feat(authz): add step 1 for the role assignment wizard

[bra-i-am]

Caution

This PR requires the validation endpoint introduced in the PR openedx/openedx-authz#245

This PR introduces Step 1 of the Role Assignment Wizard, replacing the previous modal-based approach for adding team members.

What's included:

• A new /assign-role route with a two-step Stepper component (AssignRoleWizardPage + AssignRoleWizard)
• Step 1 — Who and Role: users can enter one or more usernames/emails (comma-separated) and select a role. Invalid users are highlighted inline in red via HighlightedUsersInput, a custom textarea with a synchronized overlay layer
• User validation via a new POST /api/authz/v1/users/validate endpoint before advancing to Step 2
• Role options are filtered based on the current user's actual permissions (MANAGE_LIBRARY_TEAM / MANAGE_COURSE_TEAM), with course roles visible but disabled pending a future update
• Step 2 — Where it applies is scaffolded but not yet implemented; it will define the application scope in a follow-up PR
• Constants for library and course roles/permissions are centralized in authz-module/constants.ts and re-exported where needed
• The "Assign Role" button in LibrariesTeamManager now navigates to the wizard instead of opening a modal
  Not in scope for this PR: Step 2 implementation, course role assignment.

Additional Information

Resolves #91

Screenshots

How to test

1. Open the wizard from the home page

1. Navigate to /authz.
2. Click Assign Role in the top-right header.
3. Confirm you land on /authz/assign-role and the wizard Step 1 is shown.

2. Open the wizard pre-filled from the user audit view

1. Navigate to a library team page (/authz/libraries/<lib-id>).
2. Click Assign Role in the header → confirm the wizard opens at /authz/assign-role with the users input empty and from= pointing back to the team page.
3. Go back, click on any team member edit action to open their audit page (/authz/libraries/<lib-id>/<username>).
4. Click Assign Role in the header → confirm the wizard opens with that team member's username already filled in the users input.

3. Role selection

1. Confirm roles are grouped under Courses and Libraries.
2. Select a library role, then click a course role — confirm only one radio is checked at a time.
3. Confirm Course Editor and Course Auditor are visible but disabled (greyed out with a tooltip).

4. Users input — invalid user

1. Type a username that does not exist, select any role, click Next.
2. Confirm the invalid username is highlighted in red inside the input.
3. Confirm the message "X username(s) not associated with an account" appears below.
4. Edit the input → confirm the red highlight and error message both disappear immediately.

5. Advance to Step 2

1. Type a valid username, select a role, and click Next.
2. Confirm the wizard advances to Step 2.
3. Click Back → confirm you return to Step 1 with the username and role still selected.

6. Cancel and breadcrumb return to the originating view

1. Open the wizard from /authz, click Cancel → confirm you land on /authz.
2. Open the wizard from a user audit page, click Cancel → confirm you return to that user audit page, not /authz.
3. Repeat step 2 but click the breadcrumb link instead of Cancel.

AssignRoleWizard — Step 1 Test Coverage

Status	Test
✅	Cancel returns to the previous view
✅	opens with the user pre-populated when provided via initialUsers
❌	shows only course roles when user only has manage_course_team permission
❌	shows only library roles when user only has manage_library_team permission
✅	shows both course and library roles when user has both permissions
✅	selecting a different role replaces the previous selection
✅	blocks progression and highlights the unknown user
✅	advances to Step 2 when all users are valid
✅	shows a network error and blocks progression when the validation call fails
✅	clears the invalid user highlights when the input is edited

[openedx-webhooks]

Thanks for the pull request, @bra-i-am!

This repository is currently maintained by @openedx/committers-frontend.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[codecov]

Codecov Report

❌ Patch coverage is 96.46465% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 96.13%. Comparing base (78f78cc) to head (48da926).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
...odule/role-assignation-wizard/AssignRoleWizard.tsx	91.78%	6 Missing ⚠️
...-module/libraries-manager/LibrariesTeamManager.tsx	75.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #109      +/-   ##
==========================================
+ Coverage   95.88%   96.13%   +0.24%     
==========================================
  Files          70       76       +6     
  Lines        1602     1783     +181     
  Branches      337      385      +48     
==========================================
+ Hits         1536     1714     +178     
- Misses         64       67       +3     
  Partials        2        2              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arbrandes]

What is the PR (or PRs) that introduces the required endpoints? Has it already merged?

[bra-i-am]

@arbrandes, sorry for not including it in the cover letter earlier. The PR is openedx/openedx-authz#245 and has already been merged.

[dcoa]

As a minor comment in the UI can we keep the space between the text area and the feedback?

The design

Currently

Also the background for the form section in the current implementation is white but the design presented in the issue is light - Nothing blocking but I mention it just in case.

[dcoa]

I'm not a big fan of this presentation of the error in terms of the service availability (network errors), because can be confused as a validation error.

I think is better having a separate component for it, maybe a alert on top or maybe the toast message (if still relevant for the redesign)

I would like to have others option including @maguilarUXUI

[maguilarUXUI]

When is happened this kind of error? In the proposal the error happen when the user click next and the user is not part of the initiative

[dcoa]

Yes, and the validation error is presented as is showing in the proposal design. I'm not discussing that.

