- Add authz_migrate_course_authoring command to migrate legacy CourseAccessRole data to the new Authz (Casbin-based) system
- Add authz_rollback_course_authoring command to roll back Authz roles to legacy CourseAccessRole
- Support optional --delete flag for controlled cleanup of source permissions after successful migration
- Add migrate_legacy_course_roles_to_authz and migrate_authz_to_legacy_course_roles service functions
- Add unit tests to verify migration and command behavior
- ADR on the AuthZ for Course Authoring implementation plan.
- ADR on the AuthZ for Course Authoring Feature Flag Implementation Details.
- Defined course roles and permissions mappings, including legacy-compatible permissions.
- Add course staff role, permission to manage advanced course settings, and introduce course scope
- Add configurable logging level for Casbin enforcer via CASBIN_LOG_LEVEL setting (defaults to WARNING).
- Use a RequestCache for is_admin_or_superuser matcher to improve performance.
- Use short_name instead of name from organization when building library key.
- Handle cache invalidation via a uuid in the database to ensure policy reloads occur only when necessary.
- Migration to transfer legacy permissions from ContentLibraryPermission to the new Casbin-based authorization model.
- Avoid circular import of AuthzEnforcer.
- Signal to clear policies associated to a user when they are retired.
- BREAKING: Update permission format to include app namespace prefix.
- Register CasbinRule model in the Django admin.
- Register ExtendedCasbinRule model in the Django admin as an inline model of CasbinRule.
- ExtendedCasbinRule model to extend the base CasbinRule model for additional metadata, and cascade delete support.
- Implement custom matcher to check for staff and superuser status.
- Avoid duplicates when getting scopes for given user and permissions.
- Add support for global scopes instead of generic sc scope to support instance-level permissions.
- Load authorization policies in permission class.
- Consider Content Library V2 toggle only in CMS service variant.
- Refactor to get permissions' scopes instead of role.
- Use correct content library toggle to check if Content Library V2 is enabled.
- Disable auto-save and auto-load of policies if Content Library V2 is disabled.
- Fix constants and test class so they can be used outside this app.
- New get_object() method in ScopeData to retrieve underlying domain objects
- Implementation of get_object() for ContentLibraryData with canonical key validation
- Refactor ContentLibraryData.exists() to use get_object() internally
- Fix role user count to accurately filter users assigned to roles within specific scopes instead of across all scopes.
- Function API to retrieve scopes for a given role and subject.
- Allow disabling auto-load and auto-save of policies by setting CASBIN_AUTO_LOAD_POLICY_INTERVAL to -1.
- Migrate from using pycodestyle and isort to ruff for code quality checks and formatting.
- Enhance enforcement command with dual operational modes (database and file mode).
- Initial migration to establish dependency on casbin_adapter for automatic CasbinRule table creation.
- Use a SyncedEnforcer with default auto load policy.
- Remove Casbin Redis watcher from engine configuration.
- Default policy for Content Library roles and permissions.
- Add plugin_settings in test settings.
- Update permissions for RoleListView.
- Load policy before adding policies in the loading script to avoid duplicates.
- Initialize enforcer when application is ready to avoid access errors.
- Implementation of REST API for roles and permissions management.
- ADRs for key design decisions.
- Casbin model (CONF) and engine layer for authorization.
- Implementation of public API for roles and permissions management.
- Basic repo structure and initial setup.