feat: Implement scopes endpoint for admin console

[rodmgwgu]

Description

Closes: #229

Implement the /api/authz/v1/scopes/ endpoint to list all scopes (courses and libraries), sorted by org, with search and pagination support, to be used in the admin console.

Scopes are always ordered by org.

Query Parameters

• search (Optional): Search term to filter scopes by display name
• org (Optional): Filter scopes by org
• page (Optional): Page number for pagination
• page_size (Optional): Number of items per page
• management_permission_only (Optional): Filter scopes either by only the ones to wich the user has "manage team" permissions (if true), or just "view team" permissions.

Response Format

Returns a paginated list of scope objects, each containing:

• external_key: The scope external key
• display_name: The scope's name
• org: The organization serialized object

Authentication and Permissions

• Requires authenticated user with either a content library or course view team permission.

Deadline: Verawood

How to test

Using a local dev tutor installation, call the following endpoint with required credentials:

http://local.openedx.io:8000/api/authz/v1/scopes/

The user you use to test this should have permission to at least view one course or library.

You should see a response similar to this:

{
    "count": 2,
    "next": null,
    "previous": null,
    "results": [
        {
            "external_key": "course-v1:OpenedX+DemoX+DemoCourse",
            "display_name": "Open edX Demo Course",
            "org": {
                "id": 1,
                "created": "2026-04-02T19:30:36.779095Z",
                "modified": "2026-04-02T19:30:36.779095Z",
                "name": "OpenedX",
                "short_name": "OpenedX",
                "description": "",
                "logo": null,
                "active": true
            }
        },
        {
            "external_key": "lib:WGU:CSPROB",
            "display_name": "Computer Science Problems",
            "org": {
                "id": 2,
                "created": "2026-04-02T19:31:21.196446Z",
                "modified": "2026-04-02T19:31:21.196446Z",
                "name": "WGU",
                "short_name": "WGU",
                "description": "",
                "logo": null,
                "active": true
            }
        }
    ]
}

You can also test with params, for example:

http://local.openedx.io:8000/api/authz/v1/scopes/?search=demo&page=1&page_size=2&management_permission_only=true

Other information

Co-authored by Amazon Q using Claude Sonnet 4.6.

Merge checklist:

Check off if complete or not applicable:

• Version bumped
• Changelog record added
• Documentation updated (not only docstrings)
• Fixup commits are squashed away
• Unit tests added/updated
• Manual testing instructions provided
• Noted any: Concerns, dependencies, migration issues, deadlines, tickets

[openedx-webhooks]

Thanks for the pull request, @rodmgwgu!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[Copilot]

Pull request overview

Implements a new Admin Console-facing endpoint (/api/authz/v1/scopes/) to list course and library scopes, with pagination and filtering driven by the calling user’s permissions.

Changes:

• Added AdminConsoleScopesAPIView with org-sorted listing, search, pagination, and optional “management-permission-only” filtering.
• Added request/response serializers for scope listing and expanded scope data classes to expose “manage” permissions.
• Added REST API tests, URL wiring, and bumped version/changelog.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
openedx_authz/rest_api/v1/views.py	Adds AdminConsoleScopesAPIView and its query/permission filtering logic.
openedx_authz/rest_api/v1/serializers.py	Adds query param validator and scope response serializer.
openedx_authz/rest_api/v1/urls.py	Registers the new scopes/ route.
openedx_authz/tests/rest_api/test_views.py	Adds tests for auth, sorting, pagination, and permission filtering for scopes.
openedx_authz/api/data.py	Introduces get_admin_manage_permission() and implements it for relevant scope types.
openedx_authz/init.py	Version bump.
CHANGELOG.rst	Adds release entry documenting the new endpoint.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mariajgrimaldi]

I wonder how this could be extended for additional scope types. What do you think we could do to make this extensibility proof?

[rodmgwgu]

Good point, in this implementation I tried to offload the work to MySQL as much as possible, what I'm doing here mostly is creating a query to the corresponding parent model (model-dependent), then normalize the data with annotate, and then joining that into a single queryset to be used downstream for pagination, sorting, etc.

Now, the challenge here will be:

1. New scopes will be different models, we could standardize a way to generate the normalized queryset, but this may not always be possible depending on the model specifics and the django ORM / SQL constraints.

2. New scopes may even be something completely different not stored in the DB.

We could generalize this further to cover both cases, but we will have to sacrifice performance doing it all on memory, or in some other way.

I think this is a challenge to be researched for future phases when we work on extensibility.

[mariajgrimaldi]

Yes, I agree! I think this could also be related to my question here: https://github.com/openedx/openedx-authz/pull/257/changes#r3092897006

Can we document this somewhere?

[rodmgwgu]

Sure, Created a spike ticket in tech debt: #264

[rodmgwgu]

Another idea: we could index the scopes in meilisearch, we would create an interface as part of the openedx-authz extensibility API where a consumer module would specify how to index their specific model.

Then we could query meilisearch directly here

[mariajgrimaldi]

Yes, I agree! I think this could also be related to my question here: https://github.com/openedx/openedx-authz/pull/257/changes#r3092897006

Can we document this somewhere?

[mariajgrimaldi]

LGTM! Thanks for addressing all of my comments :)

[wgu-taylor-payne]

Looks good to me!

[wgu-taylor-payne]

Suggested change

	status.HTTP_403_FORBIDDEN: "The user does not have the required permisisons",
	status.HTTP_403_FORBIDDEN: "The user does not have the required permissions",

[wgu-taylor-payne]

Looks like 1.9.0 has already been released.

Suggested change

	__version__ = "1.9.0"
	__version__ = "1.10.0"

[dwong2708]

LGTM. Thanks!