feat: add authz permission checks for the course group configuration endpoints (#38204)

Author: rodmgwgu

cms/djangoapps/contentstore/rest_api/v1/views/group_configurations.py

@@ -5,12 +5,14 @@
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from openedx_authz.constants.permissions import COURSES_MANAGE_GROUP_CONFIGURATIONS
 
 from cms.djangoapps.contentstore.utils import get_group_configurations_context
 from cms.djangoapps.contentstore.rest_api.v1.serializers import (
     CourseGroupConfigurationsSerializer,
 )
-from common.djangoapps.student.auth import has_studio_read_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import authz_permission_required
 from openedx.core.lib.api.view_utils import (
     DeveloperErrorViewMixin,
     verify_course_exists,
@@ -39,7 +41,11 @@ class CourseGroupConfigurationsView(DeveloperErrorViewMixin, APIView):
         },
     )
     @verify_course_exists()
-    def get(self, request: Request, course_id: str):
+    @authz_permission_required(
+        authz_permission=COURSES_MANAGE_GROUP_CONFIGURATIONS.identifier,
+        legacy_permission=LegacyAuthoringPermission.READ
+    )
+    def get(self, request: Request, course_key: CourseKey):
         """
         Get an object containing course's settings group configurations.
 
@@ -139,12 +145,8 @@ def get(self, request: Request, course_id: str):
         }
         ```
         """
-        course_key = CourseKey.from_string(course_id)
         store = modulestore()
 
-        if not has_studio_read_access(request.user, course_key):
-            self.permission_denied(request)
-
         with store.bulk_operations(course_key):
             course = modulestore().get_course(course_key)
             group_configurations_context = get_group_configurations_context(course, store)

cms/djangoapps/contentstore/rest_api/v1/views/tests/test_group_configurations.py

@@ -3,11 +3,16 @@
 """
 from django.urls import reverse
 from rest_framework import status
+from rest_framework.test import APIClient
 
+from cms.djangoapps.contentstore.api.tests.base import BaseCourseViewTest
 from cms.djangoapps.contentstore.course_group_config import (
     CONTENT_GROUP_CONFIGURATION_NAME,
 )
 from cms.djangoapps.contentstore.tests.utils import CourseTestCase
+from common.djangoapps.student.tests.factories import UserFactory
+from openedx_authz.constants.roles import COURSE_DATA_RESEARCHER, COURSE_STAFF
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthzTestMixin
 from xmodule.partitions.partitions import (
     Group,
     UserPartition,
@@ -53,3 +58,61 @@ def test_success_response(self):
         self.assertContains(response, "Group C")
         self.assertContains(response, CONTENT_GROUP_CONFIGURATION_NAME)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+class CourseGroupConfigurationsAuthzTest(CourseAuthzTestMixin, BaseCourseViewTest):
+    """
+    Tests Course Group Configuration API authorization using openedx-authz.
+    The endpoint uses COURSES_MANAGE_GROUP_CONFIGURATIONS permission.
+    """
+
+    view_name = "cms.djangoapps.contentstore:v1:group_configurations"
+    authz_roles_to_assign = [COURSE_STAFF.external_key]
+
+    def test_authorized_user_can_access(self):
+        """User with COURSE_STAFF role can access."""
+        resp = self.authorized_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_unauthorized_user_cannot_access(self):
+        """User without role cannot access."""
+        resp = self.unauthorized_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_role_scoped_to_course(self):
+        """Authorization should only apply to the assigned course."""
+        other_course = self.store.create_course("OtherOrg", "OtherCourse", "Run", self.staff.id)
+
+        resp = self.authorized_client.get(self.get_url(other_course.id))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_staff_user_allowed_via_legacy(self):
+        """
+        Staff users should still pass through legacy fallback.
+        """
+        self.client.login(username=self.staff.username, password=self.password)
+
+        resp = self.client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_superuser_allowed(self):
+        """Superusers should always be allowed."""
+        superuser = UserFactory(is_superuser=True)
+
+        client = APIClient()
+        client.force_authenticate(user=superuser)
+
+        resp = client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access(self):
+        """
+        User without required permissions should be denied.
+        This case validates that a non-staff user doesn't get access.
+        """
+        non_staff_user = UserFactory()
+        non_staff_client = APIClient()
+        self.add_user_to_role(non_staff_user, COURSE_DATA_RESEARCHER.external_key)
+        non_staff_client.force_authenticate(user=non_staff_user)
+
+        resp = non_staff_client.get(self.get_url(self.course_key))
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

cms/djangoapps/contentstore/views/course.py

@@ -58,7 +58,11 @@
 )
 from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
 from openedx.core.djangoapps.authz.decorators import user_has_course_permission
-from openedx_authz.constants.permissions import COURSES_MANAGE_COURSE_UPDATES, COURSES_VIEW_COURSE_UPDATES
+from openedx_authz.constants.permissions import (
+    COURSES_MANAGE_COURSE_UPDATES,
+    COURSES_VIEW_COURSE_UPDATES,
+    COURSES_MANAGE_GROUP_CONFIGURATIONS,
+)
 from common.djangoapps.student.roles import (
     CourseInstructorRole,
     CourseStaffRole,
@@ -150,16 +154,37 @@ class AccessListFallback(Exception):
     pass  # lint-amnesty, pylint: disable=unnecessary-pass
 
 
-def get_course_and_check_access(course_key, user, depth=0):
+def _get_course_block(course_key, depth=0):
     """
     Function used to calculate and return the locator and course block
     for the view functions in this file.
     """
-    if not has_studio_read_access(user, course_key):
-        raise PermissionDenied()
     course_block = modulestore().get_course(course_key, depth=depth)
     return course_block
 
+def get_course_and_check_access(course_key, user, depth=0):
+    """
+    Function used to validate permission and return a course block
+    for the view functions in this file.
+    """
+    if not has_studio_read_access(user, course_key):
+        raise PermissionDenied()
+    return _get_course_block(course_key, depth)
+
+def get_course_and_check_manage_group_configurations_access(course_key, user, depth=0):
+    """
+    Function used to validate permission and return a course block
+    for the view functions for group configurations in this file.
+    """
+    if not user_has_course_permission(
+        user=user,
+        authz_permission=COURSES_MANAGE_GROUP_CONFIGURATIONS.identifier,
+        course_key=course_key,
+        legacy_permission=LegacyAuthoringPermission.READ
+    ):
+        raise PermissionDenied()
+    return _get_course_block(course_key, depth)
+
 
 def reindex_course_and_check_access(course_key, user):
     """
@@ -1628,7 +1653,7 @@ def group_configurations_list_handler(request, course_key_string):
     course_key = CourseKey.from_string(course_key_string)
     store = modulestore()
     with store.bulk_operations(course_key):
-        course = get_course_and_check_access(course_key, request.user)
+        course = get_course_and_check_manage_group_configurations_access(course_key, request.user)
 
         if 'text/html' in request.META.get('HTTP_ACCEPT', 'text/html'):
             if use_new_group_configurations_page(course_key):
@@ -1671,7 +1696,7 @@ def group_configurations_detail_handler(request, course_key_string, group_config
     course_key = CourseKey.from_string(course_key_string)
     store = modulestore()
     with store.bulk_operations(course_key):
-        course = get_course_and_check_access(course_key, request.user)
+        course = get_course_and_check_manage_group_configurations_access(course_key, request.user)
         matching_id = [p for p in course.user_partitions
                        if str(p.id) == str(group_configuration_id)]
         if matching_id: