openedx
diff --git a/‎.github/workflows/js-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/js-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/quality-checks.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/quality-checks.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/static-assets-check.yml‎
Lines changed: 2 additions & 3 deletions b/‎.github/workflows/static-assets-check.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎.github/workflows/unit-tests.yml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/unit-tests.yml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.readthedocs.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.readthedocs.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cms/djangoapps/contentstore/models.py‎
Lines changed: 2 additions & 5 deletions b/‎cms/djangoapps/contentstore/models.py‎
Lines changed: 2 additions & 5 deletions
diff --git a/‎cms/djangoapps/contentstore/rest_api/v0/tests/test_advanced_settings.py‎
Lines changed: 112 additions & 0 deletions b/‎cms/djangoapps/contentstore/rest_api/v0/tests/test_advanced_settings.py‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎cms/djangoapps/contentstore/rest_api/v0/views/advanced_settings.py‎
Lines changed: 3 additions & 3 deletions b/‎cms/djangoapps/contentstore/rest_api/v0/views/advanced_settings.py‎
Lines changed: 3 additions & 3 deletions
@@ -73,7 +73,7 @@ jobs:
           npm run test
 
       - name: Save Job Artifacts
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: Build-Artifacts
           path: |
 
@@ -78,14 +78,14 @@ jobs:
           PIP_SRC: ${{ runner.temp }}
           TARGET_BRANCH: ${{ github.base_ref }}
         run: |
-            make pycodestyle
+            ruff check --output-format=github .
             make xsslint
             make pii_check
             make check_keywords
 
       - name: Save Job Artifacts
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: Build-Artifacts
           path: |
 
@@ -98,7 +98,6 @@ jobs:
         env:
           LMS_CFG: lms/envs/minimal.yml
           CMS_CFG: lms/envs/minimal.yml
-          DJANGO_SETTINGS_MODULE: lms.envs.production
         run: |
-          ./manage.py lms collectstatic --noinput
-          ./manage.py cms collectstatic --noinput
+          DJANGO_SETTINGS_MODULE=lms.envs.production ./manage.py lms collectstatic --noinput
+          DJANGO_SETTINGS_MODULE=cms.envs.production ./manage.py cms collectstatic --noinput
@@ -131,7 +131,7 @@ jobs:
 
       - name: save pytest warnings json file
         if: success()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: pytest-warnings-json-${{ matrix.shard_name }}-${{ matrix.python-version }}-${{ matrix.django-version }}-${{ matrix.mongo-version }}-${{ matrix.os-version }}
           path: |
@@ -143,7 +143,7 @@ jobs:
           mv reports/.coverage reports/${{ matrix.shard_name }}_${{ matrix.python-version }}_${{ matrix.django-version }}_${{ matrix.mongo-version }}_${{ matrix.os-version }}.coverage
 
       - name: Upload coverage
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-${{ matrix.shard_name }}-${{ matrix.python-version }}-${{ matrix.django-version }}-${{ matrix.mongo-version }}-${{ matrix.os-version }}
           path: reports/${{ matrix.shard_name }}_${{ matrix.python-version }}_${{ matrix.django-version }}_${{ matrix.mongo-version }}_${{ matrix.os-version }}.coverage
@@ -230,7 +230,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: collect pytest warnings files
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           pattern: pytest-warnings-json-*
           merge-multiple: true
@@ -245,7 +245,7 @@ jobs:
 
       - name: save warning report
         if: success()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: pytest-warning-report-html
           path: |
@@ -257,14 +257,14 @@ jobs:
     needs: [compile-warnings-report]
     steps:
       - name: Merge Pytest Warnings JSON Artifacts
-        uses: actions/upload-artifact/merge@v6
+        uses: actions/upload-artifact/merge@v7
         with:
           name: pytest-warnings-json
           pattern: pytest-warnings-json-*
           delete-merged: true
 
       - name: Merge Coverage Artifacts
-        uses: actions/upload-artifact/merge@v6
+        uses: actions/upload-artifact/merge@v7
         with:
           name: coverage
           pattern: coverage-*
@@ -289,7 +289,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           pattern: coverage-*
           merge-multiple: true
 
@@ -13,6 +13,7 @@ lms/envs/private.py
 cms/envs/private.py
 .venv/
 CLAUDE.md
+.claude/
 AGENTS.md
 # end-noclean
 
