openedx
diff --git a/‎src/authz-module/data/api.ts‎
Lines changed: 57 additions & 0 deletions b/‎src/authz-module/data/api.ts‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎src/authz-module/data/hooks.test.tsx‎
Lines changed: 123 additions & 1 deletion b/‎src/authz-module/data/hooks.test.tsx‎
Lines changed: 123 additions & 1 deletion
diff --git a/‎src/authz-module/data/hooks.ts‎
Lines changed: 40 additions & 4 deletions b/‎src/authz-module/data/hooks.ts‎
Lines changed: 40 additions & 4 deletions
diff --git a/‎src/authz-module/libraries-manager/LibrariesUserManager.test.tsx‎
Lines changed: 77 additions & 0 deletions b/‎src/authz-module/libraries-manager/LibrariesUserManager.test.tsx‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎src/authz-module/libraries-manager/LibrariesUserManager.tsx‎
Lines changed: 12 additions & 7 deletions b/‎src/authz-module/libraries-manager/LibrariesUserManager.tsx‎
Lines changed: 12 additions & 7 deletions
@@ -120,6 +120,63 @@ export const getPermissionsByRole = async (scope: string): Promise<PermissionsBy
   return camelCaseObject(data.results);
 };
 
+export interface ScopeItem {
+  externalKey: string;
+  displayName: string;
+  org: { id: number; name: string; shortName: string } | null;
+  description?: string; // synthetic field used only for aggregate items created on the frontend
+}
+
+export interface GetScopesResponse {
+  results: ScopeItem[];
+  count: number;
+  next: string | null;
+  previous: string | null;
+}
+
+export interface GetScopesParams {
+  scopeType?: string;
+  search?: string;
+  org?: string;
+  page?: number;
+  pageSize?: number;
+  managementPermissionOnly?: boolean;
+}
+
+export interface OrganizationItem {
+  id: number;
+  name: string;
+  shortName: string;
+  description: string;
+  logo: string | null;
+  active: boolean;
+}
+
+export interface GetOrganizationsResponse {
+  results: OrganizationItem[];
+  count: number;
+  next: string | null;
+  previous: string | null;
+}
+
+export const getScopes = async (params: GetScopesParams): Promise<GetScopesResponse> => {
+  const url = new URL(getApiUrl('/api/authz/v1/scopes/'));
+  if (params.scopeType) { url.searchParams.set('scope_type', params.scopeType); }
+  if (params.search) { url.searchParams.set('search', params.search); }
+  if (params.org) { url.searchParams.set('org', params.org); }
+  if (params.managementPermissionOnly) { url.searchParams.set('management_permission_only', 'true'); }
+  url.searchParams.set('page', (params.page ?? 1).toString());
+  url.searchParams.set('page_size', (params.pageSize ?? 10).toString());
+  const { data } = await getAuthenticatedHttpClient().get(url);
+  return camelCaseObject(data);
+};
+
+export const getOrganizations = async (): Promise<OrganizationItem[]> => {
+  const url = new URL(getApiUrl('/api/authz/v1/orgs/'));
+  const { data } = await getAuthenticatedHttpClient().get(url);
+  return camelCaseObject(data.results ?? data);
+};
+
 export const revokeUserRoles = async (
   data: RevokeUserRolesRequest,
 ): Promise<DeleteRevokeUserRolesResponse> => {
 
@@ -4,7 +4,7 @@ import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import { getAuthenticatedHttpClient } from '@edx/frontend-platform/auth';
 import {
   useLibrary, usePermissionsByRole, useTeamMembers, useAssignTeamMembersRole, useRevokeUserRoles,
-  useValidateUsers,
+  useValidateUsers, useScopes, useOrganizations,
 } from './hooks';
 
 jest.mock('@edx/frontend-platform/auth', () => ({
@@ -346,6 +346,128 @@ describe('useValidateUsers', () => {
   });
 });
 
