feat: refactor role and permission constants for better organization and context handling

Author: bra-i-am

src/authz-module/constants.ts

@@ -1,3 +1,9 @@
+import {
+  libraryRolesMetadata,
+  libraryResourceTypes,
+  libraryPermissions,
+} from '@src/authz-module/roles-permissions/libraries/constants';
+
 export const ROUTES = {
   LIBRARIES_TEAM_PATH: '/libraries/:libraryId',
   LIBRARIES_USER_PATH: '/libraries/:libraryId/:username',
@@ -12,65 +18,6 @@ export enum RoleOperationErrorStatus {
   ROLE_REMOVAL_ERROR = 'role_removal_error',
 }
 
-// Content Library Permission Keys
-export const CONTENT_LIBRARY_PERMISSIONS = {
-  DELETE_LIBRARY: 'content_libraries.delete_library',
-  MANAGE_LIBRARY_TAGS: 'content_libraries.manage_library_tags',
-  VIEW_LIBRARY: 'content_libraries.view_library',
-
-  EDIT_LIBRARY_CONTENT: 'content_libraries.edit_library_content',
-  PUBLISH_LIBRARY_CONTENT: 'content_libraries.publish_library_content',
-  REUSE_LIBRARY_CONTENT: 'content_libraries.reuse_library_content',
-
-  CREATE_LIBRARY_COLLECTION: 'content_libraries.create_library_collection',
-  EDIT_LIBRARY_COLLECTION: 'content_libraries.edit_library_collection',
-  DELETE_LIBRARY_COLLECTION: 'content_libraries.delete_library_collection',
-
-  MANAGE_LIBRARY_TEAM: 'content_libraries.manage_library_team',
-  VIEW_LIBRARY_TEAM: 'content_libraries.view_library_team',
-};
-
-// Note: this information will eventually come from the backend API
-// but for the MVP we decided to manage it in the frontend
-export const libraryRolesMetadata = [
-  {
-    role: 'library_admin', name: 'Library Admin', description: 'Can create and manage content libraries, including access and structure.', contextType: 'library',
-  },
-  {
-    role: 'library_author', name: 'Library Author', description: 'Can create and edit library content, but cannot manage access.', contextType: 'library',
-  },
-  {
-    role: 'library_contributor', name: 'Library Contributor', description: 'Can contribute and update library content shared with them.', contextType: 'library',
-  },
-  {
-    role: 'library_user', name: 'Library User', description: 'Can view and use library content, but cannot edit it.', contextType: 'library',
-  },
-];
-
-export const libraryResourceTypes = [
-  { key: 'library', label: 'Library', description: 'Permissions related to the library as a whole.' },
-  { key: 'library_content', label: 'Content', description: 'Permissions to create, edit, delete, and publish individual content items within the library.' },
-  { key: 'library_collection', label: 'Collection', description: 'Permissions to create, edit, and delete content collections within the library.' },
-  { key: 'library_team', label: 'Team', description: 'Permissions to manage user access and roles within the library.' },
-];
-
-export const libraryPermissions = [
-  { key: CONTENT_LIBRARY_PERMISSIONS.DELETE_LIBRARY, resource: 'library', description: 'Allows the user to delete the library and all its contents.' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TAGS, resource: 'library', description: 'Add or remove tags from content.' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY, resource: 'library', description: 'View content, search, filter, and sort within the library.' },
-
-  { key: CONTENT_LIBRARY_PERMISSIONS.EDIT_LIBRARY_CONTENT, resource: 'library_content', description: 'Edit content in draft mode' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.PUBLISH_LIBRARY_CONTENT, resource: 'library_content', description: 'Publish content, making it available for reuse' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.REUSE_LIBRARY_CONTENT, resource: 'library_content', description: 'Reuse published content within a course.' },
-
-  { key: CONTENT_LIBRARY_PERMISSIONS.CREATE_LIBRARY_COLLECTION, resource: 'library_collection', description: 'Create new collections within a library.' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.EDIT_LIBRARY_COLLECTION, resource: 'library_collection', description: 'Add or remove content from existing collections.' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.DELETE_LIBRARY_COLLECTION, resource: 'library_collection', description: 'Delete entire collections from the library.' },
-
-  { key: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM, resource: 'library_team', description: 'Add, remove, and assign roles to users within the library.' },
-  { key: CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM, resource: 'library_team', description: 'View the list of users who have access to the library.' },
-];
-
 // Course Permission Keys
 export const COURSE_PERMISSIONS = {
   // View permissions (Course Auditor)

