feat: Implement courses roles and permissions mappings, including legacy compat permissions

Author: rodmgwgu

CHANGELOG.rst

@@ -17,9 +17,12 @@ Unreleased
 Added
 =====
 
+0.22.0 - 2026-02-19
+********************
+
 * ADR on the AuthZ for Course Authoring implementation plan.
 * ADR on the AuthZ for Course Authoring Feature Flag Implementation Details.
-
+* Defined courses roles and permissions mappings, including legacy compatible permissions.
 
 0.21.0 - 2026-02-12
 ********************

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "0.21.0"
+__version__ = "0.22.0"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/constants/permissions.py

@@ -58,7 +58,177 @@
 
 COURSES_NAMESPACE = "courses"
 
-MANAGE_ADVANCED_SETTINGS = PermissionData(
+COURSES_VIEW_COURSE = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_course"),
+    effect="allow",
+)
+
+COURSES_CREATE_COURSE = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.create_course"),
+    effect="allow",
+)
+
+COURSES_EDIT_COURSE_CONTENT = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.edit_course_content"),
+    effect="allow",
+)
+
+COURSES_PUBLISH_COURSE_CONTENT = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.publish_course_content"),
+    effect="allow",
+)
+
+COURSES_MANAGE_LIBRARY_UPDATES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_library_updates"),
+    effect="allow",
+)
+
+COURSES_VIEW_COURSE_UPDATES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_course_updates"),
+    effect="allow",
+)
+
+COURSES_MANAGE_COURSE_UPDATES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_course_updates"),
+    effect="allow",
+)
+
+COURSES_VIEW_PAGES_AND_RESOURCES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_pages_and_resources"),
+    effect="allow",
+)
+
+COURSES_MANAGE_PAGES_AND_RESOURCES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_pages_and_resources"),
+    effect="allow",
+)
+
+COURSES_VIEW_FILES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_files"),
+    effect="allow",
+)
+
+COURSES_CREATE_FILES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.create_files"),
+    effect="allow",
+)
+
+COURSES_DELETE_FILES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.delete_files"),
+    effect="allow",
+)
+
+COURSES_EDIT_FILES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.edit_files"),
+    effect="allow",
+)
+
+COURSES_VIEW_SCHEDULE_AND_DETAILS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_schedule_and_details"),
+    effect="allow",
+)
+
+COURSES_EDIT_SCHEDULE = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.edit_schedule"),
+    effect="allow",
+)
+
+COURSES_EDIT_DETAILS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.edit_details"),
+    effect="allow",
+)
+
+COURSES_VIEW_GRADING_SETTINGS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_grading_settings"),
+    effect="allow",
+)
+
+COURSES_EDIT_GRADING_SETTINGS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.edit_grading_settings"),
+    effect="allow",
+)
+
+COURSES_VIEW_COURSE_TEAM = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_course_team"),
+    effect="allow",
+)
+
+COURSES_MANAGE_COURSE_TEAM = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_course_team"),
+    effect="allow",
+)
+
+COURSES_MANAGE_GROUP_CONFIGURATIONS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_group_configurations"),
+    effect="allow",
+)
+
+COURSES_MANAGE_ADVANCED_SETTINGS = PermissionData(
     action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_advanced_settings"),
     effect="allow",
 )
+
+COURSES_MANAGE_CERTIFICATES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_certificates"),
+    effect="allow",
+)
+
+COURSES_IMPORT_COURSE = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.import_course"),
+    effect="allow",
+)
+
+COURSES_EXPORT_COURSE = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.export_course"),
+    effect="allow",
+)
+
+COURSES_EXPORT_TAGS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.export_tags"),
+    effect="allow",
+)
+
+COURSES_VIEW_CHECKLISTS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.view_checklists"),
+    effect="allow",
+)
+
+COURSES_MANAGE_TAGS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_tags"),
+    effect="allow",
+)
+
+COURSES_MANAGE_TAXONOMIES = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.manage_taxonomies"),
+    effect="allow",
+)
+
+# Legacy Course permissions
+# These permissions allow backwards compatibility with legacy code that depends on the old roles system
+# These relate to legacy roles, if a openedx-authz role has one of these permissions,
+# it will have the same permissions as the equivalent legacy roles on code that has not been updated to the new system.
+
+COURSES_LEGACY_INSTRUCTOR_ROLE_PERMISSIONS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.legacy_instructor_role_permissions"),
+    effect="allow",
+)
+
+COURSES_LEGACY_STAFF_ROLE_PERMISSIONS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.legacy_staff_role_permissions"),
+    effect="allow",
+)
+
+COURSES_LEGACY_LIMITED_STAFF_ROLE_PERMISSIONS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.legacy_limited_staff_role_permissions"),
+    effect="allow",
+)
+
+COURSES_LEGACY_DATA_RESEARCHER_PERMISSIONS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.legacy_data_researcher_permissions"),
+    effect="allow",
+)
+
+COURSES_LEGACY_BETA_TESTER_PERMISSIONS = PermissionData(
+    action=ActionData(external_key=f"{COURSES_NAMESPACE}.legacy_beta_tester_permissions"),
+    effect="allow",
+)

