squash!: Add permission validation for orgs endpoint

Author: rodmgwgu

openedx_authz/rest_api/v1/permissions.py

@@ -259,6 +259,32 @@ def validate_permissions(self, request, permissions: list[str], scope_value: str
         return True
 
 
+class AnyScopePermission(MethodPermissionMixin, BaseScopePermission):
+    """Permission handler for endpoints that are not tied to a specific scope.
+
+    Grants access if the user has at least one of the required permissions in any scope.
+    """
+
+    # Not a namespace-specific handler; set to None to avoid registration in PermissionMeta.
+    NAMESPACE: ClassVar[None] = None
+
+    def has_permission(self, request, view) -> bool:
+        """Check if the user has any of the required permissions across all scopes.
+
+        Superusers and staff are automatically granted access. For other users,
+        grants access if the user has at least one required permission in any scope.
+
+        Returns:
+            bool: True if the user has at least one required permission in any scope.
+        """
+        if request.user.is_superuser or request.user.is_staff:
+            return True
+        required = self.get_required_permissions(request, view)
+        if not required:
+            return False
+        return any(api.get_scopes_for_user_and_permission(request.user.username, permission) for permission in required)
+
+
 class ContentLibraryPermission(MethodPermissionMixin, BaseScopePermission):
     """Permission handler for content library scopes.
 

openedx_authz/rest_api/v1/views.py

@@ -10,6 +10,7 @@
 import edx_api_doc_tools as apidocs
 from django.contrib.auth import get_user_model
 from django.http import HttpRequest
+from django.utils.decorators import method_decorator
 from edx_api_doc_tools import schema_for
 from organizations.models import Organization
 from organizations.serializers import OrganizationSerializer
@@ -29,7 +30,7 @@
     sort_users,
 )
 from openedx_authz.rest_api.v1.paginators import AuthZAPIViewPagination
-from openedx_authz.rest_api.v1.permissions import DynamicScopePermission
+from openedx_authz.rest_api.v1.permissions import AnyScopePermission, DynamicScopePermission
 from openedx_authz.rest_api.v1.serializers import (
     AddUsersToRoleWithScopeSerializer,
     ListRolesWithScopeResponseSerializer,
@@ -455,6 +456,15 @@ def get(self, request: HttpRequest) -> Response:
 
 
 @view_auth_classes()
+@method_decorator(
+    authz_permissions(
+        [
+            permissions.VIEW_LIBRARY_TEAM.identifier,
+            permissions.COURSES_VIEW_COURSE_TEAM.identifier,
+        ]
+    ),
+    name="get",
+)
 @schema_for(
     "get",
     parameters=[
@@ -524,3 +534,4 @@ class OrgsAPIView(generics.ListAPIView):
     pagination_class = AuthZAPIViewPagination
     filter_backends = [filters.SearchFilter]
     search_fields = ["name", "short_name"]
+    permission_classes = [AnyScopePermission]

openedx_authz/tests/rest_api/test_views.py

@@ -858,6 +858,20 @@ def test_put_accepts_valid_full_course_key_scope(self, _mock_exists, _mock_assig
 class TestOrgsAPIView(ViewTestMixin):
     """Test suite for OrgsAPIView."""
 
+    @classmethod
+    def setUpClass(cls):
+        """Assign a course role to regular_9 for COURSES_VIEW_COURSE_TEAM permission tests."""
+        super().setUpClass()
+        cls._assign_roles_to_users(
+            [
+                {
+                    "subject_name": "regular_9",
+                    "role_name": roles.COURSE_STAFF.external_key,
+                    "scope_name": "course-v1:Org1+COURSE1+2024",
+                },
+            ]
+        )
+
     @classmethod
     def setUpTestData(cls):
         """Create Organization fixtures."""
@@ -968,6 +982,59 @@ def test_get_orgs_excludes_inactive(self):
         result_names = [org["name"] for org in response.data["results"]]
         self.assertNotIn("Inactive Org", result_names)
 
+    @data(
+        # Only VIEW_LIBRARY_TEAM (library_user role in a lib scope)
+        ("regular_1", status.HTTP_200_OK),
+        # Only COURSES_VIEW_COURSE_TEAM (course_staff role in a course scope)
+        ("regular_9", status.HTTP_200_OK),
+        # No relevant permissions
+        ("regular_10", status.HTTP_403_FORBIDDEN),
+        # Superuser
+        ("admin_1", status.HTTP_200_OK),
+    )
+    @unpack
+    def test_get_orgs_permissions(self, username: str, expected_status: int):
+        """Test access control for OrgsAPIView.
+
+        Test cases:
+            - User with only VIEW_LIBRARY_TEAM (via library role): allowed
+            - User with only COURSES_VIEW_COURSE_TEAM (via course role): allowed
+            - User with neither permission: forbidden
+            - Superuser/staff: allowed
+
+        Expected result:
+            - Returns appropriate status code based on user permissions
+        """
+        user = User.objects.get(username=username)
+        self.client.force_authenticate(user=user)
+
+        response = self.client.get(self.url)
+
+        self.assertEqual(response.status_code, expected_status)
+
+    def test_get_orgs_user_with_both_permissions_allowed(self):
+        """Test that a user with both VIEW_LIBRARY_TEAM and COURSES_VIEW_COURSE_TEAM can access the endpoint.
+
+        Expected result:
+            - Returns 200 OK status
+        """
+        # regular_1 has library_user (VIEW_LIBRARY_TEAM); assign a course role too
+        self._assign_roles_to_users(
+            [
+                {
+                    "subject_name": "regular_1",
+                    "role_name": roles.COURSE_STAFF.external_key,
+                    "scope_name": "course-v1:Org1+COURSE1+2024",
+                },
+            ]
+        )
+        user = User.objects.get(username="regular_1")
+        self.client.force_authenticate(user=user)
+
+        response = self.client.get(self.url)
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def test_get_orgs_unauthenticated(self):
         """Test that unauthenticated requests are rejected.