squash!: Use MANAGE_*_TEAM instead of VIEW permissions to filter assignments that a user can view

Author: rodmgwgu

openedx_authz/api/users.py

@@ -39,7 +39,7 @@
     unassign_subject_from_all_roles,
 )
 from openedx_authz.api.utils import filter_user_assignments, get_user_assignment_map
-from openedx_authz.constants.permissions import COURSES_VIEW_COURSE, VIEW_LIBRARY
+from openedx_authz.constants.permissions import COURSES_MANAGE_COURSE_TEAM, MANAGE_LIBRARY_TEAM
 
 __all__ = [
     "assign_role_to_user_in_scope",
@@ -226,9 +226,9 @@ def _filter_allowed_assignments(
 
         # For CourseOverviewData and ContentLibraryData, check for the view permission
         if isinstance(assignment.scope, (CourseOverviewData, OrgCourseOverviewGlobData)):
-            permission = COURSES_VIEW_COURSE.identifier
+            permission = COURSES_MANAGE_COURSE_TEAM.identifier
         elif isinstance(assignment.scope, (ContentLibraryData, OrgContentLibraryGlobData)):
-            permission = VIEW_LIBRARY.identifier
+            permission = MANAGE_LIBRARY_TEAM.identifier
 
         if permission and is_user_allowed(
             user_external_key=user_external_key,

openedx_authz/tests/rest_api/test_views.py

@@ -868,9 +868,10 @@ class TestTeamMembersAPIView(ViewTestMixin):
     (admin_1..3 are staff/superuser; regular_1..8 are plain users)
 
     Visibility via filter_allowed_assignments:
-        - Staff/superuser: sees all 11 users (is_admin_or_superuser_check grants VIEW_LIBRARY on lib scopes)
-        - regular_1 (library_user in Org1:LIB1): VIEW_LIBRARY granted → sees Org1 members (3)
-        - regular_3 (library_user in Org2:LIB2): VIEW_LIBRARY granted → sees Org2 members (3)
+        - Staff/superuser: sees all 11 users (is_admin_or_superuser_check grants MANAGE_LIBRARY_TEAM on lib scopes)
+        - regular_5 (library_admin in Org3:LIB3): MANAGE_LIBRARY_TEAM granted → sees Org3 members (5)
+        - regular_1 (library_user in Org1:LIB1): no MANAGE_LIBRARY_TEAM → sees 0
+        - regular_3 (library_user in Org2:LIB2): no MANAGE_LIBRARY_TEAM → sees 0
         - regular_9 (no assignments): sees 0 users
     """
 
@@ -892,21 +893,23 @@ def setUp(self):
     @data(
         # Staff/superuser sees all users across all scopes
         ("admin_1", 11),
-        # regular_1 has LIBRARY_USER in lib:Org1:LIB1 (VIEW_LIBRARY granted) → sees only Org1 members
-        ("regular_1", 3),
-        # regular_3 has LIBRARY_USER in lib:Org2:LIB2 → sees only Org2 members
-        ("regular_3", 3),
+        # regular_5 has LIBRARY_ADMIN in lib:Org3:LIB3 (MANAGE_LIBRARY_TEAM granted) → sees only Org3 members
+        ("regular_5", 5),
+        # regular_1 has LIBRARY_USER in lib:Org1:LIB1 (no MANAGE_LIBRARY_TEAM) → sees nothing
+        ("regular_1", 0),
+        # regular_3 has LIBRARY_USER in lib:Org2:LIB2 (no MANAGE_LIBRARY_TEAM) → sees nothing
+        ("regular_3", 0),
         # regular_9 has no assignments → sees nothing
         ("regular_9", 0),
     )
     @unpack
     def test_visibility_limited_to_accessible_scopes(self, username: str, expected_count: int):
-        """Calling user only sees assignments for scopes it has view access to.
+        """Calling user only sees assignments for scopes it has MANAGE_*_TEAM access to.
 
         Expected result:
             - Staff/superuser sees all users across all scopes.
-            - Regular users only see members of scopes they can view.
-            - Users with no assignments see no results.
+            - Regular users only see members of scopes they can manage the team for.
+            - Users without MANAGE_*_TEAM permission see no results.
         """
         user = User.objects.get(username=username)
         self.client.force_authenticate(user=user)