fixup! feat: add course authoring migration and rollback scripts

Author: dwong2708

CHANGELOG.rst

@@ -14,6 +14,18 @@ Change Log
 Unreleased
 **********
 
+0.23.0 - 2026-02-18
+********************
+
+Added
+=====
+
+* Add authz_migrate_course_authoring command to migrate legacy CourseAccessRole data to the new Authz (Casbin-based) system
+* Add authz_rollback_course_authoring command to rollback Authz roles back to legacy CourseAccessRole
+* Support optional --delete flag for controlled cleanup of source permissions after successful migration
+* Add migrate_legacy_course_roles_to_authz and migrate_authz_to_legacy_course_roles service functions
+* Add unit tests to verify migration and command behavior
+
 Added
 =====
 

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "0.22.0"
+__version__ = "0.23.0"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/constants/roles.py

@@ -160,11 +160,6 @@
     permissions.COURSES_EXPORT_TAGS,
 ]
 
-COURSE_LIMITED_STAFF_PERMISSIONS = []
-
-COURSE_DATA_RESEARCHER_PERMISSIONS = []
-
-COURSE_ADMIN = RoleData(external_key="course_admin", permissions=COURSE_ADMIN_PERMISSIONS)
 COURSE_STAFF = RoleData(external_key="course_staff", permissions=COURSE_STAFF_PERMISSIONS)
 
 COURSE_LIMITED_STAFF_PERMISSIONS = [

openedx_authz/engine/utils.py

@@ -19,6 +19,7 @@
     COURSE_DATA_RESEARCHER,
     COURSE_LIMITED_STAFF,
     COURSE_STAFF,
+    LEGACY_COURSE_ROLE_EQUIVALENCES,
     LIBRARY_ADMIN,
     LIBRARY_AUTHOR,
     LIBRARY_USER,
@@ -29,13 +30,8 @@
 GROUPING_POLICY_PTYPES = ["g", "g2", "g3", "g4", "g5", "g6"]
 
 
-# Map new roles back to legacy roles
-role_to_legacy_role = {
-    COURSE_ADMIN.external_key: "instructor",
-    COURSE_STAFF.external_key: "staff",
-    COURSE_LIMITED_STAFF.external_key: "limited_staff",
-    COURSE_DATA_RESEARCHER.external_key: "data_researcher",
-}
+# Map new roles back to legacy roles for rollback purposes
+COURSE_ROLE_EQUIVALENCES = {v: k for k, v in LEGACY_COURSE_ROLE_EQUIVALENCES.items()}
 
 
 def migrate_policy_between_enforcers(
@@ -273,7 +269,7 @@ def migrate_authz_to_legacy_course_roles(CourseAccessRole, UserSubject, delete_a
             course_overview = assignment.scope.get_object()
 
             for role in assignment.roles:
-                legacy_role = role_to_legacy_role.get(role.external_key)
+                legacy_role = COURSE_ROLE_EQUIVALENCES.get(role.external_key)
                 if legacy_role is None:
                     logger.error(f"Unknown role: {role} for User: {user_external_key}")
                     roles_with_errors.append((user_external_key, role.external_key, scope))

openedx_authz/tests/test_migrations.py

@@ -13,6 +13,7 @@
     COURSE_DATA_RESEARCHER,
     COURSE_LIMITED_STAFF,
     COURSE_STAFF,
+    LEGACY_COURSE_ROLE_EQUIVALENCES,
     LIBRARY_ADMIN,
     LIBRARY_USER,
 )
@@ -305,6 +306,16 @@ def tearDown(self):
             scope_external_key=self.course_id,
         )
 
