feat: update authorization policies and user permissions

BryanttV · BryanttV · commit 6ae65dd1c3fe · 2025-09-16T17:38:49.000-05:00
diff --git a/openedx_authz/management/commands/policy.csv b/openedx_authz/management/commands/policy.csv
@@ -1,17 +1,37 @@
+# ===== POLICIES =====
+# Platform-level permissions
 p, role:platform_admin, act:manage, *, allow
+# Organization-level permissions
 p, role:org_admin, act:manage, lib:*, allow
 p, role:org_editor, act:edit, lib:*, allow
+# Library-specific permissions
 p, role:library_author, act:edit, lib:*, allow
 p, role:library_reviewer, act:read, lib:*, allow
+p, role:editor, act:edit, lib:*, allow
+# Report permissions
+p, role:report_viewer, act:read, report:*, allow
+# Access restrictions and exceptions
 p, role:org_editor, act:edit, lib:restricted-content, deny
+p, role:org_admin, act:manage, lib:another-restricted-content, deny
 
+# ===== ROLE ASSIGNMENTS =====
+
+# Platform administrators
 g, user:admin, role:platform_admin, *
+# Organization administrators
 g, user:alice, role:org_admin, org:OpenedX
+# Organization editors
 g, user:bob, role:org_editor, org:MIT
+g, user:paul, role:editor, org:OpenedX
+# Library authors
 g, user:mary, role:library_author, lib:math-basics
 g, user:john, role:library_author, lib:science-101
+# Library reviewers
 g, user:sarah, role:library_reviewer, lib:math-basics
+# Report viewers
+g, user:maria, role:report_viewer, org:OpenedX
 
+# ===== ACTION INHERITANCE (g2) =====
 g2, act:manage, act:edit
 g2, act:manage, act:delete
 g2, act:edit, act:read
diff --git a/openedx_authz/management/commands/request.txt b/openedx_authz/management/commands/request.txt
@@ -1,67 +1,102 @@
-# ===== ADMIN GLOBAL PERMISSIONS =====
-user:admin, act:manage, lib:math-basics, org:OpenedX, True
-user:admin, act:delete, lib:science-101, org:MIT, True
-user:admin, act:read, lib:openedx-library, org:OpenedX, True
+# ===== PLATFORM ADMINISTRATORS =====
+# Platform admin (user:admin) - should have access to everything
+user:admin, act:manage, lib:math-basics, *, True
+user:admin, act:delete, lib:science-101, *, True
 user:admin, act:read, lib:any-library, *, True
 user:admin, act:write, lib:any-library, *, True
 user:admin, act:delete, lib:any-library, *, True
 
-# ===== ORG ADMIN PERMISSIONS =====
+# ===== ORGANIZATION ADMINISTRATORS =====
+# Alice - OpenedX org admin (should have access within OpenedX scope)
 user:alice, act:manage, lib:openedx-library, org:OpenedX, True
 user:alice, act:delete, lib:openedx-content, org:OpenedX, True
 user:alice, act:write, lib:math-basics, org:OpenedX, True
 user:alice, act:read, lib:openedx-test, org:OpenedX, True
 user:alice, act:write, lib:openedx-test, org:OpenedX, True
 user:alice, act:delete, lib:openedx-test, org:OpenedX, True
+user:alice, act:manage, lib:math-basics, org:OpenedX, True
+user:alice, act:manage, lib:science-101, org:OpenedX, True
+user:alice, act:edit, lib:science-101, org:OpenedX, True
+
+# Alice - Cross-org access (should be denied)
 user:alice, act:manage, lib:mit-library, org:MIT, False
 user:alice, act:read, lib:mit-content, org:MIT, False
+user:alice, act:manage, lib:openedx-lib, *, False
+
+# Alice - Restricted content access (should be denied)
+user:alice, act:manage, lib:another-restricted-content, org:OpenedX, False
+user:alice, act:edit, lib:another-restricted-content, org:OpenedX, False
+user:alice, act:read, lib:another-restricted-content, org:OpenedX, False
+user:alice, act:write, lib:another-restricted-content, org:OpenedX, False
+user:alice, act:delete, lib:another-restricted-content, org:OpenedX, False
 
