fix: load all policy in permission class and remove from views

BryanttV · BryanttV · commit 6aa980cefef9 · 2025-10-30T08:38:43.000-05:00
diff --git a/openedx_authz/rest_api/v1/permissions.py b/openedx_authz/rest_api/v1/permissions.py
@@ -5,6 +5,7 @@
 from rest_framework.permissions import BasePermission
 
 from openedx_authz import api
+from openedx_authz.engine.enforcer import AuthzEnforcer
 
 
 class PermissionMeta(type(BasePermission)):
@@ -182,6 +183,7 @@ def has_permission(self, request, view) -> bool:
         """
         if request.user.is_superuser or request.user.is_staff:
             return True
+        AuthzEnforcer.get_enforcer().load_policy()
         return self._get_permission_instance(request).has_permission(request, view)
 
     def has_object_permission(self, request, view, obj) -> bool:
@@ -198,6 +200,7 @@ def has_object_permission(self, request, view, obj) -> bool:
         """
         if request.user.is_superuser or request.user.is_staff:
             return True
+        AuthzEnforcer.get_enforcer().load_policy()
         return self._get_permission_instance(request).has_object_permission(request, view, obj)
 
 
diff --git a/openedx_authz/rest_api/v1/views.py b/openedx_authz/rest_api/v1/views.py
@@ -16,7 +16,6 @@
 
 from openedx_authz import api
 from openedx_authz.constants import permissions
-from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.rest_api.data import RoleOperationError, RoleOperationStatus
 from openedx_authz.rest_api.decorators import authz_permissions, view_auth_classes
 from openedx_authz.rest_api.utils import (
@@ -257,8 +256,6 @@ def get(self, request: HttpRequest) -> Response:
         serializer.is_valid(raise_exception=True)
         query_params = serializer.validated_data
 
-        AuthzEnforcer.get_enforcer().load_policy()
-
         user_role_assignments = api.get_all_user_role_assignments_in_scope(query_params["scope"])
         usernames = {assignment.subject.username for assignment in user_role_assignments}
         context = {"user_map": get_user_map(usernames)}
@@ -286,8 +283,6 @@ def put(self, request: HttpRequest) -> Response:
         serializer.is_valid(raise_exception=True)
         data = serializer.validated_data
 
-        AuthzEnforcer.get_enforcer().load_policy()
-
         completed, errors = [], []
         for user_identifier in data["users"]:
             response_dict = {"user_identifier": user_identifier}
@@ -330,8 +325,6 @@ def put(self, request: HttpRequest) -> Response:
     @authz_permissions([permissions.MANAGE_LIBRARY_TEAM.identifier])
     def delete(self, request: HttpRequest) -> Response:
         """Remove multiple users from a specific role within a scope."""
-        AuthzEnforcer.get_enforcer().load_policy()
-
         serializer = RemoveUsersFromRoleWithScopeSerializer(data=request.query_params)
         serializer.is_valid(raise_exception=True)
         data = serializer.validated_data
@@ -438,8 +431,6 @@ def get(self, request: HttpRequest) -> Response:
         serializer.is_valid(raise_exception=True)
         query_params = serializer.validated_data
 
-        AuthzEnforcer.get_enforcer().load_policy()
-
         generic_scope = get_generic_scope(query_params["scope"])
         roles = api.get_role_definitions_in_scope(generic_scope)
         response_data = []
