feat: Implemented team member assignments endpoint

Author: rodmgwgu

CHANGELOG.rst

@@ -14,6 +14,14 @@ Change Log
 Unreleased
 **********
 
+1.6.0 - 2026-04-09
+******************
+
+Added
+=====
+
+* Add the ``/api/authz/v1/users/<username>/assignments`` endpoint to get a list of role assignations for a user.
+
 1.5.0 - 2026-04-09
 ******************
 

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "1.5.0"
+__version__ = "1.6.0"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/api/data.py

@@ -37,6 +37,7 @@
     "RoleData",
     "ScopeData",
     "SubjectData",
+    "SuperAdminAssignmentData",
     "UserData",
 ]
 
@@ -1101,6 +1102,19 @@ def __repr__(self):
         return f"{self.subject.namespaced_key} => [{role_keys}] @ {self.scope.namespaced_key}"
 
 
+@define
+class SuperAdminAssignmentData:
+    """Represents a superadmin entry in a team member assignment list.
+
+    Used alongside RoleAssignmentData in serializer contexts where a user is a
+    staff/superuser and their access is not derived from a specific role assignment.
+    """
+
+    subject: SubjectData = None
+    is_staff: bool = False
+    is_superuser: bool = False
+
+
 @define
 class UserAssignments:
     """A user with their role assignments"""

openedx_authz/api/users.py

@@ -9,12 +9,15 @@
 (e.g., 'user^john_doe').
 """
 
+from django.contrib.auth import get_user_model
+
 from openedx_authz.api.data import (
     ActionData,
     PermissionData,
     RoleAssignmentData,
     RoleData,
     ScopeData,
+    SuperAdminAssignmentData,
     UserAssignments,
     UserAssignmentsFilter,
     UserData,
@@ -36,6 +39,9 @@
 )
 from openedx_authz.api.utils import filter_user_assignments, get_user_assignment_map
 
+User = get_user_model()
+
+
 __all__ = [
     "assign_role_to_user_in_scope",
     "batch_assign_role_to_users_in_scope",
@@ -44,13 +50,15 @@
     "get_user_role_assignments",
     "get_user_role_assignments_in_scope",
     "get_user_role_assignments_for_role_in_scope",
+    "get_user_role_assignments_for_user_filtered",
     "get_user_role_assignments_filtered",
     "get_all_user_role_assignments_in_scope",
     "get_visible_role_assignments_for_user",
     "is_user_allowed",
     "get_scopes_for_user_and_permission",
     "get_users_for_role_in_scope",
     "unassign_all_roles_from_user",
+    "get_superadmins",
 ]
 
 
@@ -168,6 +176,42 @@ def get_user_role_assignments_for_role_in_scope(
     )
 
 
+def get_user_role_assignments_for_user_filtered(
+    user_external_key: str,
+    orgs: list[str] = None,
+    roles: list[str] = None,
+    allowed_for_user_external_key: str = None,
+) -> list[RoleAssignmentData]:
+    """
+    Get role assignments for a specific user, filtered by orgs and/or roles,
+    and only include assignments that the specified user has permission to view.
+
+    Args:
+        user_external_key: The user to get assignments for (e.g., 'john_doe').
+        orgs: Optional list of orgs to filter by (e.g., ['edX', 'MITx']).
+        roles: Optional list of roles to filter by (e.g., ['library_admin']).
+        allowed_for_user_external_key: The username to check permissions against (e.g., 'john_doe').
+
+    Returns:
+        list[RoleAssignmentData]: A list of role assignments for the user, filtered by orgs/roles and permissions.
+    """
+    user_role_assignments = get_user_role_assignments(user_external_key=user_external_key)
+    # Filter assignments based on the user's permissions
+    user_role_assignments = _filter_allowed_assignments(
+        user_external_key=allowed_for_user_external_key,
+        assignments=user_role_assignments,
+    )
+    if orgs:
+        # Filter by orgs
+        user_role_assignments = [a for a in user_role_assignments if a.scope.org in orgs]
+    if roles:
+        # Filter by roles
+        user_role_assignments = [
+            a for a in user_role_assignments if any(role.external_key in roles for role in a.roles)
+        ]
+    return user_role_assignments
+
+
 def get_user_role_assignments_filtered(
     *,
     user_external_key: str | None = None,
@@ -339,3 +383,30 @@ def unassign_all_roles_from_user(user_external_key: str) -> bool:
         bool: True if any roles were removed, False otherwise.
     """
     return unassign_subject_from_all_roles(UserData(external_key=user_external_key))
+
+
+def get_superadmins(user_external_keys: list[str] | None = None) -> list[SuperAdminAssignmentData]:
+    """Returns all superadmins as SuperAdminAssignmentData.
+
+    A superadmin is a User with a Django staff or superuser role.
+    Superadmins automatically are allowed to do any action.
+
+    Args:
+        user_external_keys (list[str] or None): To filter by usernames
+
+    Returns:
+        list[SuperAdminAssignmentData]: The superadmin data
+    """
+    # Retrieve user data to check if they are a superusers
+    requested_users = User.objects.filter(username__in=user_external_keys, is_active=True)
+    superadmin_assignments: list[SuperAdminAssignmentData] = []
+    for requested_user in requested_users:
+        if requested_user.is_staff or requested_user.is_superuser:
+            superadmin_assignments.append(
+                SuperAdminAssignmentData(
+                    subject=UserData(external_key=requested_user.username),
+                    is_staff=requested_user.is_staff,
+                    is_superuser=requested_user.is_superuser,
+                )
+            )
+    return superadmin_assignments

