squash!: Apply suggestions

rodmgwgu · rodmgwgu · commit f312a9aec6e1 · 2026-04-15T11:24:59.000-06:00
diff --git a/openedx_authz/rest_api/v1/views.py b/openedx_authz/rest_api/v1/views.py
@@ -595,7 +595,7 @@ def get_queryset(self) -> QuerySet:
 class AdminConsoleScopesAPIView(generics.ListAPIView):
     """
     API view for listing scopes
-    This API is used on the filters and assigna roles functionality on the Admin Console.
+    This API is used on the filters and assign roles functionality on the Admin Console.
 
     **Endpoints**
 
@@ -606,7 +606,7 @@ class AdminConsoleScopesAPIView(generics.ListAPIView):
     - search (Optional): Search term to filter scopes by display name
     - page (Optional): Page number for pagination
     - page_size (Optional): Number of items per page
-    - management_permission_only (Optional): Filter scopes either by only the ones to wich the user has "manage team"
+    - management_permission_only (Optional): Filter scopes either by only the ones to which the user has "manage team"
         permissions (if true), or just "view team" permissions.
 
     **Response Format**
@@ -656,7 +656,7 @@ class AdminConsoleScopesAPIView(generics.ListAPIView):
 
     def get_serializer_context(self):
         context = super().get_serializer_context()
-        context["org_map"] = {org.short_name: org for org in Organization.objects.all()}
+        context["org_map"] = Organization.objects.filter(active=True).in_bulk(field_name="short_name")
         return context
 
     def _get_courses_queryset(self, allowed_ids: set | None = None, search: str = "") -> QuerySet:
@@ -684,9 +684,10 @@ def _get_libraries_queryset(self, allowed_pairs: set | None = None, search: str
         """
         qs = ContentLibrary.objects
         if allowed_pairs is not None:
-            qs = qs.filter(
-                reduce(operator.or_, (Q(org__short_name=org, slug=slug) for org, slug in allowed_pairs), Q())
-            )
+            if not allowed_pairs:
+                qs = qs.none()
+            else:
+                qs = qs.filter(reduce(operator.or_, (Q(org__short_name=org, slug=slug) for org, slug in allowed_pairs)))
         if search:
             qs = qs.filter(learning_package__title__icontains=search)
         return qs.annotate(
diff --git a/openedx_authz/tests/rest_api/test_views.py b/openedx_authz/tests/rest_api/test_views.py
@@ -957,9 +957,12 @@ def setUp(self):
         def stub_get_libraries_queryset(_, allowed_pairs=None, search=""):  # pylint: disable=unused-argument
             qs = ContentLibrary.objects
             if allowed_pairs is not None:
-                qs = qs.filter(
-                    reduce(operator.or_, (Q(org__short_name=org, slug=slug) for org, slug in allowed_pairs), Q())
-                )
+                if not allowed_pairs:
+                    qs = qs.none()
+                else:
+                    qs = qs.filter(
+                        reduce(operator.or_, (Q(org__short_name=org, slug=slug) for org, slug in allowed_pairs))
+                    )
             return qs.annotate(
                 scope_id=Cast("slug", output_field=CharField()),
                 org_name=Cast("org__short_name", output_field=CharField()),
@@ -1214,6 +1217,23 @@ def test_manage_permission_filters_libraries_for_non_staff(self):
         self.assertIn("lib:Org3:LIB3", external_keys)
         self.assertNotIn(self.LIBRARY_ORG1, external_keys)
 
+    def test_empty_allowed_library_pairs_returns_no_libraries(self):
+        """When a non-staff user has no allowed libraries, no libraries are returned.
+
+        Regression test: an empty allowed_pairs set must not bypass the filter
+        and return all libraries (reduce with Q() default was a no-op).
+        """
+        # regular_9 has no library permissions, only a course role.
+        user = User.objects.get(username="regular_9")
+        self.client.force_authenticate(user=user)
+        self.build_qs_patcher.stop()
+
+        response = self.client.get(self.url, {"type": "library"})
+
+        self.build_qs_patcher.start()
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], 0)
+
     def test_manage_permission_only_uses_manage_permission(self):
         """management_permission_only=true calls get_admin_manage_permission, not get_admin_view_permission."""
         user = User.objects.get(username="regular_1")
