feat(page-and-resources): implement view and edit permission checks#3031

Open: bra-i-am wants to merge 10 commits into openedx:master from eduNEXT:bc/implement-pages-and-resourcer-permissions

Conversation

bra-i-am (Contributor) commented Apr 27, 2026

Description

Implements read-only access (RBAC) for the course_auditor role across the Pages and Resources and Advanced Settings sections.

This PR closes #2933 and additionally extends VIEW permissions to the Advanced Settings section, which was not originally scoped in the issue but required the same treatment for consistency.

What this PR does

Pages and Resources (closes #2933)

  • Adds VIEW_PAGES_AND_RESOURCES permission constant to src/authz/constants.ts
  • Creates getPagesAndResourcesPermissions helper in src/authz/permissionHelpers.ts to fetch user permissions from the authz backend
  • Computes isEditable from resolved permissions: !isAuthzEnabled || !!canManagePagesAndResources
    • When Authz is disabled: isEditable = true — legacy behavior fully preserved
    • When Authz is enabled: isEditable is true only for users with MANAGE permission
  • Propagates isEditable through PagesAndResourcesContext to all child components
  • Applies disabled={!isEditable} to all interactive elements:
    • App cards (discussions, progress, etc.) in AppCard.jsx
    • "Next" button in AppListNextButton.jsx
    • App list in AppList.jsx
    • Page setting buttons in PageSettingButton.jsx
    • App settings modal controls in AppSettingsModal.jsx
    • Progress plugin settings in plugins/course-apps/progress/Settings.jsx
  • Adds a unified PermissionDeniedAlert gate for users who lack both VIEW and MANAGE permissions

Advanced Settings (additional scope)

  • Adds VIEW_ADVANCED_SETTINGS permission constant to src/authz/constants.ts
  • Extends AdvancedSettings.tsx to fetch and respect the isEditable flag, disabling all setting cards and inputs when the user only has VIEW permission
  • Updates SettingCard.tsx to accept and forward a disabled prop to its inner inputs

Role impact

| Role | Pages & Resources | Advanced Settings |
|---|---|---|
| course_auditor | View only (all inputs disabled) | View only (all inputs disabled) |
| course_editor / course_staff / course_admin | Full access (no change) | Full access (no change) |
| Any role, Authz disabled | Full access — legacy behavior unchanged | Full access — legacy behavior unchanged |

Dependencies

This PR is part of a 3-layer change and requires the following backend PRs to be merged first:

| PR | Repo | What it does |
|---|---|---|
| openedx-authz#272 | openedx-authz | Adds COURSES_VIEW_ADVANCED_SETTINGS permission constant; assigns it to course_auditor and course_editor roles in the policy engine |
| openedx-platform#38462 | openedx-platform | Refactors check_course_advanced_settings_access() in student/auth.py to return full-access for MANAGE permission holders and read-only access for VIEW-only holders (auditors); preserves legacy fallback when AUTHZ_COURSE_AUTHORING_FLAG is disabled |

Testing instructions

  1. Enable the AUTHZ_COURSE_AUTHORING_FLAG feature flag.
  2. Assign the course_auditor role to a test user for a specific course.
  3. Log in as that user and navigate to Pages and Resources:
    • All toggle switches, "Save" buttons, and app cards must be non-interactive.
    • The "Next" button in the discussions app list must be disabled.
    • The "Hide Discussion Tab" switch must be disabled.
    • The Progress plugin settings form must be disabled.
  4. Navigate to Advanced Settings:
    • All setting cards and their inputs must be disabled.
  5. Log in as a course_editor and verify full write access is still present on both pages.
  6. Disable AUTHZ_COURSE_AUTHORING_FLAG and verify the legacy fallback still works correctly.

Best Practices Checklist

  • New files use TypeScript (src/authz/permissionHelpers.test.ts)
  • Uses React Context (PagesAndResourcesContext) to propagate isEditable — no prop drilling
  • No new Redux state added
  • Uses existing patterns from the codebase
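A pure-function model of the access rules the description above lays out (legacy full access when Authz is off, fail-closed default while permissions are unresolved, edit only with MANAGE, denied alert only when both VIEW and MANAGE are missing). This is an added illustration, not code from the PR; the `MANAGE_*` permission names, the `Section` type and `resolveAccess` are assumptions.

```typescript
// Added example, not the PR's own code. The VIEW_* names appear in the PR;
// the MANAGE_* names, Section and resolveAccess are assumed for illustration.
type Section = 'pagesAndResources' | 'advancedSettings';

const SECTION_PERMISSIONS: Record<Section, { view: string; manage: string }> = {
  pagesAndResources: {
    view: 'VIEW_PAGES_AND_RESOURCES',
    manage: 'MANAGE_PAGES_AND_RESOURCES', // assumed name
  },
  advancedSettings: {
    view: 'VIEW_ADVANCED_SETTINGS',
    manage: 'MANAGE_ADVANCED_SETTINGS', // assumed name
  },
};

interface AccessState {
  isEditable: boolean;           // drives disabled={!isEditable} on inputs
  showPermissionDenied: boolean; // gate that renders PermissionDeniedAlert
}

// `permissions` is undefined while the authz backend has not answered yet.
function resolveAccess(
  section: Section,
  isAuthzEnabled: boolean,
  permissions: string[] | undefined,
): AccessState {
  // Authz disabled: legacy behaviour, the page is fully editable.
  if (!isAuthzEnabled) {
    return { isEditable: true, showPermissionDenied: false };
  }
  // Permissions not resolved yet: fail closed on editing, but do not show
  // the denied alert before the backend has actually answered.
  if (permissions === undefined) {
    return { isEditable: false, showPermissionDenied: false };
  }
  const { view, manage } = SECTION_PERMISSIONS[section];
  const canManage = permissions.includes(manage);
  const canView = permissions.includes(view);
  return {
    // Equivalent to the PR's !isAuthzEnabled || !!canManage, since Authz
    // is known to be enabled on this path.
    isEditable: canManage,
    // Unified gate: only users lacking both VIEW and MANAGE are denied.
    showPermissionDenied: !canView && !canManage,
  };
}
```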

@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Apr 27, 2026
openedx-webhooks commented Apr 27, 2026

Thanks for the pull request, @bra-i-am!

This repository is currently maintained by @bradenmacdonald.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@github-project-automation github-project-automation Bot moved this to Needs Triage in Contributions Apr 27, 2026
@bra-i-am bra-i-am changed the title from "Bc/implement pages and resourcer permissions" to "feat(pages-and-resources): add read-only access for course_auditor role" Apr 27, 2026
- Add VIEW_ADVANCED_SETTINGS and PAGE_AND_RESOURCES permissions
- Add getPagesAndResourcesPermissions helper
- Calculate isEditable and isReadOnly from user permissions
- Propagate isEditable via PagesAndResourcesContext
- Add disabled={!isEditable} to all forms, toggles, and buttons
- Update AppCard and AppListNextButton with isEditable logic
- Change default isEditable to false (fail closed)
- Add unified permission gate showing PermissionDeniedAlert
@bra-i-am bra-i-am force-pushed the bc/implement-pages-and-resourcer-permissions branch from 5bf47e2 to bf1f32a Compare April 27, 2026 23:41
@bra-i-am bra-i-am marked this pull request as ready for review April 27, 2026 23:41
@bra-i-am bra-i-am marked this pull request as draft April 27, 2026 23:42
@bra-i-am bra-i-am force-pushed the bc/implement-pages-and-resourcer-permissions branch from 27c140e to 2768600 Compare April 28, 2026 16:37
codecov Bot commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.52%. Comparing base (3b4ae21) to head (fa1867f).
⚠️ Report is 8 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3031      +/-   ##
==========================================
+ Coverage   95.47%   95.52%   +0.05%     
==========================================
  Files        1383     1392       +9     
  Lines       32597    32923     +326     
  Branches     7466     7578     +112     
==========================================
+ Hits        31121    31450     +329     
+ Misses       1407     1406       -1     
+ Partials       69       67       -2     

☔ View full report in Codecov by Sentry.

@bra-i-am bra-i-am force-pushed the bc/implement-pages-and-resourcer-permissions branch 2 times, most recently from 7bed3bd to c842c4a Compare April 28, 2026 21:38
@mphilbrick211 mphilbrick211 moved this from Needs Triage to Waiting on Author in Contributions Apr 29, 2026
@bra-i-am bra-i-am force-pushed the bc/implement-pages-and-resourcer-permissions branch from 05d2b74 to 8d98c60 Compare April 29, 2026 14:52
@bra-i-am bra-i-am force-pushed the bc/implement-pages-and-resourcer-permissions branch from 8d98c60 to 699af15 Compare April 29, 2026 14:55
bra-i-am (Contributor, Author) commented in a review:

This change disables this:

(image)

bra-i-am (Contributor, Author) commented in a review:

This change disables these inputs:

(image)

@bra-i-am bra-i-am changed the title from "feat(pages-and-resources): add read-only access for course_auditor role" to "feat(page-and-resources): implement view and edit permission checks" Apr 30, 2026
@bra-i-am bra-i-am marked this pull request as ready for review April 30, 2026 14:26
@bra-i-am bra-i-am requested review from dcoa and rodmgwgu April 30, 2026 14:26
Labels

open-source-contribution PR author is not from Axim or 2U

Projects

Status: Waiting on Author

Development

Successfully merging this pull request may close these issues.

Task - RBAC Authz - Implement frontend check for Pages and resources page

3 participants