openedx_authz/rest_api/data.py

@@ -20,6 +20,14 @@ class SortField(BaseEnum):
     EMAIL = "email"
 
 
+class AssignmentSortField(BaseEnum):
+    """Enum for the role assignment fields to sort by."""
+
+    ROLE = "role"
+    ORG = "org"
+    SCOPE = "scope"
+
+
 class SortOrder(BaseEnum):
     """Enum for the order to sort by."""
 

openedx_authz/rest_api/utils.py

@@ -2,9 +2,10 @@
 
 from openedx_authz.api.data import (
     GLOBAL_SCOPE_WILDCARD,
+    RoleAssignmentData,
     ScopeData,
 )
-from openedx_authz.rest_api.data import SearchField, SortField, SortOrder
+from openedx_authz.rest_api.data import AssignmentSortField, SearchField, SortField, SortOrder
 
 
 def get_generic_scope(scope: ScopeData) -> ScopeData:
@@ -93,3 +94,37 @@ def filter_users(users: list[dict], search: str | None, roles: list[str] | None)
         filtered_users.append(user)
 
     return filtered_users
+
+
+def sort_assignments(
+    assignments: list[RoleAssignmentData],
+    sort_by: AssignmentSortField = AssignmentSortField.ROLE,
+    order: SortOrder = SortOrder.ASC,
+) -> list[RoleAssignmentData]:
+    """
+    Sort role assignments by a given field and order.
+
+    Args:
+        assignments (list[RoleAssignmentData]): The assignments to sort.
+        sort_by (SortField, optional): The field to sort by. Defaults to AssignmentSortField.ROLE.
+        order (SortOrder, optional): The order to sort by. Defaults to SortOrder.ASC.
+
+    Raises:
+        ValueError: If the sort field is invalid.
+        ValueError: If the sort order is invalid.
+
+    Returns:
+        list[RoleAssignmentData]: The sorted assignments.
+    """
+    if sort_by not in AssignmentSortField.values():
+        raise ValueError(f"Invalid field: '{sort_by}'. Must be one of {AssignmentSortField.values()}")
+
+    if order not in SortOrder.values():
+        raise ValueError(f"Invalid order: '{order}'. Must be one of {SortOrder.values()}")
+
+    sorted_assignments = sorted(
+        assignments,
+        key=lambda assignment: (assignment.get(sort_by) or "").lower(),
+        reverse=order == SortOrder.DESC,
+    )
+    return sorted_assignments

openedx_authz/rest_api/v1/filters.py

@@ -2,8 +2,8 @@
 
 from rest_framework.filters import BaseFilterBackend
 
-from openedx_authz.rest_api.data import SortField, SortOrder
-from openedx_authz.rest_api.utils import filter_users, sort_users
+from openedx_authz.rest_api.data import AssignmentSortField, SortField, SortOrder
+from openedx_authz.rest_api.utils import filter_users, sort_assignments, sort_users
 