+describe('useScopes', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  const makeScopesResponse = (next: string | null = null) => ({
+    results: [{
+      externalKey: 'lib:testorg:testlib',
+      displayName: 'Test Library',
+      org: { id: 1, name: 'Test Org', slug: 'testorg' },
+    }],
+    count: 1,
+    next,
+    previous: null,
+  });
+
+  it('returns pages data on success', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockResolvedValue({ data: makeScopesResponse() }),
+    });
+
+    const { result } = renderHook(() => useScopes({}), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+
+    expect(result.current.data?.pages).toHaveLength(1);
+    expect(result.current.data?.pages[0].results).toHaveLength(1);
+  });
+
+  it('hasNextPage is false when next is null', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockResolvedValue({ data: makeScopesResponse(null) }),
+    });
+
+    const { result } = renderHook(() => useScopes({}), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(result.current.hasNextPage).toBe(false);
+  });
+
+  it('hasNextPage is true when next URL has page param', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockResolvedValue({
+        data: makeScopesResponse('http://localhost:8000/api/authz/v1/scopes/?page=2'),
+      }),
+    });
+
+    const { result } = renderHook(() => useScopes({}), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(result.current.hasNextPage).toBe(true);
+  });
+
+  it('hasNextPage is false when next URL has no page param', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockResolvedValue({
+        data: makeScopesResponse('http://localhost:8000/api/authz/v1/scopes/'),
+      }),
+    });
+
+    const { result } = renderHook(() => useScopes({}), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(result.current.hasNextPage).toBe(false);
+  });
+
+  it('hasNextPage is false when next is an invalid URL', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockResolvedValue({
+        data: makeScopesResponse('not-a-valid-url'),
+      }),
+    });
+
+    const { result } = renderHook(() => useScopes({}), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(result.current.hasNextPage).toBe(false);
+  });
+
+  it('handles error when API call fails', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockRejectedValue(new Error('Network error')),
+    });
+
+    const { result } = renderHook(() => useScopes({}), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isError).toBe(true));
+    expect(result.current.error).toBeDefined();
+  });
+});
+
+describe('useOrganizations', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  const mockOrgs = [{
+    id: 1, name: 'Org One', shortName: 'org1', description: '', logo: null, active: true,
+  }];
+
+  it('returns organizations on success', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockResolvedValue({ data: { results: mockOrgs } }),
+    });
+
+    const { result } = renderHook(() => useOrganizations(), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(result.current.data).toEqual(mockOrgs);
+  });
+
+  it('handles error when API fails', async () => {
+    getAuthenticatedHttpClient.mockReturnValue({
+      get: jest.fn().mockRejectedValue(new Error('Failed')),
+    });
+
+    const { result } = renderHook(() => useOrganizations(), { wrapper: createWrapper() });
+
+    await waitFor(() => expect(result.current.isError).toBe(true));
+  });
+});
+
 describe('useRevokeUserRoles', () => {
   beforeEach(() => {
     jest.clearAllMocks();
 
@@ -1,12 +1,13 @@
 import {
-  useMutation, useQuery, useQueryClient, useSuspenseQuery,
+  useInfiniteQuery, useMutation, useQuery, useQueryClient, useSuspenseQuery,
 } from '@tanstack/react-query';
 import { appId } from '@src/constants';
 import { LibraryMetadata } from '@src/types';
 import {
-  assignTeamMembersRole, AssignTeamMembersRoleRequest, getLibrary, getPermissionsByRole, getTeamMembers,
-  GetTeamMembersResponse, PermissionsByRole, QuerySettings, revokeUserRoles, RevokeUserRolesRequest,
-  validateUsers, ValidateUsersRequest,
+  assignTeamMembersRole, AssignTeamMembersRoleRequest, getLibrary, getOrganizations,
+  getPermissionsByRole, getScopes, GetScopesParams, GetScopesResponse, getTeamMembers,
+  GetTeamMembersResponse, OrganizationItem, PermissionsByRole, QuerySettings, revokeUserRoles,
+  RevokeUserRolesRequest, validateUsers, ValidateUsersRequest,
 } from './api';
 
 const authzQueryKeys = {
@@ -106,6 +107,41 @@ export const useValidateUsers = () => useMutation({
   }) => validateUsers(data),
 });
 
+/**
+ * React Query hook to fetch a paginated, searchable list of scopes (courses or libraries).
+ * Uses infinite query to support infinite scroll.
+ *
+ * @param params - Filter params: contextType, search, org, pageSize
+ */
+export const useScopes = (params: Omit<GetScopesParams, 'page'>) => useInfiniteQuery<GetScopesResponse, Error>({
+  queryKey: [...authzQueryKeys.all, 'scopes', params],
+  queryFn: ({ pageParam }) => getScopes({ ...params, page: pageParam as number }),
+  getNextPageParam: (lastPage) => {
+    if (!lastPage.next) { return undefined; }
+    try {
+      const nextUrl = new URL(lastPage.next);
+      const page = nextUrl.searchParams.get('page');
+      return page ? parseInt(page, 10) : undefined;
+    } catch {
+      return undefined;
+    }
+  },
+  initialPageParam: 1,
+  staleTime: 1000 * 60 * 5,
+});
+
+/**
+ * React Query hook to fetch the list of organizations for a given context type.
+ * Used to populate the Organization filter dropdown in the scope selector.
+ *
+ * @param contextType - 'course' | 'library'
+ */
+export const useOrganizations = () => useQuery<OrganizationItem[], Error>({
+  queryKey: [...authzQueryKeys.all, 'organizations'],
+  queryFn: () => getOrganizations(),
+  staleTime: 1000 * 60 * 30,
+});
+
 /**
  * React Query hook to remove roles for a specific team member within a scope.
  *
 
@@ -11,9 +11,12 @@ jest.mock('@edx/frontend-platform/logging', () => ({
   logError: jest.fn(),
 }));
 
