[FC-0099] feat: add default policy and fix tests (openedx#92)

Author: MaferMazu

CHANGELOG.rst

@@ -16,6 +16,20 @@ Unreleased
 
 *
 
+0.5.0 - 2025-10-21
+******************
+
+Added
+=====
+
+* Default policy for Content Library roles and permissions.
+
+Fixed
+=====
+
+* Add plugin_settings in test settings.
+* Update permissions for RoleListView.
+
 0.4.1 - 2025-10-16
 ******************
 

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "0.4.1"
+__version__ = "0.5.0"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/engine/config/authz.policy

@@ -9,52 +9,62 @@
 # For role definitions use: lib^*, course^*, org^* to specify the scope of the role
 
 # Library Admin Role Policies
-p, role^library_admin, act^delete_library, lib^*, allow
-p, role^library_admin, act^publish_library, lib^*, allow
-p, role^library_admin, act^manage_library_team, lib^*, allow
+p, role^library_admin, act^view_library, lib^*, allow
 p, role^library_admin, act^manage_library_tags, lib^*, allow
-p, role^library_admin, act^delete_library_content, lib^*, allow
+p, role^library_admin, act^delete_library, lib^*, allow
+p, role^library_admin, act^edit_library_content, lib^*, allow
 p, role^library_admin, act^publish_library_content, lib^*, allow
-p, role^library_admin, act^delete_library_collection, lib^*, allow
-p, role^library_admin, act^create_library, lib^*, allow
+p, role^library_admin, act^reuse_library_content, lib^*, allow
+p, role^library_admin, act^view_library_team, lib^*, allow
+p, role^library_admin, act^manage_library_team, lib^*, allow
 p, role^library_admin, act^create_library_collection, lib^*, allow
+p, role^library_admin, act^edit_library_collection, lib^*, allow
+p, role^library_admin, act^delete_library_collection, lib^*, allow
 
 # Library Author Role Policies
-p, role^library_author, act^delete_library_content, lib^*, allow
-p, role^library_author, act^publish_library_content, lib^*, allow
-p, role^library_author, act^edit_library, lib^*, allow
+p, role^library_author, act^view_library, lib^*, allow
 p, role^library_author, act^manage_library_tags, lib^*, allow
+p, role^library_author, act^edit_library_content, lib^*, allow
+p, role^library_author, act^publish_library_content, lib^*, allow
+p, role^library_author, act^reuse_library_content, lib^*, allow
+p, role^library_author, act^view_library_team, lib^*, allow
 p, role^library_author, act^create_library_collection, lib^*, allow
 p, role^library_author, act^edit_library_collection, lib^*, allow
 p, role^library_author, act^delete_library_collection, lib^*, allow
 
-# Library Collaborator Role Policies
-p, role^library_collaborator, act^edit_library, lib^*, allow
-p, role^library_collaborator, act^delete_library_content, lib^*, allow
-p, role^library_collaborator, act^manage_library_tags, lib^*, allow
-p, role^library_collaborator, act^create_library_collection, lib^*, allow
-p, role^library_collaborator, act^edit_library_collection, lib^*, allow
-p, role^library_collaborator, act^delete_library_collection, lib^*, allow
+# Library Contributor Role Policies
+p, role^library_contributor, act^view_library, lib^*, allow
+p, role^library_contributor, act^manage_library_tags, lib^*, allow
+p, role^library_contributor, act^edit_library_content, lib^*, allow
+p, role^library_contributor, act^reuse_library_content, lib^*, allow
+p, role^library_contributor, act^view_library_team, lib^*, allow
+p, role^library_contributor, act^create_library_collection, lib^*, allow
+p, role^library_contributor, act^edit_library_collection, lib^*, allow
+p, role^library_contributor, act^delete_library_collection, lib^*, allow
 
 # Library User Role Policies
 p, role^library_user, act^view_library, lib^*, allow
-p, role^library_user, act^view_library_team, lib^*, allow
 p, role^library_user, act^reuse_library_content, lib^*, allow
+p, role^library_user, act^view_library_team, lib^*, allow
 