openedx_authz/constants/roles.py

@@ -60,9 +60,133 @@
 
 # Course Roles and Permissions
 
+COURSE_AUDITOR_PERMISSIONS = [
+    permissions.COURSES_VIEW_COURSE,
+    permissions.COURSES_VIEW_COURSE_UPDATES,
+    permissions.COURSES_VIEW_PAGES_AND_RESOURCES,
+    permissions.COURSES_VIEW_FILES,
+    permissions.COURSES_VIEW_GRADING_SETTINGS,
+    permissions.COURSES_VIEW_CHECKLISTS,
+    permissions.COURSES_VIEW_COURSE_TEAM,
+    permissions.COURSES_VIEW_SCHEDULE_AND_DETAILS,
+]
+
+COURSE_AUDITOR = RoleData(external_key="course_auditor", permissions=COURSE_AUDITOR_PERMISSIONS)
+
+COURSE_EDITOR_PERMISSIONS = [
+    permissions.COURSES_VIEW_COURSE,
+    permissions.COURSES_VIEW_COURSE_UPDATES,
+    permissions.COURSES_VIEW_PAGES_AND_RESOURCES,
+    permissions.COURSES_VIEW_FILES,
+    permissions.COURSES_VIEW_GRADING_SETTINGS,
+    permissions.COURSES_VIEW_CHECKLISTS,
+    permissions.COURSES_VIEW_COURSE_TEAM,
+    permissions.COURSES_VIEW_SCHEDULE_AND_DETAILS,
+    permissions.COURSES_EDIT_COURSE_CONTENT,
+    permissions.COURSES_MANAGE_LIBRARY_UPDATES,
+    permissions.COURSES_MANAGE_COURSE_UPDATES,
+    permissions.COURSES_MANAGE_PAGES_AND_RESOURCES,
+    permissions.COURSES_CREATE_FILES,
+    permissions.COURSES_EDIT_FILES,
+    permissions.COURSES_EDIT_GRADING_SETTINGS,
+    permissions.COURSES_MANAGE_GROUP_CONFIGURATIONS,
+    permissions.COURSES_EDIT_DETAILS,
+    permissions.COURSES_MANAGE_TAGS,
+]
+
+COURSE_EDITOR = RoleData(external_key="course_editor", permissions=COURSE_EDITOR_PERMISSIONS)
+
+COURSE_ADMIN_PERMISSIONS = [
+    permissions.COURSES_LEGACY_INSTRUCTOR_ROLE_PERMISSIONS,
+    permissions.COURSES_VIEW_COURSE,
+    permissions.COURSES_VIEW_COURSE_UPDATES,
+    permissions.COURSES_VIEW_PAGES_AND_RESOURCES,
+    permissions.COURSES_VIEW_FILES,
+    permissions.COURSES_VIEW_GRADING_SETTINGS,
+    permissions.COURSES_VIEW_CHECKLISTS,
+    permissions.COURSES_VIEW_COURSE_TEAM,
+    permissions.COURSES_VIEW_SCHEDULE_AND_DETAILS,
+    permissions.COURSES_EDIT_COURSE_CONTENT,
+    permissions.COURSES_MANAGE_LIBRARY_UPDATES,
+    permissions.COURSES_MANAGE_COURSE_UPDATES,
+    permissions.COURSES_MANAGE_PAGES_AND_RESOURCES,
+    permissions.COURSES_CREATE_FILES,
+    permissions.COURSES_EDIT_FILES,
+    permissions.COURSES_EDIT_GRADING_SETTINGS,
+    permissions.COURSES_MANAGE_GROUP_CONFIGURATIONS,
+    permissions.COURSES_EDIT_DETAILS,
+    permissions.COURSES_MANAGE_TAGS,
+    permissions.COURSES_PUBLISH_COURSE_CONTENT,
+    permissions.COURSES_DELETE_FILES,
+    permissions.COURSES_EDIT_SCHEDULE,
+    permissions.COURSES_MANAGE_ADVANCED_SETTINGS,
+    permissions.COURSES_MANAGE_CERTIFICATES,
+    permissions.COURSES_IMPORT_COURSE,
+    permissions.COURSES_EXPORT_COURSE,
+    permissions.COURSES_EXPORT_TAGS,
+    permissions.COURSES_MANAGE_COURSE_TEAM,
+    permissions.COURSES_MANAGE_TAXONOMIES,
+]
+
+COURSE_ADMIN = RoleData(external_key="course_admin", permissions=COURSE_ADMIN_PERMISSIONS)
 