What I am talking about is error 500, the validation service is not available. I think those ones should be presented in another way, such as Alert on top instead of the red border and red message at the bottom.

@maguilarUXUI

[maguilarUXUI]

In this case I think the best option is a toast with the retry option if is possible.

[bra-i-am]

thanks @dcoa and @maguilarUXUI ✨

I already added the toast:

[jesusbalderramawgu]

is this correct? here you are passing the same function as a retry handler

[bra-i-am]

@jesusbalderramawgu, yees, that's the expected behavior when there is an unexpected error (e.g. 5xx)

#109 (comment)

[jesusbalderramawgu]

not sure but I think you should add here a setValidatedUsers([])
because validateUsers becomes stale if user edits the input after validation

[bra-i-am]

this is already covered; the only way to reach step 2 (where Save is available and a stale validatedUsers really matters) is through validateUsersAndProceed, which always overwrites validatedUsers with the fresh list. Do you think it is better to change it?

[jesusbalderramawgu]

this will trigger on any error change even unrelates one, don't you need to refine it a little bit?
something like
if ((invalidUsers.length > 0 || validationError) && usersInputRef.current)

[jesusbalderramawgu]

here if we have a string "a,,," it passes right?
maybe you could do something like

const parsed = parseUsers(users);
const canProceed = parsed.length > 0 && !!selectedRole;

[jesusbalderramawgu]

this is recreated on every render, I don't see any dependency so you could jus hoist it outside

[jesusbalderramawgu]

missing ARIA attributes

[jesusbalderramawgu]

also, wouldn't be better to use the textarea from paragon? instead of this?

[bra-i-am]

not here... this component deliberately uses a raw <textarea> because it needs pixel-perfect alignment between the textarea and the overlay div for the individual usernames red highlighting. Paragon's Form.Control wraps the textarea in extra markup and applies its own styles, which would break that alignment :(

[jesusbalderramawgu]

for styling you should add paragon classes or if you need custom css, you should add it to the scss files

[jesusbalderramawgu]

please check my comment above about styles

[jesusbalderramawgu]

this has a performance issue, it runs on every render.
you could wrap it in useMemo using roles as dependency

[jesusbalderramawgu]

I suggest this to be safer
(rolesByContext[context] || []).map()

[jesusbalderramawgu]

you could move this outside the component

[jesusbalderramawgu]

the form is missing ARIA attributes

[rodmgwgu]

Tested in my local and functionality looks good, I'll approve once Jesus' comments are addressed. Thanks!

[jacobo-dominguez-wgu]

I do not see where this message is being used.

[jacobo-dominguez-wgu]

Is this TODO still pending?

[bra-i-am]

yep, this handleSave is addressed in the Step 2 PR

[jacobo-dominguez-wgu]

In the figma design, when there is an error, an error icon is shown on the step number, I do not see it implemented.

Figma design:

Actual UI:

[jacobo-dominguez-wgu]

I would suggest a more descriptive name for this folder, like role-assignation-wizard or assign-role-wizard, role-assignation.

[jacobo-dominguez-wgu]

And try to keep the main component files on the root of this folder and for the rest of the components create a /components folder

[rodmgwgu]

Suggested by Claude: In AssignRoleWizardPage.tsx, there's a check raw.startsWith('/') to prevent external URLs. However, //evil.com also starts with / and would be treated as a protocol-relative URL if ever used in an or
window.location. While navigate() from react-router likely handles this safely, the validation should be stricter:

// Current
const returnTo = raw.startsWith('/') ? raw : ROUTES.HOME_PATH;

// Safer — reject protocol-relative URLs
const returnTo = (raw.startsWith('/') && !raw.startsWith('//')) ? raw : ROUTES.HOME_PATH;

The test covers https://evil.com but not //evil.com.

[rodmgwgu]

Perhaps we should guard here and check for validateUsersMutation.isPending, to avoid double invocation which can happen when the user clicks quickly, which could happen even if we are disabling the button (there is a delay while React re-renders the button as disabled), or when this is called on the retry toast.

[rodmgwgu]

This is also defined in src/authz-module/constants.ts, I think we should keep just one.

[rodmgwgu]

I don't see this being used in this PR, can we remove?

[bra-i-am]

@rodmgwgu, @jesusbalderramawgu, @jacobo-dominguez-wgu thank you for your help reviewing this — I’ve addressed the feedback you shared. Please let me know if there’s anything else that should be resolved.

I’ll let the tests run, and I’ll take care of any issues tomorrow morning if anything comes up.

[jacobo-dominguez-wgu]

Thank you so much! I have tested it with manual valid and invalid usernames and emails input and with a preset user everything seems to be working well.

[jacobo-dominguez-wgu]

Lets wait til tomorrow for @rodmgwgu´s comments before merging.

[jacobo-dominguez-wgu]

Just a nit in this component, so many local states can be better handled with a useReducer or even use react context, but lets do that in an upcoming issue.

[arbrandes]

Thank for the test instructions, everything works exactly as described!

[rodmgwgu]

Thanks!