-# ===== ORG EDITOR PERMISSIONS =====
+# ===== ORGANIZATION EDITORS =====
+# Bob - MIT org editor (should have edit access within MIT scope)
 user:bob, act:edit, lib:mit-course, org:MIT, True
 user:bob, act:read, lib:mit-content, org:MIT, True
 user:bob, act:write, lib:mit-data, org:MIT, True
+user:bob, act:read, lib:mit-test, org:MIT, True
+user:bob, act:write, lib:mit-test, org:MIT, True
+
+# Bob - Higher privilege access (should be denied)
 user:bob, act:delete, lib:mit-course, org:MIT, False
 user:bob, act:manage, lib:mit-course, org:MIT, False
+user:bob, act:delete, lib:mit-test, org:MIT, False
+
+# Bob - Restricted content access (should be denied)
+user:bob, act:edit, lib:restricted-content, org:MIT, False
+user:bob, act:read, lib:restricted-content, org:MIT, False
+user:bob, act:write, lib:restricted-content, org:MIT, False
+
+# Bob - Scope isolation tests (should be denied)
+user:bob, act:edit, lib:mit-course, lib:mit-course, False
 
-# ===== LIBRARY AUTHOR PERMISSIONS =====
+# Paul - OpenedX editor with wildcard access
+user:paul, act:edit, lib:openedx-lib, org:OpenedX, True
+user:paul, act:edit, lib:mit-lib, org:MIT, False
+
+# ===== LIBRARY AUTHORS =====
+# Mary - math-basics library author
 user:mary, act:edit, lib:math-basics, lib:math-basics, True
 user:mary, act:read, lib:math-basics, lib:math-basics, True
 user:mary, act:write, lib:math-basics, lib:math-basics, True
+
+# Mary - Higher privilege access (should be denied)
 user:mary, act:delete, lib:math-basics, lib:math-basics, False
 user:mary, act:manage, lib:math-basics, lib:math-basics, False
+
+# Mary - Cross-library access (should be denied)
 user:mary, act:edit, lib:science-101, lib:science-101, False
+user:mary, act:read, lib:science-101, lib:science-101, False
+
+# Mary - Scope isolation (should be denied)
+user:mary, act:edit, lib:math-basics, org:OpenedX, False
+
+# John - science-101 library author
 user:john, act:edit, lib:science-101, lib:science-101, True
 user:john, act:read, lib:science-101, lib:science-101, True
+
+# John - Cross-library access (should be denied)
 user:john, act:edit, lib:math-basics, lib:math-basics, False
 
-# ===== LIBRARY REVIEWER PERMISSIONS =====
+# ===== LIBRARY REVIEWERS =====
+# Sarah - math-basics library reviewer (read-only access)
 user:sarah, act:read, lib:math-basics, lib:math-basics, True
+
+# Sarah - Higher privilege access (should be denied)
 user:sarah, act:write, lib:math-basics, lib:math-basics, False
 user:sarah, act:edit, lib:math-basics, lib:math-basics, False
 user:sarah, act:delete, lib:math-basics, lib:math-basics, False
 
-# ===== ACTION INHERITANCE TESTS =====
-user:alice, act:read, lib:openedx-test, org:OpenedX, True
-user:alice, act:write, lib:openedx-test, org:OpenedX, True
-user:alice, act:delete, lib:openedx-test, org:OpenedX, True
-user:bob, act:read, lib:mit-test, org:MIT, True
-user:bob, act:write, lib:mit-test, org:MIT, True
-user:bob, act:delete, lib:mit-test, org:MIT, False
+# ===== REPORT VIEWERS =====
+# Maria - report viewer for OpenedX
+user:maria, act:read, report:openedx-usage-2025, org:OpenedX, True
 
-# ===== DENY RULES TESTS =====
-user:bob, act:edit, lib:restricted-content, org:MIT, False
-user:bob, act:read, lib:restricted-content, org:MIT, False
-
-# ===== SCOPE ISOLATION TESTS =====
-user:alice, act:manage, lib:openedx-lib, *, False
-user:mary, act:edit, lib:math-basics, org:OpenedX, False
-user:bob, act:edit, lib:mit-course, lib:mit-course, False
-
-# ===== UNAUTHORIZED ACCESS TESTS =====
+# ===== UNAUTHORIZED USERS =====
+# Unknown user - should be denied access
 user:unknown, act:read, lib:math-basics, lib:math-basics, False
-user:mary, act:read, lib:science-101, lib:science-101, False
 
-# ===== SPECIAL CASE TESTS =====
+# ====== SPECIAL CASE ======
 # This should be False, but it's returning True. This is a
 # special case, and we can prevent it from the Open edX layer
 user:mary, act:read, lib:science-101, lib:math-basics, False
