feat: introduce Authz Django app

- Add decorator to enforce AuthZ course permissions
- Add ADR documenting the new Authz Django app

Author: dwong2708

.github/workflows/pylint-checks.yml

@@ -21,7 +21,7 @@ jobs:
           - module-name: openedx-1
             path: "openedx/core/types/ openedx/core/djangoapps/ace_common/ openedx/core/djangoapps/agreements/ openedx/core/djangoapps/api_admin/ openedx/core/djangoapps/auth_exchange/ openedx/core/djangoapps/bookmarks/ openedx/core/djangoapps/cache_toolbox/ openedx/core/djangoapps/catalog/ openedx/core/djangoapps/ccxcon/ openedx/core/djangoapps/commerce/ openedx/core/djangoapps/common_initialization/ openedx/core/djangoapps/common_views/ openedx/core/djangoapps/config_model_utils/ openedx/core/djangoapps/content/ openedx/core/djangoapps/content_libraries/ openedx/core/djangoapps/content_staging/ openedx/core/djangoapps/contentserver/ openedx/core/djangoapps/cookie_metadata/ openedx/core/djangoapps/cors_csrf/ openedx/core/djangoapps/course_apps/ openedx/core/djangoapps/course_date_signals/ openedx/core/djangoapps/course_groups/ openedx/core/djangoapps/courseware_api/ openedx/core/djangoapps/crawlers/ openedx/core/djangoapps/credentials/ openedx/core/djangoapps/credit/ openedx/core/djangoapps/dark_lang/ openedx/core/djangoapps/debug/ openedx/core/djangoapps/discussions/ openedx/core/djangoapps/django_comment_common/ openedx/core/djangoapps/embargo/ openedx/core/djangoapps/enrollments/ openedx/core/djangoapps/external_user_ids/ openedx/core/djangoapps/zendesk_proxy/ openedx/core/djangolib/ openedx/core/lib/ openedx/core/djangoapps/course_live/"
           - module-name: openedx-2
-            path: "openedx/core/djangoapps/geoinfo/ openedx/core/djangoapps/header_control/ openedx/core/djangoapps/heartbeat/ openedx/core/djangoapps/lang_pref/ openedx/core/djangoapps/models/ openedx/core/djangoapps/monkey_patch/ openedx/core/djangoapps/oauth_dispatch/ openedx/core/djangoapps/olx_rest_api/ openedx/core/djangoapps/password_policy/ openedx/core/djangoapps/plugin_api/ openedx/core/djangoapps/plugins/ openedx/core/djangoapps/profile_images/ openedx/core/djangoapps/programs/ openedx/core/djangoapps/safe_sessions/ openedx/core/djangoapps/schedules/ openedx/core/djangoapps/service_status/ openedx/core/djangoapps/session_inactivity_timeout/ openedx/core/djangoapps/signals/ openedx/core/djangoapps/site_configuration/ openedx/core/djangoapps/system_wide_roles/ openedx/core/djangoapps/theming/ openedx/core/djangoapps/user_api/ openedx/core/djangoapps/user_authn/ openedx/core/djangoapps/util/ openedx/core/djangoapps/verified_track_content/ openedx/core/djangoapps/video_config/ openedx/core/djangoapps/video_pipeline/ openedx/core/djangoapps/waffle_utils/ openedx/core/djangoapps/xblock/ openedx/core/djangoapps/xmodule_django/ openedx/core/tests/ openedx/features/ openedx/testing/ openedx/tests/ openedx/envs/ openedx/core/djangoapps/notifications/ openedx/core/djangoapps/staticfiles/ openedx/core/djangoapps/content_tagging/"
+            path: "openedx/core/djangoapps/geoinfo/ openedx/core/djangoapps/header_control/ openedx/core/djangoapps/heartbeat/ openedx/core/djangoapps/lang_pref/ openedx/core/djangoapps/models/ openedx/core/djangoapps/monkey_patch/ openedx/core/djangoapps/oauth_dispatch/ openedx/core/djangoapps/olx_rest_api/ openedx/core/djangoapps/password_policy/ openedx/core/djangoapps/plugin_api/ openedx/core/djangoapps/plugins/ openedx/core/djangoapps/profile_images/ openedx/core/djangoapps/programs/ openedx/core/djangoapps/safe_sessions/ openedx/core/djangoapps/schedules/ openedx/core/djangoapps/service_status/ openedx/core/djangoapps/session_inactivity_timeout/ openedx/core/djangoapps/signals/ openedx/core/djangoapps/site_configuration/ openedx/core/djangoapps/system_wide_roles/ openedx/core/djangoapps/theming/ openedx/core/djangoapps/user_api/ openedx/core/djangoapps/user_authn/ openedx/core/djangoapps/util/ openedx/core/djangoapps/verified_track_content/ openedx/core/djangoapps/video_config/ openedx/core/djangoapps/video_pipeline/ openedx/core/djangoapps/waffle_utils/ openedx/core/djangoapps/xblock/ openedx/core/djangoapps/xmodule_django/ openedx/core/tests/ openedx/features/ openedx/testing/ openedx/tests/ openedx/envs/ openedx/core/djangoapps/notifications/ openedx/core/djangoapps/staticfiles/ openedx/core/djangoapps/content_tagging/ openedx/core/djangoapps/authz/"
           - module-name: common
             path: "common"
           - module-name: cms

.github/workflows/unit-test-shards.json

@@ -147,6 +147,7 @@
       "openedx/core/djangoapps/xblock/",
       "openedx/core/djangoapps/xmodule_django/",
       "openedx/core/djangoapps/zendesk_proxy/",
+      "openedx/core/djangoapps/authz/",
       "openedx/core/djangolib/",
       "openedx/core/lib/",
       "openedx/core/tests/",
@@ -227,6 +228,7 @@
       "openedx/core/djangoapps/xblock/",
       "openedx/core/djangoapps/xmodule_django/",
       "openedx/core/djangoapps/zendesk_proxy/",
+      "openedx/core/djangoapps/authz/",
       "openedx/core/lib/",
       "openedx/tests/"
     ]

cms/envs/common.py

@@ -907,6 +907,9 @@ def make_lms_template_path(settings):
     # alternative swagger generator for CMS API
     'drf_spectacular',
 
+    # Authz
+    'openedx.core.djangoapps.authz',
+
     'openedx_events',
 
     # Core models to represent courses

lms/envs/common.py

@@ -2088,6 +2088,9 @@
     # Notifications
     'openedx.core.djangoapps.notifications',
 
+    # Authz
+    'openedx.core.djangoapps.authz',
+
     'openedx_events',
 
     # Core models to represent courses

openedx/core/djangoapps/authz/README.rst

@@ -0,0 +1,82 @@
+AuthZ Django Integration
+########################
+
+Overview
+********
+
+The ``openedx.core.djangoapps.authz`` app provides Django integrations for the
+`openedx-authz` authorization framework within ``edx-platform``.
+
+The `openedx-authz` library implements a centralized authorization system based
+on explicit permissions and policy evaluation. This Django app acts as a thin
+integration layer between ``edx-platform`` and the external library, providing
+utilities that make it easier to enforce authorization checks in Django views.
+
+Currently, the app provides a decorator used to enforce AuthZ permissions in
+views. The app may also host additional Django-specific helpers and utilities
+as the integration with the AuthZ framework evolves.
+
+Purpose
+*******
+
+This app exists to:
+
+- Provide Django-specific integrations for the ``openedx-authz`` framework
+- Offer reusable decorators for enforcing authorization checks in views
+- Centralize AuthZ-related utilities used across LMS and Studio
+
+Keeping these integrations in a dedicated app avoids coupling authorization
+logic with unrelated apps and provides a clear location for future extensions.
+
+Location in the Platform
+************************
+
+The app lives in ``openedx/core/djangoapps`` because the functionality it
+provides is a **platform-level concern shared across LMS and Studio**, rather
+than something specific to either service.
+
+Usage
+*****
+
+The primary utility currently provided by this app is a decorator that enforces
+authorization checks using the AuthZ framework.
+
+Example usage::
+
+    from openedx.core.djangoapps.authz.decorators import authz_permission_required
+
+
+    @authz_permission_required("course.read")
+    def my_view(request, course_key):
+        ...
+
+The decorator ensures that the requesting user has the required permission
+before allowing the view to execute.
+
+Additional parameters may allow compatibility with legacy permission checks
+during the transition to the new authorization framework.
+
+Contents
+********
+
+The app currently includes:
+
+- **Decorators** for enforcing AuthZ permissions in Django views
+- **Constants** used by the AuthZ integration
+- **Tests** validating decorator behavior
+
+Relationship with ``openedx-authz``
+***********************************
+
+This app does not implement the authorization framework itself. Instead, it
+provides Django-specific integrations that connect ``edx-platform`` with the
+external ``openedx-authz`` library.
+
+Keeping these integrations in ``edx-platform`` ensures that the external
+library remains framework-agnostic.
+
+References
+**********
+
+- `openedx-authz repository <https://github.com/openedx/openedx-authz>`_
+- `openedx-authz documentation <https://openedx-authz.readthedocs.io/>`_

