openedx
diff --git a/‎cms/djangoapps/contentstore/rest_api/v0/tests/test_authoring_grading.py‎
Lines changed: 118 additions & 0 deletions b/‎cms/djangoapps/contentstore/rest_api/v0/tests/test_authoring_grading.py‎
Lines changed: 118 additions & 0 deletions
diff --git a/‎cms/djangoapps/contentstore/rest_api/v0/views/authoring_grading.py‎
Lines changed: 7 additions & 7 deletions b/‎cms/djangoapps/contentstore/rest_api/v0/views/authoring_grading.py‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎cms/djangoapps/contentstore/rest_api/v1/views/grading.py‎
Lines changed: 10 additions & 14 deletions b/‎cms/djangoapps/contentstore/rest_api/v1/views/grading.py‎
Lines changed: 10 additions & 14 deletions
diff --git a/‎cms/djangoapps/contentstore/rest_api/v1/views/group_configurations.py‎
Lines changed: 8 additions & 6 deletions b/‎cms/djangoapps/contentstore/rest_api/v1/views/group_configurations.py‎
Lines changed: 8 additions & 6 deletions
@@ -0,0 +1,118 @@
+"""
+Unit tests for authoring grading views.
+"""
+import json
+
+from openedx_authz.constants.roles import COURSE_DATA_RESEARCHER, COURSE_STAFF
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from cms.djangoapps.contentstore.api.tests.base import BaseCourseViewTest
+from common.djangoapps.student.tests.factories import UserFactory
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin
+
+class AuthoringGradingViewAuthzTest(CourseAuthzTestMixin, BaseCourseViewTest):
+    """
+    Tests Authoring Grading configuration API authorization using openedx-authz.
+    The endpoint uses the COURSES_EDIT_GRADING_SETTINGS permission.
+    """
+
+    view_name = "cms.djangoapps.contentstore:v0:cms_api_update_grading"
+    authz_roles_to_assign = [COURSE_STAFF.external_key]
+    post_data = json.dumps({
+        "graders": [
+            {
+                "type": "Homework",
+                "min_count": 1,
+                "drop_count": 0,
+                "short_label": "",
+                "weight": 100,
+                "id": 0
+            }
+        ],
+        "grade_cutoffs": {
+            "A": 0.75,
+            "B": 0.63,
+            "C": 0.57,
+            "D": 0.5
+        },
+        "grace_period": {
+            "hours": 12,
+            "minutes": 0
+        },
+        "minimum_grade_credit": 0.7,
+        "is_credit_course": True
+    })
+
+    def test_authorized_user_can_access_post(self):
+        """User with COURSE_STAFF role can access."""
+        resp = self.authorized_client.post(
+            self.get_url(self.course_key),
+            data=self.post_data,
+            content_type="application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_unauthorized_user_cannot_access_post(self):
+        """User without role cannot access."""
+        resp = self.unauthorized_client.post(
+            self.get_url(self.course_key),
+            data=self.post_data,
+            content_type="application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_role_scoped_to_course_post(self):
+        """Authorization should only apply to the assigned course."""
+        other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id)
+
+        resp = self.authorized_client.post(
+            self.get_url(other_course.id),
+            data=self.post_data,
+            content_type="application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_staff_user_allowed_via_legacy_post(self):
+        """
+        Staff users should still pass through legacy fallback.
+        """
+        self.client.login(username=self.staff.username, password=self.password)
+
+        resp = self.client.post(
+            self.get_url(self.course_key),
+            data=self.post_data,
+            content_type="application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_superuser_allowed_post(self):
+        """Superusers should always be allowed."""
+        superuser = UserFactory(is_superuser=True)
+
+        client = APIClient()
+        client.force_authenticate(user=superuser)
+
+        resp = client.post(
+            self.get_url(self.course_key),
+            data=self.post_data,
+            content_type="application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access_post(self):
+        """
+        User without required permissions should be denied.
+        This case validates that a non-staff user doesn't get access.
+        """
+        non_staff_user = UserFactory()
+        non_staff_client = APIClient()
+        self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
+        non_staff_client.force_authenticate(user=non_staff_user)
+
+        resp = non_staff_client.post(
+            self.get_url(self.course_key),
+            data=self.post_data,
+            content_type="application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
@@ -2,12 +2,14 @@
 
 import edx_api_doc_tools as apidocs
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import COURSES_EDIT_GRADING_SETTINGS
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from cms.djangoapps.models.settings.course_grading import CourseGradingModel
-from common.djangoapps.student.auth import has_studio_read_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import authz_permission_required
 from openedx.core.djangoapps.credit.tasks import update_credit_course_requirements
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
 from ..serializers import CourseGradingModelSerializer
@@ -31,7 +33,10 @@ class AuthoringGradingView(DeveloperErrorViewMixin, APIView):
         },
     )
     @verify_course_exists()
-    def post(self, request: Request, course_id: str):
+    # Please note: previous legacy permisison was checking for has_studio_read_access
+    # So we are using LegacyAuthoringPermission.READ to keep compatibility
+    @authz_permission_required(COURSES_EDIT_GRADING_SETTINGS.identifier, LegacyAuthoringPermission.READ)
+    def post(self, request: Request, course_key: CourseKey):
         """
         Update a course's grading.
 
