feat: apply authz decorator to quality and validation views

dwong2708 · wgu-taylor-payne · commit 6e50d3b0264c · 2026-03-17T18:05:50.000-06:00
diff --git a/cms/djangoapps/contentstore/api/tests/test_quality.py b/cms/djangoapps/contentstore/api/tests/test_quality.py
@@ -2,9 +2,12 @@
 Tests for the course import API views
 """
 
-
+from rest_framework.test import APIClient
 from rest_framework import status
+from openedx_authz.constants.roles import COURSE_STAFF, COURSE_DATA_RESEARCHER
 
+from common.djangoapps.student.tests.factories import UserFactory
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin
 from .base import BaseCourseViewTest
 
 
@@ -67,3 +70,63 @@ def test_student_fails(self):
         self.client.login(username=self.student.username, password=self.password)
         resp = self.client.get(self.get_url(self.course_key))
         self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+
+class CourseQualityAuthzTest(CourseAuthzTestMixin, BaseCourseViewTest):
+    """
+    Tests Course Quality API authorization using openedx-authz.
+    The endpoint uses COURSES_VIEW_COURSE permission.
+    """
+
+    view_name = "courses_api:course_quality"
+    authz_roles_to_assign = [COURSE_STAFF.external_key]
+
+    def test_authorized_user_can_access(self):
+        """User with COURSE_STAFF role can access."""
+        resp = self.authorized_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_unauthorized_user_cannot_access(self):
+        """User without role cannot access."""
+        resp = self.unauthorized_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_role_scoped_to_course(self):
+        """Authorization should only apply to the assigned course."""
+        other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id)
+
+        resp = self.authorized_client.get(self.get_url(other_course.id))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_staff_user_allowed_via_legacy(self):
+        """
+        Staff users should still pass through legacy fallback.
+        """
+        self.client.login(username=self.staff.username, password=self.password)
+
+        resp = self.client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_superuser_allowed(self):
+        """Superusers should always be allowed."""
+        superuser = UserFactory(is_superuser=True)
+
+        client = APIClient()
+        client.force_authenticate(user=superuser)
+
+        resp = client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access(self):
+        """
+        User without permissions should be denied.
+        This case validates that a non-staff user cannot access even
+        if they have course author access to the course.
+        """
+        non_staff_user = UserFactory()
+        non_staff_client = APIClient()
+        self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
+        non_staff_client.force_authenticate(user=non_staff_user)
+
+        resp = non_staff_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
diff --git a/cms/djangoapps/contentstore/api/tests/test_validation.py b/cms/djangoapps/contentstore/api/tests/test_validation.py
@@ -7,18 +7,23 @@
 
 import ddt
 import factory
+
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.test.utils import override_settings
 from django.urls import reverse
 from rest_framework import status
 from rest_framework.test import APITestCase
+from rest_framework.test import APIClient
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin
+from openedx_authz.constants.roles import COURSE_STAFF, COURSE_DATA_RESEARCHER
 
 from common.djangoapps.course_modes.models import CourseMode
 from common.djangoapps.course_modes.tests.factories import CourseModeFactory
 from common.djangoapps.student.tests.factories import StaffFactory, UserFactory
 from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase
 from xmodule.modulestore.tests.factories import BlockFactory, CourseFactory
+from cms.djangoapps.contentstore.api.tests.base import BaseCourseViewTest
 
 User = get_user_model()
 