openedx/core/djangoapps/authz/__init__.py

@@ -0,0 +1,16 @@
+"""Django app configuration for authz app."""
+
+from django.apps import AppConfig
+
+
+class AuthzConfig(AppConfig):
+    """Django application configuration for the Open edX Authorization (AuthZ) app.
+
+    This app provides a centralized location for integrations with the
+    openedx-authz library, including permission helpers, decorators,
+    and other utilities used to enforce RBAC-based authorization across
+    the platform."""
+
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'openedx.core.djangoapps.authz'
+    verbose_name = "Open edX Authorization Framework"

openedx/core/djangoapps/authz/apps.py

@@ -0,0 +1,15 @@
+"""Constants used by the Open edX Authorization (AuthZ) framework."""
+
+from common.djangoapps.student.auth import has_studio_read_access, has_studio_write_access
+from enum import Enum
+
+
+class LegacyAuthoringPermission(Enum):
+    READ = "read"
+    WRITE = "write"
+
+
+LEGACY_PERMISSION_HANDLER_MAP = {
+    LegacyAuthoringPermission.READ: has_studio_read_access,
+    LegacyAuthoringPermission.WRITE: has_studio_write_access,
+}

openedx/core/djangoapps/authz/constants.py

@@ -0,0 +1,119 @@
+"""Decorators for AuthZ-based permissions enforcement."""
+import logging
+from functools import wraps
+from collections.abc import Callable
+
+from django.contrib.auth.models import AbstractUser
+from opaque_keys import InvalidKeyError
+from opaque_keys.edx.keys import CourseKey, UsageKey
+from openedx.core.djangoapps.authz.constants import LEGACY_PERMISSION_HANDLER_MAP, LegacyAuthoringPermission
+from openedx_authz import api as authz_api
+from rest_framework import status
+
+from openedx.core import toggles as core_toggles
+from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin
+
+log = logging.getLogger(__name__)
+
+
+def authz_permission_required(
+        authz_permission: str,
+        legacy_permission: LegacyAuthoringPermission | None = None) -> Callable:
+    """
+    Decorator enforcing course author permissions via AuthZ
+    with optional legacy fallback.
+
+    This decorator checks if the requesting user has the specified AuthZ permission for the course.
+    If AuthZ is not enabled for the course, and a legacy_permission is provided, it falls back to checking
+    the legacy permission.
+
+    Raises:
+        DeveloperErrorResponseException: If the user does not have the required permissions.
+    """
+
+    def decorator(view_func):
+
+        @wraps(view_func)
+        def _wrapped_view(self, request, course_id, *args, **kwargs):
+            course_key = get_course_key(course_id)
+
+            if not user_has_course_permission(
+                request.user,
+                authz_permission,
+                course_key,
+                legacy_permission
+            ):
+                raise DeveloperErrorViewMixin.api_error(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    developer_message="You do not have permission to perform this action.",
+                    error_code="permission_denied",
+                )
+
+            return view_func(self, request, course_key, *args, **kwargs)
+
+        return _wrapped_view
+
+    return decorator
+
+
+def user_has_course_permission(
+    user: AbstractUser,
+    authz_permission: str,
+    course_key: CourseKey,
+    legacy_permission: LegacyAuthoringPermission | None = None,
+) -> bool:
+    """
+    Checks if the user has the specified AuthZ permission for the course,
+    with optional fallback to legacy permissions.
+    """
+    if core_toggles.enable_authz_course_authoring(course_key):
+        # If AuthZ is enabled for this course, check the permission via AuthZ only.
+        is_user_allowed = authz_api.is_user_allowed(user.username, authz_permission, str(course_key))
+        log.info(
+            "AuthZ permission granted = {}".format(is_user_allowed),
+            extra={
+                "user_id": user.id,
+                "authz_permission": authz_permission,
+                "course_key": str(course_key),
+            },
+        )
+        return is_user_allowed
+
+    # If AuthZ is not enabled for this course, fall back to legacy course author
+    # access check if legacy_permission is provided.
+    has_legacy_permission: Callable | None = LEGACY_PERMISSION_HANDLER_MAP.get(legacy_permission)
+    if legacy_permission and has_legacy_permission and has_legacy_permission(user, course_key):
+        log.info(
+            "AuthZ fallback used",
+            extra={
+                "user_id": user.id,
+                "authz_permission": authz_permission,
+                "legacy_permission": legacy_permission,
+                "course_key": str(course_key),
+            },
+        )
+        return True
+
+    log.info(
+        "AuthZ permission denied",
+        extra={
+            "user_id": user.id,
+            "authz_permission": authz_permission,
+            "course_key": str(course_key),
+        },
+    )
+    return False
+
+
+def get_course_key(course_id: str) -> CourseKey:
+    """
+    Given a course_id string, attempts to parse it as a CourseKey.
+    If that fails, attempts to parse it as a UsageKey and extract the course key from it.
+    """
+    try:
+        return CourseKey.from_string(course_id)
+    except InvalidKeyError:
+        # If the course_id doesn't match the COURSE_KEY_PATTERN, it might be a usage key.
+        # Attempt to parse it as such and extract the course key.
+        usage_key = UsageKey.from_string(course_id)
+        return usage_key.course_key

