refactor: use is instance instead of matching per namespace

mariajgrimaldi · mariajgrimaldi · commit aeda00c2bc24 · 2026-04-09T15:37:44.000+02:00
diff --git a/openedx_authz/api/roles.py b/openedx_authz/api/roles.py
@@ -530,20 +530,21 @@ def unassign_subject_from_all_roles(subject: SubjectData) -> bool:
     return enforcer.remove_filtered_grouping_policy(GroupingPolicyIndex.SUBJECT.value, subject.namespaced_key)
 
 
-def get_all_role_assignments_per_scope_type(scope_type: type[ScopeData]) -> list[RoleAssignmentData]:
-    """Get all role assignments for a specific scope type.
+def get_all_role_assignments_per_scope_type(scope_types: list[type[ScopeData]]) -> list[RoleAssignmentData]:
+    """Get all role assignments matching any of the given scope types.
 
     Loads all grouping policies from the enforcer and filters in Python. Casbin policies
     store full scope keys (e.g., 'course-v1^course-v1:Org+Course+Run'), so there is no
     way to query by scope type directly so the filtering must happen here.
 
     Args:
-        scope_type: A ScopeData subclass (not an instance) used to match by NAMESPACE.
+        scope_types: A list of ScopeData subclasses (not instances). Assignments matching
+            any of the given types are returned.
 
     Returns:
-        list[RoleAssignmentData]: All assignments whose scope matches the given scope type.
+        list[RoleAssignmentData]: All assignments whose scope is an instance of any of the given scope types.
     """
     return [
         role_assignment for role_assignment in get_role_assignments()
-        if role_assignment.scope.NAMESPACE == scope_type.NAMESPACE
+        if isinstance(role_assignment.scope, tuple(scope_types))
     ]
diff --git a/openedx_authz/engine/utils.py b/openedx_authz/engine/utils.py
@@ -307,11 +307,9 @@ def migrate_authz_to_legacy_course_roles(
             "At least one of course_id_list or org_id must be provided to limit the scope of the rollback migration."
         )
 
-    # CourseOverviewData and OrgCourseOverviewGlobData share the same NAMESPACE ("course-v1"),
-    # and get_all_role_assignments_per_scope_type matches by NAMESPACE. Passing CourseOverviewData
-    # therefore captures both course-level and org-level glob assignments. The exact scope type
-    # is narrowed per-assignment via isinstance checks in the loop below.
-    role_assignments = get_all_role_assignments_per_scope_type(scope_type=CourseOverviewData)
+    role_assignments = get_all_role_assignments_per_scope_type(
+        scope_types=[CourseOverviewData, OrgCourseOverviewGlobData]
+    )
 
     # Two cases here:
     # 1. org_id provided: filter by org — includes org-level glob and course-level scopes for that org.