 
@@ -10,6 +10,10 @@ sphinx:
 
 python:
   install:
+    # Need to install this to set the correct version of steuptools for now
+    # because it is needed by fs
+    # See https://github.com/openedx/openedx-platform/issues/38068 for details.
+  - requirements: "requirements/pip-tools.txt"
   - requirements: "requirements/edx/doc.txt"
   - method: pip
     path: .
@@ -171,8 +171,8 @@ xsslint: ## check xss for quality issuest
 	--config=scripts.xsslint_config \
 	--thresholds=scripts/xsslint_thresholds.json
 
-pycodestyle: ## check python files for quality issues
-	pycodestyle .
+ruff: ## check python files with ruff
+	ruff check .
 
 ## Re-enable --lint flag when this issue https://github.com/openedx/edx-platform/issues/35775 is resolved
 pii_check: ## check django models for pii annotations
 
@@ -97,9 +97,9 @@ class EntityLinkBase(models.Model):
     )
     # A downstream entity can only link to single upstream entity
     # whereas an entity can be upstream for multiple downstream entities.
-    downstream_usage_key = UsageKeyField(max_length=255, unique=True)
+    downstream_usage_key = UsageKeyField(unique=True)
     # Search by course/downstream key
-    downstream_context_key = CourseKeyField(max_length=255, db_index=True)
+    downstream_context_key = CourseKeyField(db_index=True)
     # This is present if the creation of this link is a consequence of
     # importing a container that has one or more levels of children.
     # This represents the parent (container) in the top level
@@ -152,7 +152,6 @@ class ComponentLink(EntityLinkBase):
         blank=True,
     )
     upstream_usage_key = UsageKeyField(
-        max_length=255,
         help_text=_(
             "Upstream block usage key, this value cannot be null"
             " and useful to track upstream library blocks that do not exist yet"
@@ -324,7 +323,6 @@ class ContainerLink(EntityLinkBase):
         blank=True,
     )
     upstream_container_key = ContainerKeyField(
-        max_length=255,
         help_text=_(
             "Upstream block key (e.g. lct:...), this value cannot be null "
             "and is useful to track upstream library blocks that do not exist yet "
@@ -564,7 +562,6 @@ class LearningContextLinksStatus(models.Model):
     course or a learning context.
     """
     context_key = CourseKeyField(
-        max_length=255,
         # Single entry for a learning context or course
         unique=True,
         help_text=_("Linking status for course context key"),
 
@@ -2,13 +2,23 @@
 Tests for the course advanced settings API.
 """
 import json
+import pkg_resources
+from unittest.mock import patch
 
+import casbin
 import ddt
 from django.test import override_settings
 from django.urls import reverse
 from milestones.tests.utils import MilestonesTestCaseMixin
+from rest_framework.test import APIClient
 
 from cms.djangoapps.contentstore.tests.utils import CourseTestCase
+from common.djangoapps.student.tests.factories import UserFactory
+from openedx.core import toggles as core_toggles
+from openedx_authz.api.users import assign_role_to_user_in_scope
+from openedx_authz.constants.roles import COURSE_STAFF
+from openedx_authz.engine.enforcer import AuthzEnforcer
+from openedx_authz.engine.utils import migrate_policy_between_enforcers
 
