refactor: test ONLY authz filtering by removing legacy permissions

Author: mariajgrimaldi

openedx/core/djangoapps/content_libraries/tests/test_content_libraries.py

@@ -39,7 +39,7 @@
 from openedx.core.djangolib.testing.utils import skip_unless_cms
 from openedx_authz.constants.permissions import VIEW_LIBRARY
 
-from ..models import ContentLibrary
+from ..models import ContentLibrary, ContentLibraryPermission
 from ..permissions import CAN_VIEW_THIS_CONTENT_LIBRARY, HasPermissionInContentLibraryScope
 
 
@@ -1220,14 +1220,36 @@ def test_uncaught_error_creates_error_log(self):
 
         self.assertEqual(task_data, expected)
 
+
+@skip_unless_cms
+class ContentLibrariesAuthZTestCase(ContentLibrariesRestApiTest):
+    """
+    Tests for Content Libraries AuthZ integration via openedx-authz.
+
+    These tests verify the HasPermissionInContentLibraryScope Bridgekeeper rule
+    integrates correctly with the openedx-authz authorization system (Casbin).
+    See: https://github.com/openedx/openedx-authz/
+
+    IMPORTANT: These tests explicitly remove legacy ContentLibraryPermission grants
+    to ensure ONLY the AuthZ system is being tested, not the legacy fallback.
+    """
+
+    def setUp(self):
+        super().setUp()
+        # The parent class provides self.user (a staff user) and self.organization
+        # Set up admin_user as an alias to self.user for test readability
+        self.admin_user = self.user
+        # Set up org_short_name for convenience
+        self.org_short_name = self.organization.short_name
+
     def test_authz_scope_filters_by_authorized_libraries(self):
         """
         Test that HasPermissionInContentLibraryScope rule filters libraries
         based on authorized org/slug combinations.
 
         Given:
         - 3 libraries: lib1 (org1), lib2 (org2), lib3 (org1)
-        - User authorized for lib1 and lib2 only
+        - User authorized for lib1 and lib2 only via AuthZ (NO legacy permissions)
 
         Expected:
         - Filter returns exactly 2 libraries (lib1 and lib2)
@@ -1244,6 +1266,9 @@ def test_authz_scope_filters_by_authorized_libraries(self):
             lib2 = self._create_library(slug="lib2", org="org2", title="Library 2")
             lib3 = self._create_library(slug="lib3", org="org1", title="Library 3")
 
+        # CRITICAL: Ensure user has NO legacy permissions (test ONLY AuthZ filtering)
+        ContentLibraryPermission.objects.filter(user=user).delete()
+
         with patch(
             'openedx.core.djangoapps.content_libraries.permissions.get_scopes_for_user_and_permission'
         ) as mock_get_scopes:
@@ -1279,6 +1304,7 @@ def test_authz_scope_individual_check_with_permission(self):
         - Non-staff user
         - Library exists
         - Authorization system grants permission (mocked)
+        - NO legacy permissions
 
         Expected:
         - check() returns True
@@ -1290,6 +1316,9 @@ def test_authz_scope_individual_check_with_permission(self):
 
         library_obj = ContentLibrary.objects.get_by_key(LibraryLocatorV2.from_string(lib["id"]))
 
+        # CRITICAL: Ensure user has NO legacy permissions (test ONLY AuthZ)
+        ContentLibraryPermission.objects.filter(user=user).delete()
+
         with patch("openedx.core.djangoapps.content_libraries.permissions.is_user_allowed", return_value=True):
             result = perms[CAN_VIEW_THIS_CONTENT_LIBRARY].check(user, library_obj)
 
@@ -1304,6 +1333,7 @@ def test_authz_scope_individual_check_without_permission(self):
         - Non-staff user
         - Non-public library
         - Authorization system denies permission (mocked)
+        - NO legacy permissions
 
         Expected:
         - check() returns False
@@ -1315,6 +1345,9 @@ def test_authz_scope_individual_check_without_permission(self):
 
         library_obj = ContentLibrary.objects.get_by_key(LibraryLocatorV2.from_string(lib['id']))
 
+        # CRITICAL: Ensure user has NO legacy permissions (test ONLY AuthZ)
+        ContentLibraryPermission.objects.filter(user=user).delete()
+
         with patch('openedx.core.djangoapps.content_libraries.permissions.is_user_allowed', return_value=False):
             result = perms[CAN_VIEW_THIS_CONTENT_LIBRARY].check(user, library_obj)
 
@@ -1332,6 +1365,7 @@ def test_authz_scope_handles_empty_scopes(self):
         - Non-staff user
         - Library exists in database
         - Authorization system returns empty scope list (mocked)
+        - NO legacy permissions
 
         Expected:
         - Filter returns 0 libraries
@@ -1342,6 +1376,9 @@ def test_authz_scope_handles_empty_scopes(self):
         with self.as_user(self.admin_user):
             lib = self._create_library(slug="empty-lib", title="Empty Scopes Test")
 
+        # CRITICAL: Ensure user has NO legacy permissions (test ONLY AuthZ)
+        ContentLibraryPermission.objects.filter(user=user).delete()
+
         with patch(
             'openedx.core.djangoapps.content_libraries.permissions.get_scopes_for_user_and_permission',
             return_value=[]
@@ -1369,6 +1406,9 @@ def test_authz_scope_q_object_has_correct_structure(self):
 
         Multiple scopes should be OR'd:
         (Q(org__short_name='org1') & Q(slug='lib1')) | (Q(org__short_name='org2') & Q(slug='lib2'))
+
+        Note: This test focuses on Q object structure, not filtering behavior,
+        so legacy permissions don't affect the outcome.
         """
         user = UserFactory.create(username="q_user")
         rule = HasPermissionInContentLibraryScope(VIEW_LIBRARY, filter_keys=['org', 'slug'])
@@ -1467,6 +1507,9 @@ def test_authz_scope_q_object_matches_exact_org_slug_pairs(self):
             lib3 = self._create_library(slug="pair-lib3", org="pair-org1", title="Pair Lib 3")  # Same org as lib1
             lib4 = self._create_library(slug="pair-lib1", org="pair-org3", title="Pair Lib 4")  # Same slug as lib1
 
+        # CRITICAL: Ensure user has NO legacy permissions (test ONLY AuthZ filtering)
+        ContentLibraryPermission.objects.filter(user=user).delete()
+
         with patch(
             'openedx.core.djangoapps.content_libraries.permissions.get_scopes_for_user_and_permission'
         ) as mock_get_scopes: