feat: add validation of list of scopes must have homogeneous namespaces

Author: MaferMazu

openedx_authz/rest_api/v1/permissions.py

@@ -59,6 +59,11 @@ class BaseScopePermission(BasePermission, metaclass=PermissionMeta):
     def get_scope_value(self, request) -> str | None:
         """Extract the scope value from the request.
 
+        When a ``scopes`` list is provided, returns only the first element.
+        This is intentional: bulk requests are expected to be homogeneous
+        (all scopes must share the same namespace). Actual per-scope permission
+        validation for bulk requests is handled in ``DynamicScopePermission``.
+
         Args:
             request: The Django REST framework request object.
 
@@ -92,6 +97,12 @@ def get_scope_namespace(self, request) -> str:
             >>> permission.get_scope_namespace(request)
             'global'
         """
+        scopes_list = request.data.get("scopes")
+        if scopes_list and isinstance(scopes_list, list):
+            if not self._scopes_have_homogeneous_namespaces(scopes_list):
+                raise ValueError(
+                    f"Mixed scope namespaces in bulk request are not allowed: {scopes_list}"
+                )
         scope_value = self.get_scope_value(request)
         if not scope_value:
             return self.NAMESPACE
@@ -100,6 +111,22 @@ def get_scope_namespace(self, request) -> str:
         except ValueError:
             return self.NAMESPACE
 
+    def _scopes_have_homogeneous_namespaces(self, scopes_list: list[str]) -> bool:
+        """Check that all scopes in the list share the same namespace.
+
+        Args:
+            scopes_list: List of scope values to check.
+        Returns:
+            bool: True if all scopes share the same namespace, False otherwise.
+        """
+        namespaces = set()
+        for scope in scopes_list:
+            try:
+                namespaces.add(api.ScopeData(external_key=scope).NAMESPACE)
+            except ValueError:
+                pass
+        return len(namespaces) <= 1
+
     def has_permission(self, request, view) -> bool:
         """Fallback permission check (deny by default).
 
@@ -146,6 +173,9 @@ class DynamicScopePermission(BaseScopePermission):
 
     Note:
         Superusers and staff members always have permission regardless of scope.
+        Bulk requests (``scopes`` list) must be homogeneous — all scopes must share
+        the same namespace (e.g., all ``course-v1:`` or all ``lib:``). Mixed namespaces
+        will raise a ``ValueError`` during namespace resolution.
     """
 
     NAMESPACE: ClassVar[None] = None

openedx_authz/tests/rest_api/test_permissions.py

@@ -61,6 +61,26 @@ def test_scope_is_string_returns_value(self):
         self.assertEqual(self.perm.get_scope_value(request), "lib:Org:A")
 
 
+class TestGetScopeNamespaceMixedScopes(TestCase):
+    """Test that get_scope_namespace enforces namespace homogeneity for bulk scopes."""
+
+    def setUp(self):
+        self.perm = BaseScopePermission()
+
+    def test_mixed_namespaces_raises_value_error(self):
+        """Passing scopes from different namespaces in a single bulk request raises ValueError."""
+        request = _make_request(data={"scopes": ["lib:Org:A", "course-v1:Org1+C1+2024"]})
+        with self.assertRaises(ValueError):
+            self.perm.get_scope_namespace(request)
+
+    def test_homogeneous_namespaces_does_not_raise(self):
+        """Passing scopes that all share the same namespace does not raise."""
+        request = _make_request(data={"scopes": ["lib:Org:A", "lib:Org:B"]})
+        # Should not raise — just verify it completes without error
+        namespace = self.perm.get_scope_namespace(request)
+        self.assertEqual(namespace, "lib")
+
+
 class TestDynamicScopePermissionBulkScopes(TestCase):
     """Test bulk-scopes path in DynamicScopePermission.has_permission."""