refactor: extract scope/role validation into reusable helper in RoleScopeValidationMixin

ccantillo · ccantillo · commit 2d5ab84a1597 · 2026-04-16T12:49:41.000-05:00
diff --git a/openedx_authz/rest_api/v1/serializers.py b/openedx_authz/rest_api/v1/serializers.py
@@ -76,28 +76,17 @@ class PermissionValidationResponseSerializer(PermissionValidationSerializer):  #
 class RoleScopeValidationMixin(serializers.Serializer):  # pylint: disable=abstract-method
     """Mixin providing role and scope validation logic."""
 
-    def validate(self, attrs) -> dict:
-        """Validate that the specified role and scope are valid and that the role exists in the scope.
-
-        This method performs the following validations:
-        1. Validates that the scope is registered in the scope registry
-        2. Validates that the scope exists in the system
-        3. Validates that the role is defined into the roles assigned to the scope
+    def _validate_scope_and_role(self, scope_value: str, role_value: str) -> None:
+        """Validate that a single scope exists and the role is defined in it.
 
         Args:
-            attrs: Dictionary containing 'role' and 'scope' keys with their string values.
-
-        Returns:
-            dict: The validated data dictionary with 'role' and 'scope' keys.
+            scope_value: The scope string to validate.
+            role_value: The role string to validate against the scope.
 
         Raises:
             serializers.ValidationError: If the scope is not registered, doesn't exist,
                 or if the role is not defined in the scope.
         """
-        validated_data = super().validate(attrs)
-        scope_value = validated_data["scope"]
-        role_value = validated_data["role"]
-
         try:
             scope = api.ScopeData(external_key=scope_value)
         except ValueError as exc:
@@ -113,10 +102,31 @@ def validate(self, attrs) -> dict:
         if role not in role_definitions:
             raise serializers.ValidationError({"role": f"Role '{role_value}' does not exist in scope '{scope_value}'"})
 
+    def validate(self, attrs) -> dict:
+        """Validate that the specified role and scope are valid and that the role exists in the scope.
+
+        This method performs the following validations:
+        1. Validates that the scope is registered in the scope registry
+        2. Validates that the scope exists in the system
+        3. Validates that the role is defined into the roles assigned to the scope
+
+        Args:
+            attrs: Dictionary containing 'role' and 'scope' keys with their string values.
+
+        Returns:
+            dict: The validated data dictionary with 'role' and 'scope' keys.
+
+        Raises:
+            serializers.ValidationError: If the scope is not registered, doesn't exist,
+                or if the role is not defined in the scope.
+        """
+        validated_data = super().validate(attrs)
+        self._validate_scope_and_role(validated_data["scope"], validated_data["role"])
         return validated_data
 
 
 class AddUsersToRoleWithScopeSerializer(
+    RoleScopeValidationMixin,
     RoleMixin,
     ScopeMixin,
 ):  # pylint: disable=abstract-method
@@ -136,15 +146,15 @@ class AddUsersToRoleWithScopeSerializer(
     users = serializers.ListField(child=serializers.CharField(max_length=255), allow_empty=False)
 
     def validate_users(self, value) -> list[str]:
-        """Eliminate duplicates preserving order"""
+        """Eliminate duplicates preserving order."""
         return list(dict.fromkeys(value))
 
     def validate(self, attrs) -> dict:
         """Validate that exactly one of 'scope'/'scopes' is provided and that every
         scope exists in the registry, exists in the system, and supports the role.
         Returns validated data with a unified ``scopes`` list of strings.
         """
-        validated_data = super().validate(attrs)
+        validated_data = super(RoleScopeValidationMixin, self).validate(attrs)
         scope = validated_data.get("scope")
         scopes = validated_data.get("scopes")
         role_value = validated_data["role"]
@@ -161,22 +171,7 @@ def validate(self, attrs) -> dict:
             )
 
         for scope_value in scopes_list:
-            try:
-                scope_obj = api.ScopeData(external_key=scope_value)
-            except ValueError as exc:
-                raise serializers.ValidationError({"scope": str(exc)}) from exc
-
-            if not scope_obj.exists():
-                raise serializers.ValidationError({"scope": f"Scope '{scope_value}' does not exist"})
-
-            role_obj = api.RoleData(external_key=role_value)
-            generic_scope = get_generic_scope(scope_obj)
-            role_definitions = api.get_role_definitions_in_scope(generic_scope)
-
-            if role_obj not in role_definitions:
-                raise serializers.ValidationError(
-                    {"role": f"Role '{role_value}' does not exist in scope '{scope_value}'"}
-                )
+            self._validate_scope_and_role(scope_value, role_value)
 
         validated_data.pop("scope", None)
         validated_data["scopes"] = scopes_list