@@ -75,11 +80,6 @@ def post(self, request: Request, course_id: str):
 
         If the request is successful, an HTTP 200 "OK" response is returned,
         """
-        course_key = CourseKey.from_string(course_id)
-
-        if not has_studio_read_access(request.user, course_key):
-            self.permission_denied(request)
-
         if 'minimum_grade_credit' in request.data:
             update_credit_course_requirements.delay(str(course_key))
 
 
@@ -3,12 +3,14 @@
 import edx_api_doc_tools as apidocs
 from django.conf import settings
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import COURSES_VIEW_GRADING_SETTINGS, COURSES_EDIT_GRADING_SETTINGS
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from cms.djangoapps.models.settings.course_grading import CourseGradingModel
-from common.djangoapps.student.auth import has_studio_read_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import authz_permission_required
 from openedx.core.djangoapps.credit.api import is_credit_course
 from openedx.core.djangoapps.credit.tasks import update_credit_course_requirements
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
@@ -36,7 +38,8 @@ class CourseGradingView(DeveloperErrorViewMixin, APIView):
         },
     )
     @verify_course_exists()
-    def get(self, request: Request, course_id: str):
+    @authz_permission_required(COURSES_VIEW_GRADING_SETTINGS.identifier, LegacyAuthoringPermission.READ)
+    def get(self, request: Request, course_key: CourseKey):
         """
         Get an object containing course grading settings with model.
 
@@ -90,11 +93,6 @@ def get(self, request: Request, course_id: str):
         }
         ```
         """
-        course_key = CourseKey.from_string(course_id)
-
-        if not has_studio_read_access(request.user, course_key):
-            self.permission_denied(request)
-
         with modulestore().bulk_operations(course_key):
             credit_eligibility_enabled = settings.FEATURES.get("ENABLE_CREDIT_ELIGIBILITY", False)
             show_credit_eligibility = is_credit_course(course_key) and credit_eligibility_enabled
@@ -118,13 +116,16 @@ def get(self, request: Request, course_id: str):
         },
     )
     @verify_course_exists()
-    def post(self, request: Request, course_id: str):
+    # Please note: previous legacy permisison was checking for has_studio_read_access
+    # So we are using LegacyAuthoringPermission.READ to keep compatibility
+    @authz_permission_required(COURSES_EDIT_GRADING_SETTINGS.identifier, LegacyAuthoringPermission.READ)
+    def post(self, request: Request, course_key: CourseKey):
         """
         Update a course's grading.
 
         **Example Request**
 
-            PUT /api/contentstore/v1/course_grading/{course_id}
+            POST /api/contentstore/v1/course_grading/{course_id}
 
         **POST Parameters**
 
@@ -162,11 +163,6 @@ def post(self, request: Request, course_id: str):
 
         If the request is successful, an HTTP 200 "OK" response is returned,
         """
-        course_key = CourseKey.from_string(course_id)
-
-        if not has_studio_read_access(request.user, course_key):
-            self.permission_denied(request)
-
         if 'minimum_grade_credit' in request.data:
             update_credit_course_requirements.delay(str(course_key))
 
 
@@ -5,12 +5,14 @@
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from openedx_authz.constants.permissions import COURSES_MANAGE_GROUP_CONFIGURATIONS
 
 from cms.djangoapps.contentstore.utils import get_group_configurations_context
 from cms.djangoapps.contentstore.rest_api.v1.serializers import (
     CourseGroupConfigurationsSerializer,
 )
-from common.djangoapps.student.auth import has_studio_read_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import authz_permission_required
 from openedx.core.lib.api.view_utils import (
     DeveloperErrorViewMixin,
     verify_course_exists,
@@ -39,7 +41,11 @@ class CourseGroupConfigurationsView(DeveloperErrorViewMixin, APIView):
         },
     )
     @verify_course_exists()
-    def get(self, request: Request, course_id: str):
+    @authz_permission_required(
+        authz_permission=COURSES_MANAGE_GROUP_CONFIGURATIONS.identifier,
+        legacy_permission=LegacyAuthoringPermission.READ
+    )
+    def get(self, request: Request, course_key: CourseKey):
         """
         Get an object containing course's settings group configurations.
 
@@ -139,12 +145,8 @@ def get(self, request: Request, course_id: str):
         }
         ```
         """
-        course_key = CourseKey.from_string(course_id)
         store = modulestore()
 
-        if not has_studio_read_access(request.user, course_key):
-            self.permission_denied(request)
-
         with store.bulk_operations(course_key):
             course = modulestore().get_course(course_key)
             group_configurations_context = get_group_configurations_context(course, store)