refactor: refactor the permission check functions

Author: MaferMazu

openedx/core/djangoapps/content_libraries/api/libraries.py

@@ -73,6 +73,7 @@
 from ..constants import ALL_RIGHTS_RESERVED
 from ..models import ContentLibrary, ContentLibraryPermission
 from .exceptions import LibraryAlreadyExists, LibraryPermissionIntegrityError
+from .permissions import LEGACY_LIB_PERMISSIONS
 
 log = logging.getLogger(__name__)
 
@@ -103,8 +104,7 @@
     "publish_changes",
     "revert_changes",
     "get_backup_task_status",
-    "require_authz_lib_permission",
-    "user_has_permission_in_library",
+    "user_has_permission_across_lib_authz_systems",
 ]
 
 
@@ -236,7 +236,7 @@ def user_can_create_library(user: AbstractUser) -> bool:
     Check if the user has permission to create a content library.
     """
     library_permission = permissions.CAN_CREATE_CONTENT_LIBRARY
-    lib_permission_in_authz = _transform_lib_permission_to_authz_permission(library_permission)
+    lib_permission_in_authz = _transform_legacy_lib_permission_to_authz_permission(library_permission)
     has_perms = user.has_perm(library_permission) or authz_api.is_user_allowed(
         user,
         lib_permission_in_authz,
@@ -329,15 +329,7 @@ def require_permission_for_library_key(library_key: LibraryLocatorV2, user: User
     library_obj = ContentLibrary.objects.get_by_key(library_key)
     # obj should be able to read any valid model object but mypy thinks it can only be
     # "User | AnonymousUser | None"
-    authz_permission = _transform_lib_permission_to_authz_permission(permission)
-    if not (
-        user.has_perm(permission, obj=library_obj)
-        or authz_api.is_user_allowed(
-            user,
-            authz_permission,
-            str(library_key),
-        )
-    ):  # type:ignore[arg-type]
+    if not user_has_permission_across_lib_authz_systems(user, permission, library_key):
         raise PermissionDenied
 
     return library_obj
@@ -732,9 +724,9 @@ def get_backup_task_status(
     return result
 
 
-def _transform_lib_permission_to_authz_permission(permission: str) -> str:
+def _transform_legacy_lib_permission_to_authz_permission(permission: str) -> str:
     """
-    Transform a content library permission to an openedx-authz permission.
+    Transform a legacy content library permission to an openedx-authz permission.
     """
     mapping = {
         permissions.CAN_CREATE_CONTENT_LIBRARY: 'create_library',
@@ -747,45 +739,65 @@ def _transform_lib_permission_to_authz_permission(permission: str) -> str:
     return mapping.get(permission, permission)
 
 
-def require_authz_lib_permission(
-    library_key: LibraryLocatorV2,
-    user: UserType,
-    permission: str
-) -> ContentLibrary:
+def _transform_authz_permission_to_legacy_lib_permission(permission: str) -> str:
     """
-    This function checks the new permissions if needed using openedx-authz and also checks
-    for the old ones to maintain compatibility.
+    Transform an openedx-authz permission to a legacy content library permission.
     """
-    # Check the new permission along with the edit permission (the old one).
-    # This should apply only for publish, and crud over collections.
-    library_obj = ContentLibrary.objects.get_by_key(library_key)
-    if not (
-        user.has_perm(permissions.CAN_EDIT_THIS_CONTENT_LIBRARY, obj=library_obj)
-        or authz_api.is_user_allowed(
-            user,
-            permission,
-            str(library_key),
-        )
-    ):
-        raise PermissionDenied
-    return library_obj
+    mapping = {
+        'publish_library_content': permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+        'create_library_collection': permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+        'edit_library_collection': permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+        'delete_library_collection': permissions.CAN_EDIT_THIS_CONTENT_LIBRARY,
+    }
+    return mapping.get(permission, permission)
 