 COURSE_STAFF_PERMISSIONS = [
-    permissions.MANAGE_ADVANCED_SETTINGS,
+    permissions.COURSES_LEGACY_STAFF_ROLE_PERMISSIONS,
+    permissions.COURSES_VIEW_COURSE,
+    permissions.COURSES_VIEW_COURSE_UPDATES,
+    permissions.COURSES_VIEW_PAGES_AND_RESOURCES,
+    permissions.COURSES_VIEW_FILES,
+    permissions.COURSES_VIEW_GRADING_SETTINGS,
+    permissions.COURSES_VIEW_CHECKLISTS,
+    permissions.COURSES_VIEW_COURSE_TEAM,
+    permissions.COURSES_VIEW_SCHEDULE_AND_DETAILS,
+    permissions.COURSES_EDIT_COURSE_CONTENT,
+    permissions.COURSES_MANAGE_LIBRARY_UPDATES,
+    permissions.COURSES_MANAGE_COURSE_UPDATES,
+    permissions.COURSES_MANAGE_PAGES_AND_RESOURCES,
+    permissions.COURSES_CREATE_FILES,
+    permissions.COURSES_EDIT_FILES,
+    permissions.COURSES_EDIT_GRADING_SETTINGS,
+    permissions.COURSES_MANAGE_GROUP_CONFIGURATIONS,
+    permissions.COURSES_EDIT_DETAILS,
+    permissions.COURSES_MANAGE_TAGS,
+    permissions.COURSES_PUBLISH_COURSE_CONTENT,
+    permissions.COURSES_DELETE_FILES,
+    permissions.COURSES_EDIT_SCHEDULE,
+    permissions.COURSES_MANAGE_ADVANCED_SETTINGS,
+    permissions.COURSES_MANAGE_CERTIFICATES,
+    permissions.COURSES_IMPORT_COURSE,
+    permissions.COURSES_EXPORT_COURSE,
+    permissions.COURSES_EXPORT_TAGS,
 ]
 
 COURSE_STAFF = RoleData(external_key="course_staff", permissions=COURSE_STAFF_PERMISSIONS)
+
+COURSE_LIMITED_STAFF_PERMISSIONS = [
+    permissions.COURSES_LEGACY_LIMITED_STAFF_ROLE_PERMISSIONS,
+]
+
+COURSE_LIMITED_STAFF = RoleData(external_key="course_limited_staff", permissions=COURSE_LIMITED_STAFF_PERMISSIONS)
+
+COURSE_DATA_RESEARCHER_PERMISSIONS = [
+    permissions.COURSES_LEGACY_DATA_RESEARCHER_PERMISSIONS,
+]
+
+COURSE_DATA_RESEARCHER = RoleData(external_key="course_data_researcher", permissions=COURSE_DATA_RESEARCHER_PERMISSIONS)
+
+COURSE_BETA_TESTER_PERMISSIONS = [
+    permissions.COURSES_LEGACY_BETA_TESTER_PERMISSIONS,
+]
+
+COURSE_BETA_TESTER = RoleData(external_key="course_beta_tester", permissions=COURSE_BETA_TESTER_PERMISSIONS)
+
+# Map of legacy course role names to their equivalent new roles
+# This mapping must be unique in both directions, since it may be used as a reverse lookup (value → key).
+# If multiple keys share the same value, it will lead to collisions.
+LEGACY_COURSE_ROLE_EQUIVALENCES = {
+    "instructor": COURSE_ADMIN.external_key,
+    "staff": COURSE_STAFF.external_key,
+    "limited_staff": COURSE_LIMITED_STAFF.external_key,
+    "data_researcher": COURSE_DATA_RESEARCHER.external_key,
+    "beta_testers": COURSE_BETA_TESTER.external_key,
+}