@@ -272,3 +277,81 @@ def test_list_ready_to_update_reference_success(self, mock_block, mock_auth):
             {'usage_key': str(self.block2.location)},
         ])
         mock_auth.assert_called_once()
+
+
+class CourseValidationAuthzTest(CourseAuthzTestMixin, BaseCourseViewTest):
+    """
+    Tests Course Validation API authorization using openedx-authz.
+    The endpoint uses COURSES_VIEW_COURSE permission.
+    """
+
+    view_name = "courses_api:course_validation"
+    authz_roles_to_assign = [COURSE_STAFF.external_key]
+
+    def test_authorized_user_can_access(self):
+        """
+        User with COURSE_STAFF role should be allowed via AuthZ.
+        """
+        resp = self.authorized_client.get(self.get_url(self.course_key))
+
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_unauthorized_user_cannot_access(self):
+        """
+        User without permissions should be denied.
+        """
+        resp = self.unauthorized_client.get(self.get_url(self.course_key))
+
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_role_scoped_to_course(self):
+        """
+        Authorization should only apply to the assigned course scope.
+        """
+        other_course = self.store.create_course(
+            "OtherOrg",
+            "OtherCourse",
+            "Run",
+            self.staff.id,
+        )
+
+        resp = self.authorized_client.get(self.get_url(other_course.id))
+
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_staff_user_allowed_via_legacy(self):
+        """
+        Course staff should pass through legacy fallback when AuthZ denies.
+        """
+        self.client.login(username=self.staff.username, password=self.password)
+
+        resp = self.client.get(self.get_url(self.course_key))
+
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_superuser_allowed(self):
+        """
+        Superusers should always be allowed through legacy fallback.
+        """
+        superuser = UserFactory(is_superuser=True)
+
+        client = APIClient()
+        client.force_authenticate(user=superuser)
+
+        resp = client.get(self.get_url(self.course_key))
+
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access(self):
+        """
+        User without permissions should be denied.
+        This case validates that a non-staff user cannot access even
+        if they have course author access to the course.
+        """
+        non_staff_user = UserFactory()
+        non_staff_client = APIClient()
+        self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
+        non_staff_client.force_authenticate(user=non_staff_user)
+
+        resp = non_staff_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
diff --git a/cms/djangoapps/contentstore/api/views/course_quality.py b/cms/djangoapps/contentstore/api/views/course_quality.py
@@ -6,14 +6,17 @@
 from edxval.api import get_course_videos_qset
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
 from scipy import stats
+from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
 
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, view_auth_classes
 from openedx.core.lib.cache_utils import request_cached
 from openedx.core.lib.graph_traversals import traverse_pre_order
+from openedx.core.djangoapps.authz.decorators import authz_permission_required
 from xmodule.modulestore.django import modulestore  # lint-amnesty, pylint: disable=wrong-import-order
 
-from .utils import course_author_access_required, get_bool_param
+from .utils import get_bool_param
 
 log = logging.getLogger(__name__)
 
@@ -82,7 +85,7 @@ class CourseQualityView(DeveloperErrorViewMixin, GenericAPIView):
     # does not specify a serializer class.
     swagger_schema = None
 
-    @course_author_access_required
+    @authz_permission_required(COURSES_VIEW_COURSE.identifier, LegacyAuthoringPermission.READ)
     def get(self, request, course_key):
         """
         Returns validation information for the given course.
diff --git a/cms/djangoapps/contentstore/api/views/course_validation.py b/cms/djangoapps/contentstore/api/views/course_validation.py
@@ -9,8 +9,10 @@
 from rest_framework import serializers, status
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
 from user_tasks.models import UserTaskStatus
 from user_tasks.views import StatusViewSet
+from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
 
 from cms.djangoapps.contentstore.course_info_model import get_course_updates
 from cms.djangoapps.contentstore.tasks import migrate_course_legacy_library_blocks_to_item_bank
@@ -19,6 +21,7 @@
 from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
 from openedx.core.lib.api.serializers import StatusSerializerWithUuid
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, view_auth_classes
+from openedx.core.djangoapps.authz.decorators import authz_permission_required
 from xmodule.course_metadata_utils import DEFAULT_GRADING_POLICY  # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.modulestore.django import modulestore  # lint-amnesty, pylint: disable=wrong-import-order
 
@@ -80,7 +83,7 @@ class CourseValidationView(DeveloperErrorViewMixin, GenericAPIView):
     # does not specify a serializer class.
     swagger_schema = None
 
-    @course_author_access_required
+    @authz_permission_required(COURSES_VIEW_COURSE.identifier, LegacyAuthoringPermission.READ)
     def get(self, request, course_key):
         """
         Returns validation information for the given course.
diff --git a/cms/djangoapps/contentstore/api/views/utils.py b/cms/djangoapps/contentstore/api/views/utils.py
@@ -120,7 +120,7 @@ def course_author_access_required(view):
     Usage::
         @course_author_access_required
         def my_view(request, course_key):
-            # Some functionality ...
+            # Some functionality...
     """
     def _wrapper_view(self, request, course_id, *args, **kwargs):
         """