-def user_has_permission_in_library(
-    library_key: LibraryLocatorV2,
+
+def user_has_permission_across_lib_authz_systems(
     user: UserType,
-    permission: str
+    permission: str,
+    library_key: LibraryLocatorV2,
 ) -> bool:
     """
-    This function checks if the user has the specified permission in the library.
+    Check whether a user has a given permission on a content library across both the
+    legacy edx-platform permission system and the newer openedx-authz system.
+
+    The provided permission name is normalized to both systems (legacy and authz), and
+    authorization is granted if either:
+    - the user holds the legacy object-level permission on the ContentLibrary instance, or
+    - the openedx-authz API allows the user for the corresponding permission on the library.
+
+    Args:
+        user: The Django user (or user-like object) to check.
+        permission: The permission identifier (either a legacy codename or an openedx-authz name).
+        library_key: The LibraryLocatorV2 identifying the target content library.
+
+    Returns:
+        bool: True if the user is authorized by either system; otherwise False.
+
+    Raises:
+        ContentLibrary.DoesNotExist: If a library does not exist for the given key.
     """
     library_obj = ContentLibrary.objects.get_by_key(library_key)
-    # Identify if the permission is old or for authz (in this moment we are using old, for the serializer)
-    permission_in_authz = _transform_lib_permission_to_authz_permission(permission)
+    if _is_legacy_permission(permission):
+        legacy_permission = permission
+        authz_permission = _transform_legacy_lib_permission_to_authz_permission(permission)
+    else:
+        authz_permission = permission
+        legacy_permission = _transform_authz_permission_to_legacy_lib_permission(permission)
     return (
-        user.has_perm(permission, obj=library_obj)
+        # Check both the legacy and the new openedx-authz permissions
+        user.has_perm(perm=legacy_permission, obj=library_obj)
         or authz_api.is_user_allowed(
             user,
-            permission_in_authz,
+            authz_permission,
             str(library_key),
         )
-    )
+    )
+
+
+def _is_legacy_permission(permission: str) -> bool:
+    """
+    Determine if the specified library permission is part of the legacy
+    or the new openedx-authz system.
+    """
+    return permission in LEGACY_LIB_PERMISSIONS

openedx/core/djangoapps/content_libraries/api/permissions.py

@@ -12,3 +12,13 @@
     CAN_VIEW_THIS_CONTENT_LIBRARY,
     CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM
 )
+
+LEGACY_LIB_PERMISSIONS = frozenset({
+    CAN_CREATE_CONTENT_LIBRARY,
+    CAN_DELETE_THIS_CONTENT_LIBRARY,
+    CAN_EDIT_THIS_CONTENT_LIBRARY,
+    CAN_EDIT_THIS_CONTENT_LIBRARY_TEAM,
+    CAN_LEARN_FROM_THIS_CONTENT_LIBRARY,
+    CAN_VIEW_THIS_CONTENT_LIBRARY,
+    CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM,
+})

openedx/core/djangoapps/content_libraries/rest_api/blocks.py

@@ -235,7 +235,7 @@ def post(self, request, usage_key_str):
         Publish the draft changes made to this component.
         """
         key = LibraryUsageLocatorV2.from_string(usage_key_str)
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             key.lib_key,
             request.user,
             'publish_library_content'

openedx/core/djangoapps/content_libraries/rest_api/collections.py

@@ -104,7 +104,7 @@ def create(self, request: RestRequest, *args, **kwargs) -> Response:
         Create a Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             content_library.library_key,
             request.user,
             'create_library_collection'
@@ -143,7 +143,7 @@ def partial_update(self, request: RestRequest, *args, **kwargs) -> Response:
         Update a Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             content_library.library_key,
             request.user,
             'edit_library_collection'
@@ -170,7 +170,7 @@ def destroy(self, request: RestRequest, *args, **kwargs) -> Response:
         Soft-deletes a Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             content_library.library_key,
             request.user,
             'delete_library_collection'
@@ -191,7 +191,7 @@ def restore(self, request: RestRequest, *args, **kwargs) -> Response:
         Restores a soft-deleted Collection that belongs to a Content Library
         """
         content_library = self.get_content_library()
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             content_library.library_key,
             request.user,
             'edit_library_collection'
@@ -213,7 +213,7 @@ def update_items(self, request: RestRequest, *args, **kwargs) -> Response:
         Collection and items must all be part of the given library/learning package.
         """
         content_library = self.get_content_library()
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             content_library.library_key,
             request.user,
             'edit_library_collection'

openedx/core/djangoapps/content_libraries/rest_api/containers.py

@@ -376,7 +376,7 @@ def post(self, request: RestRequest, container_key: LibraryContainerLocator) ->
         """
         Publish the container and its children
         """
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             container_key.lib_key,
             request.user,
             'publish_library_content'

openedx/core/djangoapps/content_libraries/rest_api/libraries.py

@@ -473,7 +473,7 @@ def post(self, request, lib_key_str):
         descendants.
         """
         key = LibraryLocatorV2.from_string(lib_key_str)
-        api.require_authz_lib_permission(
+        api.require_permission_for_library_key(
             key,
             request.user,
             'publish_library_content'

openedx/core/djangoapps/content_libraries/rest_api/serializers.py

@@ -76,8 +76,8 @@ def get_can_edit_library(self, obj):
             return False
 
         library_obj = ContentLibrary.objects.get_by_key(obj.key)
-        return api.user_has_permission_in_library(
-            library_obj.library_key, user, permissions.CAN_EDIT_THIS_CONTENT_LIBRARY)
+        return api.user_has_permission_across_lib_authz_systems(
+            user, permissions.CAN_EDIT_THIS_CONTENT_LIBRARY, library_obj.library_key)
 
 
 class ContentLibraryUpdateSerializer(serializers.Serializer):