[FC-0099] feat: add rest api for roles and permissions#84
[FC-0099] feat: add rest api for roles and permissions#84mariajgrimaldi merged 26 commits intoopenedx:mainfrom
Conversation
openedx-webhooks
added
open-source-contribution
|
Thanks for the pull request, @BryanttV! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
BryanttV
force-pushed
the
bav/rest-api
branch
2 times, most recently
from
fe5cd43 to
6ed26f6
Compare
BryanttV
force-pushed
the
bav/rest-api
branch
2 times, most recently
from
623b6b1 to
9b924f8
Compare
BryanttV
changed the title
bmtcril
left a comment
bmtcril
left a comment
There was a problem hiding this comment.
This is looking great, I think there are 1-2 more thorny issues to work out but it's close.
| serializer = AddUserToRoleWithScopeSerializer(data=request.data) | ||
| serializer.is_valid(raise_exception=True) | ||
|
|
||
| # TODO: Should we validate that the role or scope exists? |
There was a problem hiding this comment.
I think we have to if the api doesn't error on it. Otherwise it may be a vector for credential stuffing attacks? Similarly we should make sure that the scope matches whatever we're authenticating for in permission class (ex: we're checking library permissions in the permission class now, but not checking that the scope they're modifying here is a library scope).
There was a problem hiding this comment.
Yes, I agree with you. I added a validation method in the serializer that checks whether the scope exists. For example, if my scope is a Library ID (lib:OpenedX:CSPROB), it will validate using the exists() method to ensure that this library actually exists in the database. After that, it validates that the role exists within the roles defined in the general scope (namespace). If any of these validations fail, it will return an error. What do you think?
|
|
||
| user_identifiers = serializer.validated_data["users"] | ||
| role_name = serializer.validated_data["role"] | ||
| scope = serializer.validated_data["scope"] |
There was a problem hiding this comment.
Similar comment to above, we should make sure that the scope we're deleting matches the permissions we're checking in the permission class.
| - user_count: Number of users currently assigned to this role | ||
|
|
||
| **Authentication and Permissions** | ||
| Requires authenticated user. |
There was a problem hiding this comment.
Can any authenticated user make this call for any scope?
There was a problem hiding this comment.
I don't think so, I'm just not sure which permission we should validate in this case, considering that it's a general endpoint for all scopes.
There was a problem hiding this comment.
I believe it's this one: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/4840095745/Library+Roles+and+Permissions#Manage-Library-Team (which also considers view). This ties back to our earlier discussion about HasLibraryPermission as well. For now, it's limited to that specific library perm, but once we add support for other scopes, it would apply to the course admin, and so on.
Tagging @MaferMazu since she has been working on the final authz.policy.
BryanttV
force-pushed
the
bav/rest-api
branch
from
6c7f2aa to
1ffb2f6
Compare
bmtcril
left a comment
bmtcril
left a comment
There was a problem hiding this comment.
This is looking really good, I appreciate the changes to add BaseScopePermission! 👍
BryanttV
force-pushed
the
bav/rest-api
branch
from
6ce352d to
6380719
Compare
|
I just bumped to version For now, the endpoint to get roles and permissions by namespace has been added so that only an admin user can use it. It should be usable by any user with the If you agree, we can merge the PR, and I will work on a way to fix it in another PR. |
|
@BryanttV: I'll merge this with that note in mind, we can address it in a different PR. Thank you all for all the work! |
github-project-automation
Bot
moved this from Waiting on Author
to Done
in Contributions
6 participants
Description
This PR introduces the REST API for Open edX AuthZ.
How To Test
We create the following endpoints:
POST)GET)PUT)DELETE)GET)You can download this open-edx-authz.postman_collection.json or go to
{lms_domain}/api-docs/#/authzto test all endpoints.