fixup! feat: introduce authz_permission_required decorator

Author: dwong2708

cms/djangoapps/contentstore/api/views/course_quality.py

@@ -6,6 +6,7 @@
 from edxval.api import get_course_videos_qset
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
+from openedx.core.djangoapps.authz.constants import LegacyPermission
 from scipy import stats
 from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
 
@@ -84,7 +85,7 @@ class CourseQualityView(DeveloperErrorViewMixin, GenericAPIView):
     # does not specify a serializer class.
     swagger_schema = None
 
-    @authz_permission_required(COURSES_VIEW_COURSE.identifier, legacy_permission="read")
+    @authz_permission_required(COURSES_VIEW_COURSE.identifier, LegacyPermission.READ)
     def get(self, request, course_key):
         """
         Returns validation information for the given course.

cms/djangoapps/contentstore/api/views/course_validation.py

@@ -9,6 +9,7 @@
 from rest_framework import serializers, status
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
+from openedx.core.djangoapps.authz.constants import LegacyPermission
 from user_tasks.models import UserTaskStatus
 from user_tasks.views import StatusViewSet
 from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
@@ -82,7 +83,7 @@ class CourseValidationView(DeveloperErrorViewMixin, GenericAPIView):
     # does not specify a serializer class.
     swagger_schema = None
 
-    @authz_permission_required(COURSES_VIEW_COURSE.identifier, legacy_permission="read")
+    @authz_permission_required(COURSES_VIEW_COURSE.identifier, LegacyPermission.READ)
     def get(self, request, course_key):
         """
         Returns validation information for the given course.

cms/envs/common.py

@@ -904,6 +904,9 @@ def make_lms_template_path(settings):
     # alternative swagger generator for CMS API
     'drf_spectacular',
 
+    # Authz
+    'openedx.core.djangoapps.authz',
+
     'openedx_events',
 
     # Core models to represent courses

lms/envs/common.py

@@ -2019,7 +2019,7 @@
     'openedx.core.djangoapps.notifications',
 
     # Authz
-    'openedx.core.djangoapps.authz.apps.AuthzConfig',
+    'openedx.core.djangoapps.authz',
 
     'openedx_events',
 

openedx/core/djangoapps/authz/apps.py

@@ -4,6 +4,13 @@
 
 
 class AuthzConfig(AppConfig):
+    """Django application configuration for the Open edX Authorization (AuthZ) app.
+
+    This app provides a centralized location for integrations with the
+    openedx-authz library, including permission helpers, decorators,
+    and other utilities used to enforce RBAC-based authorization across
+    the platform."""
+
     default_auto_field = 'django.db.models.BigAutoField'
     name = 'openedx.core.djangoapps.authz'
-    verbose_name = "Authz"
+    verbose_name = "Open edX Authorization Framework"

openedx/core/djangoapps/authz/constants.py

@@ -0,0 +1,15 @@
+"""Constants used by the Open edX Authorization (AuthZ) framework."""
+
+from common.djangoapps.student.auth import has_studio_read_access, has_studio_write_access
+from openedx.core.lib.teams_config import Enum
+
+
+class LegacyPermission(Enum):
+    READ = "read"
+    WRITE = "write"
+
+
+LEGACY_PERMISSION_HANDLER_MAP = {
+    LegacyPermission.READ: has_studio_read_access,
+    LegacyPermission.WRITE: has_studio_write_access,
+}

openedx/core/djangoapps/authz/decorators.py

@@ -1,29 +1,32 @@
 """Decorators for AuthZ-based permissions enforcement."""
 import logging
 from functools import wraps
+from collections.abc import Callable
 
+from django.contrib.auth.models import AbstractUser
 from opaque_keys import InvalidKeyError
 from opaque_keys.edx.keys import CourseKey, UsageKey
+from openedx.core.djangoapps.authz.constants import LEGACY_PERMISSION_HANDLER_MAP, LegacyPermission
 from openedx_authz import api as authz_api
 from rest_framework import status
 
-from common.djangoapps.student.auth import has_studio_write_access, has_studio_read_access
 from openedx.core import toggles as core_toggles
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin
 
 log = logging.getLogger(__name__)
 
 
-legacy_permission_handler_map = {
-    "read": has_studio_read_access,
-    "write": has_studio_write_access,
-}
-
-
-def authz_permission_required(authz_permission, legacy_permission=None):
+def authz_permission_required(authz_permission: str, legacy_permission: LegacyPermission | None = None) -> Callable:
     """
     Decorator enforcing course author permissions via AuthZ
     with optional legacy fallback.
+
+    This decorator checks if the requesting user has the specified AuthZ permission for the course.
+    If AuthZ is not enabled for the course, and a legacy_permission is provided, it falls back to checking
+    the legacy permission.
+
+    Raises:
+        DeveloperErrorResponseException: If the user does not have the required permissions.
     """
 
     def decorator(view_func):
@@ -40,8 +43,8 @@ def _wrapped_view(self, request, course_id, *args, **kwargs):
             ):
                 raise DeveloperErrorViewMixin.api_error(
                     status_code=status.HTTP_403_FORBIDDEN,
-                    developer_message="The requesting user does not have course author permissions.",
-                    error_code="user_permissions",
+                    developer_message="You do not have permission to perform this action.",
+                    error_code="permission_denied",
                 )
 
             return view_func(self, request, course_key, *args, **kwargs)
@@ -51,9 +54,15 @@ def _wrapped_view(self, request, course_id, *args, **kwargs):
     return decorator
 
 
-def user_has_course_permission(user, authz_permission, course_key, legacy_permission=None):
+def user_has_course_permission(
+    user: AbstractUser,
+    authz_permission: str,
+    course_key: CourseKey,
+    legacy_permission: LegacyPermission | None = None,
+) -> bool:
     """
-    Core authorization logic.
+    Checks if the user has the specified AuthZ permission for the course,
+    with optional fallback to legacy permissions.
     """
     if core_toggles.enable_authz_course_authoring(course_key):
         # If AuthZ is enabled for this course, check the permission via AuthZ only.
@@ -70,7 +79,7 @@ def user_has_course_permission(user, authz_permission, course_key, legacy_permis
 
     # If AuthZ is not enabled for this course, fall back to legacy course author
     # access check if legacy_permission is provided.
-    has_legacy_permission = legacy_permission_handler_map.get(legacy_permission)
+    has_legacy_permission: Callable | None = LEGACY_PERMISSION_HANDLER_MAP.get(legacy_permission)
     if legacy_permission and has_legacy_permission and has_legacy_permission(user, course_key):
         log.info(
             "AuthZ fallback used",
@@ -94,7 +103,7 @@ def user_has_course_permission(user, authz_permission, course_key, legacy_permis
     return False
 
 
-def get_course_key(course_id):
+def get_course_key(course_id: str) -> CourseKey:
     """
     Given a course_id string, attempts to parse it as a CourseKey.
     If that fails, attempts to parse it as a UsageKey and extract the course key from it.

openedx/core/djangoapps/authz/tests/test_decorators.py

@@ -4,6 +4,7 @@
 from django.test import RequestFactory, TestCase
 from opaque_keys.edx.locator import BlockUsageLocator, CourseLocator
 
+from openedx.core.djangoapps.authz.constants import LegacyPermission
 from openedx.core.djangoapps.authz.decorators import authz_permission_required, get_course_key
 from openedx.core.lib.api.view_utils import DeveloperErrorResponseException
 
@@ -62,12 +63,12 @@ def test_view_executes_when_legacy_fallback_read(self):
             "openedx.core.djangoapps.authz.decorators.authz_api.is_user_allowed",
             return_value=True,  # Should not be used when AuthZ is disabled, but set to True just in case
         ), patch(
-            "openedx.core.djangoapps.authz.decorators.has_studio_read_access",
+            "openedx.core.djangoapps.authz.constants.has_studio_read_access",
             return_value=True,
         ):
             decorated = authz_permission_required(
                 "courses.view",
-                legacy_permission="read"
+                legacy_permission=LegacyPermission.READ
             )(mock_view)
 
             result = decorated(self.view_instance, request, str(self.course_key))
@@ -88,12 +89,12 @@ def test_view_executes_when_legacy_fallback_write(self):
             "openedx.core.djangoapps.authz.decorators.authz_api.is_user_allowed",
             return_value=True,  # Should not be used when AuthZ is disabled, but set to True just in case
         ), patch(
-            "openedx.core.djangoapps.authz.decorators.has_studio_write_access",
+            "openedx.core.djangoapps.authz.constants.has_studio_write_access",
             return_value=True,
         ):
             decorated = authz_permission_required(
                 "courses.edit",
-                legacy_permission="write"
+                legacy_permission=LegacyPermission.WRITE
             )(mock_view)
 
             result = decorated(self.view_instance, request, str(self.course_key))