src/authz-module/libraries-manager/LibrariesTeamManager.tsx

@@ -12,7 +12,7 @@ import AuthZLayout from '../components/AuthZLayout';
 import RoleCard from '../components/RoleCard';
 import PermissionTable from '../components/PermissionTable';
 import { useLibraryAuthZ } from './context';
-import { buildPermissionMatrixByResource, buildPermissionMatrixByRole } from './utils';
+import { buildPermissionMatrixByResource, buildPermissionMatrixByRole } from '@src/authz-module/roles-permissions/libraries/utils';
 
 import messages from './messages';
 

src/authz-module/libraries-manager/components/TeamTable/index.test.tsx

@@ -4,7 +4,7 @@ import { renderWrapper } from '@src/setupTest';
 import { useTeamMembers } from '@src/authz-module/data/hooks';
 import { useLibraryAuthZ } from '@src/authz-module/libraries-manager/context';
 import { ToastManagerProvider } from '@src/authz-module/libraries-manager/ToastManagerContext';
-import { CONTENT_LIBRARY_PERMISSIONS } from '@src/authz-module/constants';
+import { CONTENT_LIBRARY_PERMISSIONS } from '@src/authz-module/roles-permissions/libraries/constants';
 import TeamTable from './index';
 
 const mockNavigate = jest.fn();

src/authz-module/libraries-manager/constants.ts

@@ -1,16 +1,9 @@
-import {
-  CONTENT_LIBRARY_PERMISSIONS,
-  libraryRolesMetadata,
-  libraryResourceTypes,
-  libraryPermissions,
-} from '../constants';
-
 export {
   CONTENT_LIBRARY_PERMISSIONS,
   libraryRolesMetadata,
   libraryResourceTypes,
   libraryPermissions,
-};
+} from '@src/authz-module/roles-permissions/libraries/constants';
 
 export const DEFAULT_TOAST_DELAY = 5000;
 export const RETRY_TOAST_DELAY = 120_000; // 2 minutes

src/authz-module/libraries-manager/context.tsx

@@ -9,7 +9,7 @@ import { PermissionMetadata, ResourceMetadata, Role } from 'types';
 import { CustomErrors } from '@src/constants';
 import {
   CONTENT_LIBRARY_PERMISSIONS, libraryPermissions, libraryResourceTypes, libraryRolesMetadata,
-} from './constants';
+} from '@src/authz-module/roles-permissions/libraries/constants';
 
 const LIBRARY_TEAM_PERMISSIONS = [
   CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM,