+    def test_legacy_course_role_equivalences_mapping(self):
+        """Test that the LEGACY_COURSE_ROLE_EQUIVALENCES mapping contains no duplicate values."""
+        legacy_roles = LEGACY_COURSE_ROLE_EQUIVALENCES.keys()
+        new_roles = LEGACY_COURSE_ROLE_EQUIVALENCES.values()
+
+        # Check that there are no duplicate values in the mapping
+        self.assertEqual(
+            len(legacy_roles), len(set(new_roles)), "LEGACY_COURSE_ROLE_EQUIVALENCES contains duplicate values"
+        )
+
     @patch("openedx_authz.api.data.CourseOverview", CourseOverview)
     def test_migrate_legacy_course_roles_to_authz_and_rollback_no_deletion(self):
         """Test the migration of legacy permissions from CourseAccessRole to the new Casbin-based model
@@ -613,12 +624,12 @@ def test_migrate_legacy_course_roles_to_authz_and_rollback_with_no_new_role_equi
             CourseAccessRole.objects.all().order_by("id").values("id", "user_id", "org", "course_id", "role")
         )
 
-        # Mock the role_to_legacy_role mapping to only include a mapping
+        # Mock the COURSE_ROLE_EQUIVALENCES mapping to only include a mapping
         # for COURSE_ADMIN to simulate the scenario where the staff, limited_staff
         # and data_researcher roles do not have a legacy role equivalent and
         # therefore cannot be migrated back to legacy roles during the rollback.
         with patch(
-            "openedx_authz.engine.utils.role_to_legacy_role",
+            "openedx_authz.engine.utils.COURSE_ROLE_EQUIVALENCES",
             {COURSE_ADMIN.external_key: "instructor"},
         ):
             permissions_with_errors = migrate_authz_to_legacy_course_roles(
@@ -636,21 +647,21 @@ def test_migrate_legacy_course_roles_to_authz_and_rollback_with_no_new_role_equi
             assignments = get_user_role_assignments_in_scope(
                 user_external_key=user.username, scope_external_key=self.course_id
             )
-            # Since we are mocking the role_to_legacy_role mapping to only include a mapping for COURSE_ADMIN,
+            # Since we are mocking the COURSE_ROLE_EQUIVALENCES mapping to only include a mapping for COURSE_ADMIN,
             # the staff role will not have a legacy role equivalent and therefore should not be migrated back
             self.assertEqual(len(assignments), 1)
         for user in self.limited_staff:
             assignments = get_user_role_assignments_in_scope(
                 user_external_key=user.username, scope_external_key=self.course_id
             )
-            # Since we are mocking the role_to_legacy_role mapping to only include a mapping for COURSE_ADMIN,
+            # Since we are mocking the COURSE_ROLE_EQUIVALENCES mapping to only include a mapping for COURSE_ADMIN,
             # the limited_staff role will not have a legacy role equivalent and therefore should not be migrated back
             self.assertEqual(len(assignments), 1)
         for user in self.data_researcher:
             assignments = get_user_role_assignments_in_scope(
                 user_external_key=user.username, scope_external_key=self.course_id
             )
-            # Since we are mocking the role_to_legacy_role mapping to only include a mapping for COURSE_ADMIN,
+            # Since we are mocking the COURSE_ROLE_EQUIVALENCES mapping to only include a mapping for COURSE_ADMIN,
             # the data_researcher role will not have a legacy role equivalent and therefore should not be migrated back
             self.assertEqual(len(assignments), 1)
 
@@ -680,7 +691,7 @@ def test_migrate_legacy_course_roles_to_authz_and_rollback_with_no_new_role_equi
 
         # After rollback, we should have 9 UserSubjects related to the course permissions
         # since the users with staff, limited_staff and data_researcher roles will not be
-        # migrated back to legacy roles due to our mocked role_to_legacy_role mapping.
+        # migrated back to legacy roles due to our mocked COURSE_ROLE_EQUIVALENCES mapping.
         self.assertEqual(len(state_after_migration_user_subjects), 9)
 
     @patch("openedx_authz.management.commands.authz_migrate_course_authoring.CourseAccessRole", CourseAccessRole)