-payne we discussed this in the Weekly meeting and the decision is that for M1 we will only focus on implementing the courses.manage_tags permission on course-related endpoints. So no taxonomies-related changes for now.
Force-pushed from 7ef84c8 to 93083cc.
…bled
Add courses.manage_tags permission check on PUT /object_tags/{course_id}/
behind the AUTHZ_COURSE_AUTHORING_FLAG feature flag. When the flag is
enabled for a course, the endpoint enforces the permission via
openedx-authz. When the flag is off, the existing legacy django-rules
checks are used.
Co-authored-by: Kiro <kiro-noreply@amazon.com>
Force-pushed from 93083cc to 55ae268.
Description

Adds `courses.manage_tags` permission check via openedx-authz to the course-scoped content tagging endpoints, behind the existing `AUTHZ_COURSE_AUTHORING_FLAG` feature flag. When the flag is off, behavior is unchanged — all endpoints use the existing legacy `django-rules` permission checks.

Taxonomy management endpoints are not course-scoped (`/taxonomies/` CRUD, import, export, manage orgs) and will not be included in this PR. Those endpoints will be addressed another time.

What this PR does:

- `PUT /object_tags/{object_id}/` — enforces `courses.manage_tags` when the flag is enabled for the course. Extracts the course key from any content key type (course, block, unit, collection, container) via `get_context_key_from_key_string`, so tagging at any level within a flagged course goes through authz. Library content is unaffected (falls through to legacy).
- `GET /object_tags/{object_id}/` — patches `can_tag_object` in the response to reflect the authz permission when the flag is enabled. This ensures the frontend correctly shows/hides the "Add tags" button without any frontend changes.
- `GET /object_tags/{context_id}/export/` — already had authz via `has_view_object_tags_access` (checks `courses.export_tags`). No changes needed.

Endpoint → permission mapping:

| Endpoint | Permission |
| --- | --- |
| `PUT /object_tags/{object_id}/` | `courses.manage_tags` |
| `GET /object_tags/{object_id}/` | (`can_tag_object` patched) |
| `GET /object_tags/{context_id}/export/` | `courses.export_tags` (existing, unchanged) |

Roles and permissions (from Casbin policy): table of roles (`course_admin`, `course_staff`, `course_editor`, `course_auditor`) against permissions (`manage_tags`, `export_tags`).

Supporting information

Testing instructions

Flag OFF (legacy behavior unchanged):

- `authz.enable_course_authoring` waffle flag is inactive
- `GET /object_tags/{course_id}/` returns correct `can_tag_object` values

Flag ON per-course:

- `authz.enable_course_authoring` for a specific course → Force On
- `course_staff` authz role for that course: `PUT /object_tags/{course_id}/` should succeed
- `course_auditor` role: should return 403
- 403
- `GET /object_tags/{course_id}/` should return `can_tag_object: true` for `course_staff`/`course_editor`/`course_admin`, `false` for `course_auditor` and unauthorized

Other information
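The flag-gated dispatch the description outlines (derive the course key from whatever content key was tagged, consult the per-course flag, then either the openedx-authz role check or the legacy check) as an added, self-contained example. This is not code from the PR, from edx-platform or from openedx-authz: `context_key_for` is a deliberately simplified stand-in for `get_context_key_from_key_string` that understands only course and block keys, and `FLAGGED_COURSES`, `AUTHZ_ROLES`, `ROLE_PERMS` and `LEGACY_GRANTS` are constructed in-memory tables standing in for the waffle flag, the Casbin policy and the django-rules checks. The role-to-`manage_tags` mapping mirrors the testing instructions above (admin, staff and editor may tag; auditor may not); `export_tags` is not modelled.

```python
"""Flag-gated tagging permission check, modelled on the PR description.

Added example; every name here is a hypothetical stand-in, not the real
edx-platform / openedx-authz API.
"""
import re

# --- Constructed sample data standing in for the waffle flag, Casbin policy
# --- and django-rules grants.
FLAGGED_COURSES = {"course-v1:OpenedX+DemoX+2024"}  # authz.enable_course_authoring forced on
AUTHZ_ROLES = {  # (user, course key) -> authz role, as the Casbin policy would hold
    ("alice", "course-v1:OpenedX+DemoX+2024"): "course_staff",
    ("bob", "course-v1:OpenedX+DemoX+2024"): "course_auditor",
}
ROLE_PERMS = {  # only courses.manage_tags is modelled, per the testing instructions
    "course_admin": {"courses.manage_tags"},
    "course_staff": {"courses.manage_tags"},
    "course_editor": {"courses.manage_tags"},
    "course_auditor": set(),
}
LEGACY_GRANTS = {  # (user, context) pairs the legacy django-rules check would accept
    ("carol", "course-v1:OpenedX+LegacyX+2023"),
    ("erin", "course-v1:OpenedX+DemoX+2024"),  # legacy-only staff in a flagged course
    ("dave", "lib:OpenedX:Lib1"),
}

_COURSE_RE = re.compile(r"^course-v1:[^+]+\+[^+]+\+[^+/]+$")
_BLOCK_RE = re.compile(r"^block-v1:(?P<org>[^+]+)\+(?P<course>[^+]+)\+(?P<run>[^+]+)\+type@")


def context_key_for(key_string):
    """Return the course key scoping `key_string`, or None for non-course content.

    Simplified stand-in for get_context_key_from_key_string: handles course
    and block keys; library keys and unknown formats yield None.
    """
    if _COURSE_RE.match(key_string):
        return key_string
    m = _BLOCK_RE.match(key_string)
    if m:
        return f"course-v1:{m['org']}+{m['course']}+{m['run']}"
    return None


def authz_has_perm(user, course_key, perm):
    """Stand-in for the openedx-authz role/permission lookup."""
    role = AUTHZ_ROLES.get((user, course_key))
    return role is not None and perm in ROLE_PERMS.get(role, set())


def legacy_can_tag(user, context):
    """Stand-in for the existing django-rules check."""
    return (user, context) in LEGACY_GRANTS


def can_tag_object(user, object_key):
    """Decide tagging permission exactly as the PR describes:
    flagged course -> authz only; otherwise (flag off, or library content) -> legacy."""
    course_key = context_key_for(object_key)
    if course_key is not None and course_key in FLAGGED_COURSES:
        return authz_has_perm(user, course_key, "courses.manage_tags")
    # Legacy path; for non-course content the object key itself is the context.
    return legacy_can_tag(user, course_key or object_key)


def put_object_tags(user, object_key, tags):
    """Minimal model of PUT /object_tags/{object_id}/: (status, body)."""
    if not can_tag_object(user, object_key):
        return 403, {"detail": "courses.manage_tags required"}
    return 200, {"object_id": object_key, "tags": list(tags), "can_tag_object": True}


def get_object_tags(user, object_key):
    """Minimal model of GET /object_tags/{object_id}/ with can_tag_object patched in."""
    return 200, {"object_id": object_key, "can_tag_object": can_tag_object(user, object_key)}


if __name__ == "__main__":
    for user, key in [("alice", "block-v1:OpenedX+DemoX+2024+type@html+block@x"),
                      ("bob", "course-v1:OpenedX+DemoX+2024"),
                      ("erin", "course-v1:OpenedX+DemoX+2024"),
                      ("carol", "course-v1:OpenedX+LegacyX+2023"),
                      ("dave", "lib:OpenedX:Lib1")]:
        print(user, key, put_object_tags(user, key, ["t"])[0])
```

The case worth noticing is `erin`: she holds a legacy grant on the flagged course, but once the flag is on the legacy table is never consulted, so she receives 403 until she has an authz role. That is the behaviour the testing instructions imply for "unauthorized" users and is the thing to verify when rolling the flag out per course.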