src/authz-module/libraries-manager/utils.ts

@@ -1,157 +1 @@
-import { IntlShape } from '@edx/frontend-platform/i18n';
-import { actionKeys } from '@src/authz-module/components/RoleCard/constants';
-import {
-  EnrichedPermission, PermissionMetadata, PermissionsResourceGrouped,
-  PermissionsRoleGrouped, ResourceMetadata, Role, RoleResourceGroup,
-} from '@src/types';
-import actionMessages from '../components/RoleCard/messages';
-
-/**
- * Derives the localized label and action key for a given permission.
- *
- * This function enhance the permissions metadata mapping the key to a list of prefefined actions
- * to add visual elemments (icons) and a localized label.
- * If a label is already defined in the permission metadata, that is returned as-is.
- *
- * Special handling is applied for action keys like `'tag'` and `'team'`, which are
- * normalized to `'manage'` and given a custom resource string for translation.
- *
- * @param permission - The permission metadata, typically containing a key and optional label.
- * @param intl - The `IntlShape` object used to generate localized labels.
- *
- * @returns An object containing:
- * - `label`: The human-readable, localized label for the permission.
- * - `actionKey`: A string representing icon to be displayed (e.g., `'Read'`, `'Edit'`), or '' if not matched.
- */
-const getPermissionMetadata = (permission: PermissionMetadata, intl: IntlShape): EnrichedPermission => {
-  const actionKey = actionKeys.find(action => permission.key.includes(action)) || '';
-  let messageKey = `authz.permissions.actions.${actionKey}`;
-  let messageResource = '';
-
-  if (actionKey === 'tag' || actionKey === 'team') {
-    messageKey = 'authz.permissions.actions.manage';
-    messageResource = actionKey === 'tag' ? 'Tags' : '';
-  }
-
-  const messageDescriptor = actionMessages[messageKey];
-  const label = permission.label || (messageDescriptor
-    ? intl.formatMessage(messageDescriptor, { resource: messageResource })
-    : permission.key);
-
-  return { ...permission, label, actionKey };
-};
-
-type BuildPermissionsMatrixProps = {
-  roles: Role[];
-  permissions: PermissionMetadata[];
-  resources: ResourceMetadata[];
-  intl: IntlShape;
-};
-
-/**
- * Builds a permission matrix from the given roles, permissions, and resources.
- *
- * The matrix groups permissions under their respective resources and maps
- * each permission to which roles have access to it.
- *
- * @param roles - List of roles, each containing a list of granted permission keys.
- * @param permissions - Metadata describing each permission, including its associated resource.
- * @param resources - List of resource metadata used to group permissions.
- * @param intl - The internationalization object used to localize permission labels.
- *
- * @returns A permission matrix grouped by resource, with role mappings per permission.
- */
-const buildPermissionMatrixByResource = ({
-  roles, permissions, resources, intl,
-}: BuildPermissionsMatrixProps): PermissionsResourceGrouped[] => {
-  const enrichedPermissions = permissions.reduce((acc, perm) => {
-    acc[perm.key] = getPermissionMetadata(perm, intl);
-    return acc;
-  }, {} as Record<string, EnrichedPermission>);
-
-  const permissionsByResource = permissions.reduce<Record<string, PermissionMetadata[]>>((acc, perm) => {
-    if (!acc[perm.resource]) { acc[perm.resource] = []; }
-    acc[perm.resource].push(perm);
-    return acc;
-  }, {});
-
-  return resources.map(resource => {
-    const perms = permissionsByResource[resource.key] || [];
-
-    const permissionRows = perms.map(permission => {
-      const enriched = enrichedPermissions[permission.key];
-      const rolesMap = roles.reduce((acc, role) => {
-        acc[role.name] = role.permissions.includes(permission.key);
-        return acc;
-      }, {} as Record<string, boolean>);
-
-      return {
-        ...enriched,
-        roles: rolesMap,
-      };
-    });
-
-    return {
-      ...resource,
-      permissions: permissionRows,
-    };
-  });
-};
-
-/**
- * Builds a permission matrix for grouped by roles.
- *
- * Builds a permission matrix grouped by resource, mapping each action to its display label
- * and enabled/disabled state based on the role's allowed permissions.
- *
- * @param roles - Array of roles metadata.
- * @param permissions - Permissions metadata.
- * @param resources - Resources metadata.
- * @param intl - the i18n function to enable label translations.
- * @returns An array of permission groupings by role and resource with action-level details.
- */
-const buildPermissionMatrixByRole = ({
-  roles, permissions, resources, intl,
-}: BuildPermissionsMatrixProps): PermissionsRoleGrouped[] => {
-  const enrichedPermissions = permissions.reduce((acc, perm) => {
-    acc[perm.key] = getPermissionMetadata(perm, intl);
-    return acc;
-  }, {} as Record<string, EnrichedPermission>);
-
-  return roles.map(role => {
-    const allowed = new Set(role.permissions);
-    const permissionsGroupedByResource: Record<string, RoleResourceGroup> = {};
-
-    permissions.forEach(permission => {
-      const enriched = enrichedPermissions[permission.key];
-      const { resource } = permission;
-
-      if (!enriched.actionKey) { return; }
-
-      if (!permissionsGroupedByResource[resource]) {
-        const resourceInfo = resources.find(r => r.key === resource);
-        if (!resourceInfo) { return; }
-
-        permissionsGroupedByResource[resource] = {
-          key: resourceInfo.key,
-          label: resourceInfo.label,
-          description: resourceInfo.description,
-          permissions: [],
-        };
-      }
-
-      permissionsGroupedByResource[resource].permissions.push({
-        ...enriched,
-        description: permission.description,
-        disabled: !allowed.has(permission.key),
-      });
-    });
-
-    return {
-      ...role,
-      resources: Object.values(permissionsGroupedByResource),
-    };
-  });
-};
-
-export { buildPermissionMatrixByResource, buildPermissionMatrixByRole };
+export { buildPermissionMatrixByResource, buildPermissionMatrixByRole } from '@src/authz-module/roles-permissions/libraries/utils';

