squash!: Support specifying multiple admin view and manage permissions on scope data

Author: rodmgwgu

openedx_authz/api/data.py

@@ -355,31 +355,37 @@ def validate_external_key(cls, _: str) -> bool:
 
     @classmethod
     @abstractmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """Get the permission required to view this scope
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view this scope.
 
         This method should be implemented on every ScopeData subclass to define
-        which permission to check against when a user tries to see assignations
+        which permissions to check against when a user tries to see assignations
         related to this scope in the Admin Console.
 
+        The consumer uses OR logic: if the user has any one of the returned
+        permissions, access is granted. An empty list means access is denied.
+
         Returns:
-            PermissionData: The permission required to view this scope in the admin console.
+            list[PermissionData]: The permissions required to view this scope in the admin console.
         """
-        raise NotImplementedError("Subclasses must implement get_admin_view_permission method.")
+        raise NotImplementedError("Subclasses must implement get_admin_view_permissions method.")
 
     @classmethod
     @abstractmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """Get the permission required to manage this scope
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to manage this scope.
 
         This method should be implemented on every ScopeData subclass to define
-        which permission to check against when a user tries to manage assignations
+        which permissions to check against when a user tries to manage assignations
         related to this scope in the Admin Console.
 
+        The consumer uses OR logic: if the user has any one of the returned
+        permissions, access is granted. An empty list means access is denied.
+
         Returns:
-            PermissionData: The permission required to manage this scope in the admin console.
+            list[PermissionData]: The permissions required to manage this scope in the admin console.
         """
-        raise NotImplementedError("Subclasses must implement get_admin_manage_permission method.")
+        raise NotImplementedError("Subclasses must implement get_admin_manage_permissions method.")
 
     @abstractmethod
     def get_object(self) -> Any | None:
@@ -452,28 +458,28 @@ def validate_external_key(cls, external_key: str) -> bool:
         return external_key == GLOBAL_SCOPE_WILDCARD
 
     @classmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """No admin view permission for the global scope.
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view the global scope.
 
-        Global scope assignments are managed exclusively by superadmins
-        at the REST API layer, so no granular permission is needed.
+        Since the global scope spans all resource types, a user needs any one
+        of the scope-specific view permissions to be granted access.
 
         Returns:
-            None
+            list[PermissionData]: VIEW_LIBRARY_TEAM or COURSES_VIEW_COURSE_TEAM (OR logic).
         """
-        return VIEW_LIBRARY_TEAM
+        return [VIEW_LIBRARY_TEAM, COURSES_VIEW_COURSE_TEAM]
 
     @classmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """No admin manage permission for the global scope.
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """No manage permissions for the global scope.
 
-        Global scope assignments are managed exclusively by superadmins
-        at the REST API layer, so no granular permission is needed.
+        Global scope management is restricted to superadmins at the REST API
+        layer, so no granular permission grants access.
 
         Returns:
-            None
+            list[PermissionData]: Empty list — access is always denied via permissions.
         """
-        return None
+        return []
 
     def get_object(self) -> None:
         """The global wildcard scope does not map to a concrete domain object.
@@ -566,22 +572,22 @@ def validate_external_key(cls, external_key: str) -> bool:
             return False
 
     @classmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """Get the permission required to view this scope
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view this scope.
 
         Returns:
-            PermissionData: The permission required to view this scope in the admin console.
+            list[PermissionData]: The permissions required to view this scope in the admin console.
         """
-        return VIEW_LIBRARY_TEAM
+        return [VIEW_LIBRARY_TEAM]
 
     @classmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """Get the permission required to manage this scope
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to manage this scope.
 
         Returns:
-            PermissionData: The permission required to manage this scope in the admin console.
+            list[PermissionData]: The permissions required to manage this scope in the admin console.
         """
-        return MANAGE_LIBRARY_TEAM
+        return [MANAGE_LIBRARY_TEAM]
 
     def get_object(self) -> ContentLibrary | None:
         """Retrieve the ContentLibrary instance associated with this scope.
@@ -697,22 +703,22 @@ def validate_external_key(cls, external_key: str) -> bool:
             return False
 
     @classmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """Get the permission required to view this scope
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view this scope.
 
         Returns:
-            PermissionData: The permission required to view this scope in the admin console.
+            list[PermissionData]: The permissions required to view this scope in the admin console.
         """
-        return COURSES_VIEW_COURSE_TEAM
+        return [COURSES_VIEW_COURSE_TEAM]
 
     @classmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """Get the permission required to manage this scope
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to manage this scope.
 
         Returns:
-            PermissionData: The permission required to manage this scope in the admin console.
+            list[PermissionData]: The permissions required to manage this scope in the admin console.
         """
-        return COURSES_MANAGE_COURSE_TEAM
+        return [COURSES_MANAGE_COURSE_TEAM]
 
     def get_object(self) -> CourseOverview | None:
         """Retrieve the CourseOverview instance associated with this scope.
@@ -821,13 +827,13 @@ def validate_external_key(cls, external_key: str) -> bool:
         return True
 
     @classmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """Get the permission required to view this scope
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view this scope.
 
