refactor: Use RequestCache for RBAC admin matcher

By using the RequestCache instead of the Django cache we are able to
have a thread-local memory copy of the user's superuser / staff state
that exists only for the length of the request. This will save a large
number of round trips to the cache backend.

Author: Tycho Hob

Makefile

@@ -37,6 +37,7 @@ PIP_COMPILE = pip-compile $(PIP_COMPILE_OPTS)
 
 compile-requirements: ## compile the requirements/*.txt files with the latest packages satisfying requirements/*.in
 	pip install -qr requirements/pip-tools.txt
+	pip install -qr requirements/pip.txt
 	pip-compile -v ${COMPILE_OPTS} --allow-unsafe --rebuild -o requirements/pip.txt requirements/pip.in
 	pip-compile -v ${COMPILE_OPTS} -o requirements/pip-tools.txt requirements/pip-tools.in
 	pip install -qr requirements/pip.txt

openedx_authz/engine/matcher.py

@@ -1,14 +1,11 @@
 """Custom condition checker. Note only used for data_library scope"""
 
 from django.contrib.auth import get_user_model
-from django.core.cache import cache
+from edx_django_utils.cache import RequestCache
 
 from openedx_authz.api.data import ContentLibraryData, ScopeData, UserData
 from openedx_authz.rest_api.utils import get_user_by_username_or_email
 
-RBAC_ADMIN_CACHE_KEY_FMT = "rbac_is_admin_or_superuser_{username}"
-RBAC_ADMIN_CACHE_TIMEOUT_SECS = 2
-
 User = get_user_model()
 
 
@@ -33,26 +30,23 @@ def is_admin_or_superuser_check(request_user: str, request_action: str, request_
 
     scope = ScopeData(namespaced_key=request_scope)
     username = UserData(namespaced_key=request_user).external_key
+    request_cache = RequestCache("rbac_is_admin_or_superuser")
 
     # TODO: This special case for superuser and staff users is currently only for
     # content libraries. See: https://github.com/openedx/openedx-authz/issues/87
     if not isinstance(scope, ContentLibraryData):
         return False
 
-    cache_key = RBAC_ADMIN_CACHE_KEY_FMT.format(username=username)
-    is_allowed = cache.get(cache_key)
-
-    if is_allowed is not None:
-        return is_allowed
+    cached_response = request_cache.get_cached_response(username)
+    if cached_response.is_found:
+        return cached_response.value
 
     try:
         user = get_user_by_username_or_email(username)
     except User.DoesNotExist:
         return False
 
     is_allowed = user.is_staff or user.is_superuser
-
-    # TODO: Make this cache timeout configurable
-    cache.set(cache_key, is_allowed, RBAC_ADMIN_CACHE_TIMEOUT_SECS)
+    request_cache.set(username, is_allowed)
 
     return is_allowed

openedx_authz/settings/test.py

@@ -44,6 +44,7 @@ def plugin_settings(settings):  # pylint: disable=unused-argument
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
+    "edx_django_utils.cache.middleware.RequestCacheMiddleware",
 ]
 
 TEMPLATES = [

requirements/base.in

@@ -9,4 +9,5 @@ pycasbin                    # Authorization library for implementing access cont
 casbin-django-orm-adapter   # Adapter for Django ORM for Casbin
 edx-opaque-keys             # Opaque keys for resource identification
 edx-api-doc-tools           # Tools for API documentation
+edx-django-utils            # Used for RequestCache
 edx-drf-extensions          # Extensions for Django Rest Framework used by Open edX

requirements/base.txt

@@ -19,7 +19,9 @@ cffi==2.0.0
 charset-normalizer==3.4.3
     # via requests
 click==8.3.0
-    # via edx-django-utils
+    # via
+    #   -c requirements/constraints.txt
+    #   edx-django-utils
 cryptography==46.0.2
     # via pyjwt
 django==4.2.24
@@ -57,7 +59,9 @@ drf-yasg==1.21.11
 edx-api-doc-tools==2.1.0
     # via -r requirements/base.in
 edx-django-utils==8.0.1
-    # via edx-drf-extensions
+    # via
+    #   -r requirements/base.in
+    #   edx-drf-extensions
 edx-drf-extensions==10.6.0
     # via -r requirements/base.in
 edx-opaque-keys==3.0.0

requirements/constraints.txt

@@ -10,3 +10,6 @@
 
 # Common constraints for edx repos
 -c https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt
+
+# Different packages want different versions of click, we force the most compatible one here
+click==8.3.0

requirements/dev.txt

@@ -45,6 +45,7 @@ charset-normalizer==3.4.3
     #   requests
 click==8.3.0
     # via
+    #   -c requirements/constraints.txt
     #   -r requirements/pip-tools.txt
     #   -r requirements/quality.txt
     #   click-log
@@ -196,7 +197,7 @@ packaging==25.0
     #   tox
 path==16.16.0
     # via edx-i18n-tools
-pip-tools==7.5.1
+pip-tools==7.5.2
     # via -r requirements/pip-tools.txt
 platformdirs==4.4.0
     # via

requirements/doc.txt

@@ -41,6 +41,7 @@ charset-normalizer==3.4.3
     #   requests
 click==8.3.0
     # via
+    #   -c requirements/constraints.txt
     #   -r requirements/test.txt
     #   code-annotations
     #   edx-django-utils

requirements/pip-tools.txt

@@ -7,10 +7,12 @@
 build==1.3.0
     # via pip-tools
 click==8.3.0
-    # via pip-tools
+    # via
+    #   -c requirements/constraints.txt
+    #   pip-tools
 packaging==25.0
     # via build
-pip-tools==7.5.1
+pip-tools==7.5.2
     # via -r requirements/pip-tools.in
 pyproject-hooks==1.2.0
     # via

requirements/pip.txt

@@ -9,6 +9,8 @@ wheel==0.45.1
 
 # The following packages are considered to be unsafe in a requirements file:
 pip==25.2
-    # via -r requirements/pip.in
+    # via
+    #   -c https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt
+    #   -r requirements/pip.in
 setuptools==80.9.0
     # via -r requirements/pip.in