 
 class TeamMemberSearchFilter(BaseFilterBackend):
@@ -21,3 +21,12 @@ def filter_queryset(self, request, queryset, view):
         sort_by = request.query_params.get("sort_by", SortField.USERNAME)
         order = request.query_params.get("order", SortOrder.ASC)
         return sort_users(users=queryset, sort_by=sort_by, order=order)
+
+
+class TeamMemberAssignmentsOrderingFilter(BaseFilterBackend):
+    """Sort team member assignments by a given field and order."""
+
+    def filter_queryset(self, request, queryset, view):
+        sort_by = request.query_params.get("sort_by", AssignmentSortField.ROLE)
+        order = request.query_params.get("order", SortOrder.ASC)
+        return sort_assignments(assignments=queryset, sort_by=sort_by, order=order)

openedx_authz/rest_api/v1/serializers.py

@@ -5,7 +5,7 @@
 
 from openedx_authz import api
 from openedx_authz.api.data import UserAssignments
-from openedx_authz.rest_api.data import SortField, SortOrder
+from openedx_authz.rest_api.data import AssignmentSortField, SortField, SortOrder
 from openedx_authz.rest_api.utils import get_generic_scope
 from openedx_authz.rest_api.v1.fields import (
     CaseSensitiveCommaSeparatedListField,
@@ -259,3 +259,66 @@ def get_email(self, obj: UserAssignments) -> str:
     def get_assignation_count(self, obj: UserAssignments) -> int:
         """Get the assignation count for the given role assignment."""
         return len(obj.assignments)
+
+
+class ListTeamMemberAssignmentsSerializer(serializers.Serializer):  # pylint: disable=abstract-method
+    """Serializer for listing team member assignments."""
+
+    orgs = CaseSensitiveCommaSeparatedListField(required=False, default=[])
+    roles = CaseSensitiveCommaSeparatedListField(required=False, default=[])
+    sort_by = serializers.ChoiceField(
+        required=False,
+        choices=[(e.value, e.name) for e in AssignmentSortField],
+        default=AssignmentSortField.ROLE,
+    )
+    order = serializers.ChoiceField(
+        required=False,
+        choices=[(e.value, e.name) for e in SortOrder],
+        default=SortOrder.ASC,
+    )
+
+
+class TeamMemberAssignmentSerializer(serializers.Serializer):  # pylint: disable=abstract-method
+    """Serializer for team member assignments."""
+
+    is_superadmin = serializers.SerializerMethodField()
+    role = serializers.SerializerMethodField()
+    org = serializers.SerializerMethodField()
+    scope = serializers.SerializerMethodField()
+    permission_count = serializers.SerializerMethodField()
+
+    def get_is_superadmin(self, obj: api.RoleAssignmentData | api.SuperAdminAssignmentData) -> bool:
+        """Get whether this assignment entry is for a superadmin."""
+        return isinstance(obj, api.SuperAdminAssignmentData)
+
+    def get_role(self, obj: api.RoleAssignmentData | api.SuperAdminAssignmentData) -> str:
+        """Get the role for the given role assignment."""
+        match obj:
+            case api.SuperAdminAssignmentData():
+                return "django.superuser" if obj.is_superuser else "django.staff"
+            case api.RoleAssignmentData():
+                return obj.roles[0].external_key if obj.roles else ""
+
+    def get_org(self, obj: api.RoleAssignmentData | api.SuperAdminAssignmentData) -> str:
+        """Get the org for the given role assignment."""
+        match obj:
+            case api.SuperAdminAssignmentData():
+                return "*"
+            case api.RoleAssignmentData():
+                return getattr(obj.scope, "org", None)
+
+    def get_scope(self, obj: api.RoleAssignmentData | api.SuperAdminAssignmentData) -> str:
+        """Get the scope for the given role assignment."""
+        match obj:
+            case api.SuperAdminAssignmentData():
+                return "*"
+            case api.RoleAssignmentData():
+                return obj.scope.external_key
+
+    def get_permission_count(self, obj: api.RoleAssignmentData | api.SuperAdminAssignmentData) -> int | None:
+        """Get the permission count for the given role assignment."""
+        match obj:
+            case api.SuperAdminAssignmentData():
+                return None
+            case api.RoleAssignmentData():
+                return len(obj.roles[0].permissions) if obj.roles else 0

openedx_authz/rest_api/v1/urls.py

@@ -14,4 +14,5 @@
     path("roles/users/", views.RoleUserAPIView.as_view(), name="role-user-list"),
     path("orgs/", views.AdminConsoleOrgsAPIView.as_view(), name="orgs-list"),
     path("users/", views.TeamMembersAPIView.as_view(), name="user-list"),
+    path("users/<str:username>/assignments", views.TeamMemberAssignmentsAPIView.as_view(), name="user-assignment-list"),
 ]