refactor: address PR reviews to inlcude only org/course wide access

mariajgrimaldi · mariajgrimaldi · commit f099f2694a0e · 2026-04-10T11:37:39.000+02:00
diff --git a/openedx_authz/engine/utils.py b/openedx_authz/engine/utils.py
@@ -7,6 +7,8 @@
 import logging
 from collections import defaultdict
 
+from django.db.models import Q
+
 from casbin import Enforcer
 
 from openedx_authz.api.data import CourseOverviewData, OrgCourseOverviewGlobData
@@ -204,7 +206,6 @@ def migrate_legacy_course_roles_to_authz(course_access_role_model, course_id_lis
             "At least one of course_id_list or org_id must be provided to limit the scope of the migration."
         )
 
-    # TODO: not sure if we should keep the startswith here
     course_access_role_filter = {}
 
     if org_id:
@@ -216,7 +217,10 @@ def migrate_legacy_course_roles_to_authz(course_access_role_model, course_id_lis
         course_access_role_filter["course_id__in"] = course_id_list
 
     legacy_permissions = (
-        course_access_role_model.objects.filter(**course_access_role_filter).select_related("user").all()
+        course_access_role_model.objects.filter(**course_access_role_filter)
+        .filter(Q(course_id="") | Q(course_id__startswith=CourseOverviewData.NAMESPACE))
+        .select_related("user")
+        .all()
     )
 
     # List to keep track of any permissions that could not be migrated