openedx/core/djangoapps/authz/decorators.py

@@ -0,0 +1,74 @@
+0001 AUTHZ DJANGO INTEGRATION APP
+####################
+
+Status
+******
+
+Accepted
+
+Context
+*******
+
+This ADR defines where Django integrations for the openedx-authz framework should live within edx-platform.
+The openedx-authz library introduces a new authorization framework for Open edX based on explicit permissions and a centralized policy engine. Integrating this framework into edx-platform requires several Django-specific utilities.
+One of the first integrations is a view decorator used to enforce authorization checks using the new AuthZ framework. This decorator is expected to be reused across multiple views in LMS and Studio.
+During implementation, the question arose of where these Django integrations should live.
+
+Some options considered were:
+
+- common/djangoapps/student/auth.py
+- openedx/core/authz.py (a new python module)
+- openedx/core/djangoapps/authz (a new Django app)
+
+The student app contains legacy authentication and authorization logic tied to student functionality. Adding new platform-level authorization integrations there would introduce cross-cutting concerns into an unrelated app.
+
+Another option was creating a single module such as openedx/core/authz.py. However, the integration already includes multiple components (decorators, constants, tests) and is expected to grow over time.
+
+Because of this, a dedicated Django app provides a clearer and more scalable structure for these integrations.
+
+Decision
+********
+
+edx-platform will introduce a new lightweight Django app openedx.core.djangoapps.authz to host Django integrations for the openedx-authz framework.
+
+- The app will contain reusable decorators enforcing AuthZ permissions in Django views.
+- Supporting modules such as constants and helper utilities will live in this app.
+- The app will include tests validating these integrations.
+- The app acts as a thin integration layer between edx-platform and the external openedx-authz library.
+- The app will live in openedx/core/djangoapps because this functionality is a platform-level concern shared by LMS and Studio.
+
+Initial contents include:
+
+- An authorization decorator for Django views.
+- A constants.py module for AuthZ-related constants.
+- Tests validating the decorator behavior.
+
+Consequences
+************
+
+- Django integrations for the AuthZ framework have a centralized and discoverable location.
+- Future integrations can be added without expanding unrelated modules.
+- The separation clarifies the distinction between authentication (authn) and authorization (authz) responsibilities.
+
+However:
+
+- Introducing a new Django app slightly increases project structure complexity.
+- Some authorization logic may remain elsewhere until future refactoring occurs.
+
+Rejected Alternatives
+**********************
+
+- Add the decorator to common/djangoapps/student/auth.py
+Rejected because the module belongs to the student app and already mixes authentication and authorization responsibilities.
+
+- Create a single module openedx/core/authz.py
+Rejected because the integration already includes multiple components and is expected to grow.
+
+- Implement the decorator in the openedx-authz library
+Rejected because the decorator is Django-specific and tied to how edx-platform integrates authorization checks into views.
+
+References
+**********
+
+.. _openedx-authz repository: https://github.com/openedx/openedx-authz
+.. _openedx-authz documentation: https://openedx-authz.readthedocs.io/