Library role permission inconsistencies for clipboard paste and tag management

[BryanttV]

Description

While testing library role permissions in the MFE, I found two inconsistencies between backend capabilities and UI behavior.

1. A library user cannot paste clipboard content from the UI

Assuming that a user with the Library User role is allowed to reuse library content, it is unclear how this permission should be applied through the UI.

During testing:

• A Library User can copy content to the clipboard.
• However, there is no visible way in the UI to paste that content into a library.

The paste option only appears for users with other roles (e.g., Library Admin, Library Author, Library Contributor) through [+ New] → [Paste From Clipboard]

For Library User, this option does not appear.

However, when calling the API directly:

POST {studio_domain}/api/libraries/v2/{lib_key}/paste_clipboard/

The content can be successfully pasted, which suggests that the backend permission is correct and the issue is likely limited to the UI.

Question / Expected behavior

If Library Users are allowed to reuse library content, should the UI display the [+ New] → [Paste From Clipboard] option for them as well, possibly restricting it to only that action?

2. A Library Contributor/Author cannot properly manage tags

A user with the Library Contributor or Library Author role should be able to manage content tags.

However, I observed inconsistent behavior between the API and the UI.

API behavior

When attempting to update tags using:

PUT {studio_domain}/api/content_tagging/v1/object_tags/{object_id}/

For content in a library, the request fails with a permission error. This issue is already addressed by this PR.

UI behavior

From the UI:

• It is possible to add tags.
• It is not possible to remove tags, because the remove ("x") control is not displayed.

Expected behavior

Library Contributors and Library Authors should be able to both add and remove tags through the UI and the API.

[bradenmacdonald]

Library users should not be allowed to paste content. The permission for "can paste" should be exactly the same as for "can create content" in all contexts - libraries and courses. So if they don't have permission to create content (which they don't, because "library user" is a read-only role), they should not have permission to paste.

This is a bug that should be fixed on the backend.

[BryanttV]

Thanks for the context @bradenmacdonald ! I have two questions:

1. What does the Reuse Library Content permission refer to, which all Library roles are supposed to have?
2. If a Library User cannot paste content, why does the UI allow it to be copied?

[bradenmacdonald]

@BryanttV

"Reuse Library Content" means that you find (read-only) content in a library, and then use it in a course. You can do this in two ways:

1. Copy from the library (where you have read-only permission as a "Library User"), and paste it into any course where you have write access. It will be copied into the course, and receive updates if the library version gets updated.
2. From any course where you have write access, click on "Add content from library...", select the library, and then select content to use in the course. It will be copied into the course, and receive updates if the library version gets updated.

If a Library User cannot paste content, why does the UI allow it to be copied?

Because you could paste it into a course or another library, where you do have permission. You just cannot paste it into the same library.

[BryanttV]

Perfect, everything is much clearer now, thanks!

I ran some additional tests, and it seems that the inconsistencies are only on the backend side. I will be fixing them in the openedx-platform PR. For now, I think we can close this issue.