refactor: address PR reviews

Author: mariajgrimaldi

openedx_authz/engine/config/model.conf

@@ -92,4 +92,4 @@ e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
 # 1. Subject must have role in scope OR global role
 # 2. Scope must match pattern
 # 3. Action must match OR inherit via action grouping
-m = custom_check(r.sub, r.act, r.scope) || (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.scope, p.scope) && (r.act == p.act || g2(p.act, r.act))
+m = is_staff_or_superuser(r.sub, r.act, r.scope) || (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.scope, p.scope) && (r.act == p.act || g2(p.act, r.act))

openedx_authz/engine/enforcer.py

@@ -22,7 +22,7 @@
 from django.conf import settings
 
 from openedx_authz.engine.adapter import ExtendedAdapter
-
+from openedx_authz.engine.matcher import is_admin_or_superuser_check
 
 def libraries_v2_enabled() -> bool:
     """Dummy toggle that is always enabled."""
@@ -182,9 +182,6 @@ def _initialize_enforcer(cls) -> SyncedEnforcer:
         Returns:
             SyncedEnforcer: Configured Casbin enforcer with adapter and auto-sync
         """
-        # Avoid circular import
-        from openedx_authz.engine.matcher import check_custom_conditions  # pylint: disable=import-outside-toplevel
-
         db_alias = getattr(settings, "CASBIN_DB_ALIAS", "default")
 
         try:
@@ -198,6 +195,6 @@ def _initialize_enforcer(cls) -> SyncedEnforcer:
 
         adapter = ExtendedAdapter()
         enforcer = SyncedEnforcer(settings.CASBIN_MODEL, adapter)
-        enforcer.add_function("custom_check", check_custom_conditions)
+        enforcer.add_function("is_staff_or_superuser", is_admin_or_superuser_check)
 
         return enforcer

openedx_authz/engine/matcher.py

@@ -8,7 +8,7 @@
 User = get_user_model()
 
 
-def check_custom_conditions(request_user: str, request_action: str, request_scope: str) -> bool:  # pylint: disable=unused-argument
+def is_admin_or_superuser_check(request_user: str, request_action: str, request_scope: str) -> bool:  # pylint: disable=unused-argument
     """
     Evaluates custom, non-role-based conditions for authorization checks.
 

openedx_authz/tests/test_enforcement.py

@@ -16,7 +16,7 @@
 
 from openedx_authz import ROOT_DIRECTORY
 from openedx_authz.constants import roles
-from openedx_authz.engine.matcher import check_custom_conditions
+from openedx_authz.engine.matcher import is_admin_or_superuser_check
 from openedx_authz.tests.test_utils import (
     make_action_key,
     make_library_key,
@@ -71,7 +71,7 @@ def setUpClass(cls) -> None:
             raise FileNotFoundError(f"Model file not found: {model_file}")
 
         cls.enforcer = casbin.Enforcer(model_file)
-        cls.enforcer.add_function("custom_check", check_custom_conditions)
+        cls.enforcer.add_function("is_staff_or_superuser", is_admin_or_superuser_check)
 
     def _load_policy(self, policy: list[str]) -> None:
         """
@@ -586,10 +586,10 @@ def test_wildcard_library_access(self, scope: str, expected_result: bool):
 @ddt
 class StaffSuperuserAccessTests(CasbinEnforcementTestCase):
     """
-    Tests for staff and superuser automatic permission grants via custom_check.
+    Tests for staff and superuser automatic permission grants via is_staff_or_superuser.
 
     This test class verifies that staff members and superusers are automatically
-    granted access to ContentLibrary scopes through the check_custom_conditions function,
+    granted access to ContentLibrary scopes through the is_admin_or_superuser_check function,
     without requiring explicit role assignments.
     """
 
@@ -646,7 +646,7 @@ def test_staff_superuser_guaranteed_permissions(self, subject: str, action: str,
         - Staff users automatically have access to all library scopes without role assignments
         - Superusers automatically have access to all library scopes without role assignments
         - Regular users require explicit role assignments to access libraries
-        - Access is granted through the custom_check matcher function
+        - Access is granted through the is_staff_or_superuser matcher function
 
         Expected result:
             - Staff and superusers can perform any action on any ContentLibrary scope