src/authz-module/roles-permissions/libraries/constants.ts

@@ -26,10 +26,10 @@ export const CONTENT_LIBRARY_PERMISSIONS = {
 // Note: this information will eventually come from the backend API
 // but for the MVP we decided to manage it in the frontend
 export const libraryRolesMetadata: RoleMetadata[] = [
-  { role: 'library_admin', name: 'Library Admin', description: 'The Library Admin has full control over the library, including managing users, modifying content, and handling publishing workflows. They ensure content is properly maintained and accessible as needed.' },
-  { role: 'library_author', name: 'Library Author', description: 'The Library Author is responsible for creating, editing, and publishing content within a library. They can manage tags and collections but cannot delete libraries or manage users.' },
-  { role: 'library_contributor', name: 'Library Contributor', description: 'The Library Contributor can create and edit content within a library but cannot publish it. They support the authoring process while leaving final publishing to Authors or Admins.' },
-  { role: 'library_user', name: 'Library User', description: 'The Library User can view and reuse content but cannot edit or delete any resource.' },
+  { role: 'library_admin', name: 'Library Admin', description: 'The Library Admin has full control over the library, including managing users, modifying content, and handling publishing workflows. They ensure content is properly maintained and accessible as needed.', contextType: 'library' },
+  { role: 'library_author', name: 'Library Author', description: 'The Library Author is responsible for creating, editing, and publishing content within a library. They can manage tags and collections but cannot delete libraries or manage users.', contextType: 'library' },
+  { role: 'library_contributor', name: 'Library Contributor', description: 'The Library Contributor can create and edit content within a library but cannot publish it. They support the authoring process while leaving final publishing to Authors or Admins.', contextType: 'library' },
+  { role: 'library_user', name: 'Library User', description: 'The Library User can view and reuse content but cannot edit or delete any resource.', contextType: 'library' },
 ];
 
 export const libraryResourceTypes: ResourceMetadata[] = [

src/authz-module/roles-permissions/libraries/utils.ts

@@ -27,13 +27,15 @@ const getPermissionMetadata = (permission: PermissionMetadata, intl: IntlShape):
   const actionKey = actionKeys.find(action => permission.key.includes(action)) || '';
   let messageKey = `authz.permissions.actions.${actionKey}`;
 
-  if (actionKey === 'team') {
+  let messageResource = '';
+  if (actionKey === 'tag' || actionKey === 'team') {
     messageKey = 'authz.permissions.actions.manage';
+    messageResource = actionKey === 'tag' ? 'Tags' : '';
   }
 
   const messageDescriptor = actionMessages[messageKey];
   const label = permission.label || (messageDescriptor
-    ? intl.formatMessage(messageDescriptor, { resource: '' })
+    ? intl.formatMessage(messageDescriptor, { resource: messageResource })
     : permission.key);
 
   return { ...permission, label, actionKey };

src/authz-module/wizard/AssignRoleWizard.tsx

@@ -9,9 +9,8 @@ import { SpinnerSimple } from '@openedx/paragon/icons';
 import SelectUsersAndRoleStep from './SelectUsersAndRoleStep';
 import DefineApplicationScopeStep from './DefineApplicationScopeStep';
 import { useValidateUsers } from '../data/hooks';
-import {
-  CONTENT_LIBRARY_PERMISSIONS, COURSE_PERMISSIONS, courseRolesMetadata, libraryRolesMetadata,
-} from '../constants';
+import { CONTENT_LIBRARY_PERMISSIONS, libraryRolesMetadata } from '../roles-permissions/libraries/constants';
+import { COURSE_PERMISSIONS, courseRolesMetadata } from '../constants';
 import { useValidateUserPermissions } from '../../data/hooks';
 import messages from './messages';
 

src/types.ts

@@ -28,6 +28,7 @@ export interface RoleMetadata {
   role: string;
   name: string;
   description: string;
+  contextType?: string;
 }
 export interface Role extends RoleMetadata {
   userCount: number;