 # Action Inheritance (g2) - format: g2 = granted_action, implied_action
 # Higher-level permissions automatically grant lower-level permissions
 # If a user has the granted_action, they also have the implied_action
 # Example: g2, act^delete_library, act^view_library means delete permission includes view permission
-g2, act^delete_library, act^view_library
-g2, act^edit_library, act^view_library
-g2, act^create_library, act^view_library
-g2, act^publish_library, act^view_library
+# Library
+g2, act^manage_library_tags, act^edit_library_content
+g2, act^delete_library, act^edit_library_content
+
+# Content
+g2, act^publish_library_content, act^edit_library_content
+g2, act^edit_library_content, act^view_library
+g2, act^reuse_library_content, act^view_library
+g2, act^publish_library_content, act^view_library
+
+# Team
 g2, act^manage_library_team, act^view_library_team
-g2, act^manage_library_tags, act^view_library_tags
+
+# Collections
 g2, act^delete_library_collection, act^edit_library_collection
-g2, act^edit_library_collection, act^view_library_collection
 g2, act^create_library_collection, act^edit_library_collection
-g2, act^edit_library_content, act^view_library_content
-g2, act^delete_library_content, act^edit_library_content
-g2, act^publish_library_content, act^view_library_content
-g2, act^reuse_library_content, act^view_library_content
+g2, act^edit_library_collection, act^view_library

openedx_authz/management/commands/load_policies.py

@@ -9,6 +9,7 @@
 import os
 
 import casbin
+import click
 from django.core.management.base import BaseCommand
 
 from openedx_authz import ROOT_DIRECTORY
@@ -49,6 +50,11 @@ def add_arguments(self, parser) -> None:
             default=None,
             help="Path to the Casbin model configuration file",
         )
+        parser.add_argument(
+            "--clear-existing",
+            action="store_true",
+            help="Flag to clear existing policies before loading new ones",
+        )
 
     def handle(self, *args, **options):
         """Execute the policy loading command.
@@ -73,8 +79,21 @@ def handle(self, *args, **options):
                 ROOT_DIRECTORY, "engine", "config", "model.conf"
             )
 
+        target_enforcer = AuthzEnforcer.get_enforcer()
+
+        if options.get("clear_existing"):
+            target_enforcer.load_policy()
+            if click.confirm(click.style('Do you want to delete existing roles? '
+                                         '(This will also delete the assignments related to those roles)',
+                                         fg='yellow', bold=True), default=False):
+                self._delete_existing_roles(target_enforcer)
+
+            if click.confirm(click.style('Do you want to delete existing permissions inheritance?',
+                                         fg='yellow', bold=True), default=False):
+                self._delete_permissions_inheritance(target_enforcer)
+
         source_enforcer = casbin.Enforcer(model_file_path, policy_file_path)
-        self.migrate_policies(source_enforcer, AuthzEnforcer.get_enforcer())
+        self.migrate_policies(source_enforcer, target_enforcer)
 
     def migrate_policies(self, source_enforcer, target_enforcer):
         """Migrate policies from the source enforcer to the target enforcer.
@@ -88,3 +107,27 @@ def migrate_policies(self, source_enforcer, target_enforcer):
             target_enforcer: The Casbin enforcer instance to migrate policies to.
         """
         migrate_policy_between_enforcers(source_enforcer, target_enforcer)
+
+    def _delete_existing_roles(self, target_enforcer):
+        """Delete existing roles from the target enforcer.
+
+        Args:
+            target_enforcer: The Casbin enforcer instance to delete roles from.
+        """
+        list_of_roles = target_enforcer.get_all_subjects()
+        for role in list_of_roles:
+            result = target_enforcer.delete_role(role)
+            if result:
+                click.echo(f"Deleted role: {role}")
+
+    def _delete_permissions_inheritance(self, target_enforcer):
+        """Delete existing permissions inheritance from the target enforcer.
+
+        Args:
+            target_enforcer: The Casbin enforcer instance to delete permissions inheritance from.
+        """
+        list_of_permissions = target_enforcer.get_named_grouping_policy("g2")
+        for permission in list(list_of_permissions):
+            result = target_enforcer.remove_named_grouping_policy("g2", *permission)
+            if result:
+                click.echo(f"Deleted permission inheritance: {permission}")