+const mockNavigate = jest.fn();
+
 jest.mock('react-router-dom', () => ({
   ...jest.requireActual('react-router-dom'),
   useParams: jest.fn(),
+  useNavigate: () => mockNavigate,
 }));
 
 jest.mock('./context', () => ({
@@ -162,6 +165,80 @@ describe('LibrariesUserManager', () => {
     expect(navLinkLibraryTeamManagement).toHaveAttribute('href', '/authz/libraries/lib:123');
   });
 
+  describe('Navigation guards', () => {
+    it('redirects to team path when canManageTeam is false', () => {
+      (useLibraryAuthZ as jest.Mock).mockReturnValue({
+        ...defaultMockData,
+        canManageTeam: false,
+      });
+
+      renderComponent();
+
+      expect(mockNavigate).toHaveBeenCalledWith('/authz/libraries/lib:123');
+    });
+
+    it('redirects to team path when user is not found after loading completes', async () => {
+      (useTeamMembers as jest.Mock).mockReturnValue({
+        data: { results: [] },
+        isLoading: false,
+        isFetching: false,
+      });
+
+      renderComponent();
+
+      await waitFor(() => {
+        expect(mockNavigate).toHaveBeenCalledWith('/authz/libraries/lib:123');
+      });
+    });
+
+    it('does not redirect while member data is still fetching', () => {
+      (useTeamMembers as jest.Mock).mockReturnValue({
+        data: undefined,
+        isLoading: true,
+        isFetching: true,
+      });
+
+      renderComponent();
+
+      // navigate should only be called for canManageTeam=true case (not at all here)
+      expect(mockNavigate).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Loading state', () => {
+    it('renders skeleton while loading team member data', () => {
+      (useTeamMembers as jest.Mock).mockReturnValue({
+        data: undefined,
+        isLoading: true,
+        isFetching: true,
+      });
+
+      renderComponent();
+
+      // Just verify the component renders without crashing in loading state
+      expect(screen.queryByText('Admin')).not.toBeInTheDocument();
+    });
+  });
+
+  describe('Assign role button', () => {
+    it('navigates to assign-role wizard when Assign Role button is clicked', async () => {
+      const user = userEvent.setup();
+      renderComponent();
+
+      // There are two "Assign Role" elements: the mocked AssignNewRoleTrigger and the real Button
+      // The real Button navigates; use getAllByText and click the one that is a <button>
+      const assignRoleButtons = screen.getAllByText('Assign Role');
+      const realButton = assignRoleButtons.find(
+        (el) => el.tagName === 'BUTTON' || el.closest('button[class*="btn-primary"]') !== null,
+      );
+      await user.click(realButton || assignRoleButtons[0]);
+
+      expect(mockNavigate).toHaveBeenCalledWith(
+        '/authz/assign-role?scope=lib:123&users=testuser',
+      );
+    });
+  });
+
   describe('Revoking User Role Flow', () => {
     it('opens confirmation modal when delete role button is clicked', async () => {
       const user = userEvent.setup();
 
@@ -1,14 +1,14 @@
 import { useEffect, useMemo, useState } from 'react';
 import { useNavigate, useParams } from 'react-router-dom';
 import { useIntl } from '@edx/frontend-platform/i18n';
-import { Container, Skeleton } from '@openedx/paragon';
+import { Button, Container, Skeleton } from '@openedx/paragon';
+import { Plus } from '@openedx/paragon/icons';
 import { ROUTES } from '@src/authz-module/constants';
 import { Role } from 'types';
 import { useToastManager } from '@src/authz-module/libraries-manager/ToastManagerContext';
 import AuthZLayout from '../components/AuthZLayout';
 import { useLibraryAuthZ } from './context';
 import RoleCard from '../components/RoleCard';
-import { AssignNewRoleTrigger } from './components/AssignNewRoleModal';
 import ConfirmDeletionModal from './components/ConfirmDeletionModal';
 import { useLibrary, useRevokeUserRoles, useTeamMembers } from '../data/hooks';
 import { buildPermissionMatrixByRole } from './utils';
@@ -154,11 +154,16 @@ const LibrariesUserManager = () => {
         pageTitle={user?.username || ''}
         pageSubtitle={user?.email || ''}
         actions={user && canManageTeam
-          ? [<AssignNewRoleTrigger
-              username={user.username}
-              libraryId={libraryId}
-              currentUserRoles={userRoles.map(role => role.role)}
-          />]
+          ? [
+            <Button
+              key="assign-role-wizard-trigger"
+              iconBefore={Plus}
+              variant="primary"
+              onClick={() => navigate(`/authz/assign-role?scope=${libraryId}&users=${encodeURIComponent(user.username)}`)}
+            >
+              {intl.formatMessage(messages['library.authz.manage.add.role.button'])}
+            </Button>,
+          ]
           : []}
       >
         <Container className="bg-light-200 p-5">