         Returns:
-            PermissionData: The permission required to view this scope in the admin console.
+            list[PermissionData]: The permissions required to view this scope in the admin console.
         """
-        raise NotImplementedError("Subclasses must implement get_admin_view_permission method.")
+        raise NotImplementedError("Subclasses must implement get_admin_view_permissions method.")
 
     @classmethod
     def build_external_key(cls, org: str) -> str:
@@ -848,13 +854,13 @@ def build_external_key(cls, org: str) -> str:
         return f"{cls.NAMESPACE}{EXTERNAL_KEY_SEPARATOR}{org}{cls.ID_SEPARATOR}{GLOBAL_SCOPE_WILDCARD}"
 
     @classmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """Get the permission required to manage this scope
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to manage this scope.
 
         Returns:
-            PermissionData: The permission required to manage this scope in the admin console.
+            list[PermissionData]: The permissions required to manage this scope in the admin console.
         """
-        raise NotImplementedError("Subclasses must implement get_admin_manage_permission method.")
+        raise NotImplementedError("Subclasses must implement get_admin_manage_permissions method.")
 
     @classmethod
     def get_org(cls, external_key: str) -> str | None:
@@ -946,22 +952,22 @@ class OrgContentLibraryGlobData(OrgGlobData):
     ID_SEPARATOR: ClassVar[str] = ":"
 
     @classmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """Get the permission required to view this scope
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view this scope.
 
         Returns:
-            PermissionData: The permission required to view this scope in the admin console.
+            list[PermissionData]: The permissions required to view this scope in the admin console.
         """
-        return VIEW_LIBRARY_TEAM
+        return [VIEW_LIBRARY_TEAM]
 
     @classmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """Get the permission required to manage this scope
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to manage this scope.
 
         Returns:
-            PermissionData: The permission required to manage this scope in the admin console.
+            list[PermissionData]: The permissions required to manage this scope in the admin console.
         """
-        return MANAGE_LIBRARY_TEAM
+        return [MANAGE_LIBRARY_TEAM]
 
 
 @define
@@ -1004,22 +1010,22 @@ class OrgCourseOverviewGlobData(OrgGlobData):
     ID_SEPARATOR: ClassVar[str] = "+"
 
     @classmethod
-    def get_admin_view_permission(cls) -> PermissionData:
-        """Get the permission required to view this scope
+    def get_admin_view_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to view this scope.
 
         Returns:
-            PermissionData: The permission required to view this scope in the admin console.
+            list[PermissionData]: The permissions required to view this scope in the admin console.
         """
-        return COURSES_VIEW_COURSE_TEAM
+        return [COURSES_VIEW_COURSE_TEAM]
 
     @classmethod
-    def get_admin_manage_permission(cls) -> PermissionData:
-        """Get the permission required to manage this scope
+    def get_admin_manage_permissions(cls) -> list[PermissionData]:
+        """Get the permissions required to manage this scope.
 
         Returns:
-            PermissionData: The permission required to manage this scope in the admin console.
+            list[PermissionData]: The permissions required to manage this scope in the admin console.
         """
-        return COURSES_MANAGE_COURSE_TEAM
+        return [COURSES_MANAGE_COURSE_TEAM]
 
 
 class CCXCourseOverviewData(CourseOverviewData):

openedx_authz/api/users.py

@@ -272,21 +272,24 @@ def _filter_allowed_assignments(
 ) -> list[RoleAssignmentData]:
     """
     Filter the given role assignments to only include those that the user has permission to view.
+
+    Uses OR logic: if the user has any one of the scope's admin view permissions, the
+    assignment is included.
     """
     if not user_external_key:
         # If no user is specified, return all assignments
         return assignments
     allowed_assignments: list[RoleAssignmentData] = []
     for assignment in assignments:
-        permission = None
-
-        # Get the permission needed to view the specific scope in the admin console
-        permission = assignment.scope.get_admin_view_permission().identifier
+        view_permissions = assignment.scope.get_admin_view_permissions()
 
-        if permission and is_user_allowed(
-            user_external_key=user_external_key,
-            action_external_key=permission,
-            scope_external_key=assignment.scope.external_key,
+        if view_permissions and any(
+            is_user_allowed(
+                user_external_key=user_external_key,
+                action_external_key=perm.identifier,
+                scope_external_key=assignment.scope.external_key,
+            )
+            for perm in view_permissions
         ):
             allowed_assignments.append(assignment)
 

openedx_authz/rest_api/v1/views.py

@@ -781,7 +781,7 @@ def _get_allowed_scope_queryset(
         username: str,
         scope_cls: type,
         glob_cls: type,
-        get_permission: callable,
+        get_permissions: callable,
         queryset_builder: callable,
         extract_ids: callable,
         search: str = "",
@@ -790,15 +790,15 @@ def _get_allowed_scope_queryset(
         """Resolve allowed scopes from Casbin and return a filtered queryset.
 