 
 @ddt.ddt
@@ -91,3 +101,105 @@ def test_disabled_fetch_all_query_param(self, setting, excluded_field):
         with override_settings(FEATURES={setting: False}):
             resp = self.client.get(self.url, {"fetch_all": 0})
             assert excluded_field not in resp.data
+
+
+@patch.object(core_toggles.AUTHZ_COURSE_AUTHORING_FLAG, 'is_enabled', return_value=True)
+class AdvancedSettingsAuthzTest(CourseTestCase):
+    """
+    Tests for AdvancedCourseSettingsView authorization with openedx-authz.
+
+    These tests enable the AUTHZ_COURSE_AUTHORING_FLAG by default.
+    """
+
+    def setUp(self):
+        super().setUp()
+        self._seed_database_with_policies()
+        self.url = reverse(
+            "cms.djangoapps.contentstore:v0:course_advanced_settings",
+            kwargs={"course_id": self.course.id},
+        )
+
+        # Create test users
+        self.authorized_user = UserFactory()
+        self.unauthorized_user = UserFactory()
+
+        # Assign role to authorized user
+        assign_role_to_user_in_scope(
+            self.authorized_user.username,
+            COURSE_STAFF.external_key,
+            str(self.course.id)
+        )
+        AuthzEnforcer.get_enforcer().load_policy()
+
+        # Create API clients and force_authenticate
+        self.authorized_client = APIClient()
+        self.authorized_client.force_authenticate(user=self.authorized_user)
+        self.unauthorized_client = APIClient()
+        self.unauthorized_client.force_authenticate(user=self.unauthorized_user)
+
+    def tearDown(self):
+        super().tearDown()
+        AuthzEnforcer.get_enforcer().clear_policy()
+
+    @classmethod
+    def _seed_database_with_policies(cls):
+        """Seed the database with policies from the policy file."""
+        global_enforcer = AuthzEnforcer.get_enforcer()
+        global_enforcer.load_policy()
+        model_path = pkg_resources.resource_filename("openedx_authz.engine", "config/model.conf")
+        policy_path = pkg_resources.resource_filename("openedx_authz.engine", "config/authz.policy")
+        migrate_policy_between_enforcers(
+            source_enforcer=casbin.Enforcer(model_path, policy_path),
+            target_enforcer=global_enforcer,
+        )
+
+    def test_authorized_for_specific_course(self, mock_flag):
+        """User authorized for specific course can access."""
+        response = self.authorized_client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_unauthorized_for_specific_course(self, mock_flag):
+        """User without authorization for specific course cannot access."""
+        response = self.unauthorized_client.get(self.url)
+        self.assertEqual(response.status_code, 403)
+
+    def test_unauthorized_for_different_course(self, mock_flag):
+        """User authorized for one course cannot access another course."""
+        other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.user.id)
+        other_url = reverse(
+            "cms.djangoapps.contentstore:v0:course_advanced_settings",
+            kwargs={"course_id": other_course.id},
+        )
+        response = self.authorized_client.get(other_url)
+        self.assertEqual(response.status_code, 403)
+
+    def test_staff_authorized_by_default(self, mock_flag):
+        """Staff users are authorized by default."""
+        response = self.client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_superuser_authorized_by_default(self, mock_flag):
+        """Superusers are authorized by default."""
+        superuser = UserFactory(is_superuser=True, is_staff=False)
+        superuser_client = APIClient()
+        superuser_client.force_authenticate(user=superuser)
+        response = superuser_client.get(self.url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_patch_authorized_for_specific_course(self, mock_flag):
+        """User authorized for specific course can PATCH."""
+        response = self.authorized_client.patch(
+            self.url,
+            {"display_name": {"value": "Test"}},
+            content_type="application/json"
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_patch_unauthorized_for_specific_course(self, mock_flag):
+        """User without authorization for specific course cannot PATCH."""
+        response = self.unauthorized_client.patch(
+            self.url,
+            {"display_name": {"value": "Test"}},
+            content_type="application/json"
+        )
+        self.assertEqual(response.status_code, 403)
@@ -11,7 +11,7 @@
 
 from cms.djangoapps.models.settings.course_metadata import CourseMetadata
 from cms.djangoapps.contentstore.api.views.utils import get_bool_param
-from common.djangoapps.student.auth import has_studio_read_access, has_studio_write_access
+from common.djangoapps.student.auth import check_course_advanced_settings_access
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
 from ..serializers import CourseAdvancedSettingsSerializer
 from ....views.course import update_course_advanced_settings
@@ -115,7 +115,7 @@ def get(self, request: Request, course_id: str):
         if not filter_query_data.is_valid():
             raise ValidationError(filter_query_data.errors)
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_read_access(request.user, course_key):
+        if not check_course_advanced_settings_access(request.user, course_key, access_type='read'):
             self.permission_denied(request)
         course_block = modulestore().get_course(course_key)
         fetch_all = get_bool_param(request, 'fetch_all', True)
@@ -184,7 +184,7 @@ def patch(self, request: Request, course_id: str):
         along with all the course's settings similar to a ``GET`` request.
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_write_access(request.user, course_key):
+        if not check_course_advanced_settings_access(request.user, course_key, access_type='write'):
             self.permission_denied(request)
         course_block = modulestore().get_course(course_key)
         updated_data = update_course_advanced_settings(course_block, request.data, request.user)