         This helper encapsulates the shared pattern of:
-        1. Fetching allowed scopes for a user and permission.
+        1. Fetching allowed scopes for a user across any of the scope's permissions (OR logic).
         2. Partitioning them into specific IDs vs org-level globs.
         3. Delegating to the appropriate queryset builder.
 
         Args:
             username: The username to check permissions for.
             scope_cls: The concrete scope data class (e.g., CourseOverviewData).
             glob_cls: The org-level glob class (e.g., OrgCourseOverviewGlobData).
-            get_permission: Callable that returns the permission for a scope class.
+            get_permissions: Callable that returns a list of permissions for a scope class.
             queryset_builder: Callable that builds the filtered queryset (e.g., _get_courses_queryset).
             extract_ids: Callable that extracts specific IDs from non-glob scopes.
             search: Optional search term to filter by display name.
@@ -807,10 +807,19 @@ def _get_allowed_scope_queryset(
         Returns:
             QuerySet: The filtered queryset projected to the unified scope shape.
         """
-        allowed_scopes = get_scopes_for_user_and_permission(username, get_permission(scope_cls).identifier)
-        specific_scopes = [s for s in allowed_scopes if not isinstance(s, glob_cls)]
+        # Collect allowed scopes across all permissions (OR logic)
+        all_allowed_scopes = []
+        seen = set()
+        for perm in get_permissions(scope_cls):
+            for scope in get_scopes_for_user_and_permission(username, perm.identifier):
+                key = scope.namespaced_key
+                if key not in seen:
+                    seen.add(key)
+                    all_allowed_scopes.append(scope)
+
+        specific_scopes = [s for s in all_allowed_scopes if not isinstance(s, glob_cls)]
         allowed_ids = extract_ids(specific_scopes)
-        allowed_orgs = {s.org for s in allowed_scopes if isinstance(s, glob_cls)}
+        allowed_orgs = {s.org for s in all_allowed_scopes if isinstance(s, glob_cls)}
         return queryset_builder(allowed_ids, allowed_orgs, search=search, org=org)
 
     def _build_queryset(self, courses_qs: QuerySet | None, libraries_qs: QuerySet | None) -> QuerySet:
@@ -852,9 +861,11 @@ def get_queryset(self) -> QuerySet:
 
         management_only = params_serializer.validated_data["management_permission_only"]
 
-        # Determine which permission to check based on the query parameter.
-        def get_permission(scope_cls):
-            return scope_cls.get_admin_manage_permission() if management_only else scope_cls.get_admin_view_permission()
+        # Determine which permissions to check based on the query parameter.
+        def get_permissions(scope_cls):
+            return (
+                scope_cls.get_admin_manage_permissions() if management_only else scope_cls.get_admin_view_permissions()
+            )
 
         # Resolve allowed scopes from Casbin and build filtered querysets.
         courses_qs = None
@@ -863,7 +874,7 @@ def get_permission(scope_cls):
                 username=user.username,
                 scope_cls=CourseOverviewData,
                 glob_cls=OrgCourseOverviewGlobData,
-                get_permission=get_permission,
+                get_permissions=get_permissions,
                 queryset_builder=self._get_courses_queryset,
                 extract_ids=lambda scopes: {s.external_key for s in scopes},
                 search=search,
@@ -876,7 +887,7 @@ def get_permission(scope_cls):
                 username=user.username,
                 scope_cls=ContentLibraryData,
                 glob_cls=OrgContentLibraryGlobData,
-                get_permission=get_permission,
+                get_permissions=get_permissions,
                 queryset_builder=self._get_libraries_queryset,
                 extract_ids=lambda scopes: {
                     (s.external_key.split(":")[1], s.external_key.split(":")[2]) for s in scopes

openedx_authz/tests/api/test_data.py

@@ -370,7 +370,7 @@ def test_scope_validate_external_key(self, external_key, expected_valid, expecte
         "unknown:DemoX:*",
     )
     def test_get_subclass_by_external_key_unknown_scope_raises_value_error(self, external_key):
-        """Inknown namespace should raise ValueError, including wildcard keys."""
+        """Unknown namespace should raise ValueError, including wildcard keys."""
         with self.assertRaises(ValueError):
             ScopeMeta.get_subclass_by_external_key(external_key)
 
@@ -410,7 +410,7 @@ def exists(self) -> bool:
                     return False
 
                 @classmethod
-                def get_admin_view_permission(cls):
+                def get_admin_view_permissions(cls):
                     raise NotImplementedError("Not implemented for TempScope")
 
             # Metaclass should have recreated the registries on the class