feat: add authz permission for certificates (#38190)

dwong2708 · web-flow · commit ea2f60b0cbf8 · 2026-03-23T17:03:08.000-06:00
diff --git a/cms/djangoapps/contentstore/rest_api/v1/views/certificates.py b/cms/djangoapps/contentstore/rest_api/v1/views/certificates.py
@@ -6,11 +6,14 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from openedx_authz.constants.permissions import COURSES_MANAGE_CERTIFICATES
+
 from cms.djangoapps.contentstore.utils import get_certificates_context
 from cms.djangoapps.contentstore.rest_api.v1.serializers import (
     CourseCertificatesSerializer,
 )
-from common.djangoapps.student.auth import has_studio_write_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.lib.api.view_utils import (
     DeveloperErrorViewMixin,
     verify_course_exists,
@@ -96,7 +99,12 @@ def get(self, request: Request, course_id: str):
         course_key = CourseKey.from_string(course_id)
         store = modulestore()
 
-        if not has_studio_write_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_MANAGE_CERTIFICATES.identifier,
+            course_key,
+            LegacyAuthoringPermission.WRITE
+        ):
             self.permission_denied(request)
 
         with store.bulk_operations(course_key):
diff --git a/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_certificates.py b/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_certificates.py
@@ -4,8 +4,11 @@
 from django.urls import reverse
 from rest_framework import status
 
+from openedx_authz.constants.roles import COURSE_STAFF, COURSE_EDITOR
+
 from cms.djangoapps.contentstore.tests.utils import CourseTestCase
 from cms.djangoapps.contentstore.views.tests.test_certificates import HelperMethods
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthoringAuthzTestMixin
 
 from ...mixins import PermissionAccessMixin
 
@@ -36,3 +39,35 @@ def test_success_response(self):
         self.assertEqual(response_data["course_number_override"], self.course.display_coursenumber)
         self.assertEqual(response_data["course_title"], self.course.display_name_with_default)
         self.assertEqual(response_data["course_number"], self.course.number)
+
+
+class CourseCertificatesAuthzViewTest(
+        CourseAuthoringAuthzTestMixin, CourseTestCase, PermissionAccessMixin, HelperMethods
+    ):
+    """
+    Tests for CourseCertificatesView with AuthZ enabled.
+    """
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            "cms.djangoapps.contentstore:v1:certificates",
+            kwargs={"course_id": self.course.id},
+        )
+
+    def test_authorized_user_can_access(self):
+        """User with COURSE_STAFF role can access."""
+        self._add_course_certificates(count=2, signatory_count=2)
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access(self):
+        """
+        User without permissions should be denied.
+        This case validates that a non-staff user cannot access.
+        """
+        self._add_course_certificates(count=2, signatory_count=2)
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_EDITOR.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
diff --git a/openedx/core/djangoapps/authz/tests/mixins.py b/openedx/core/djangoapps/authz/tests/mixins.py
@@ -14,22 +14,25 @@
 from common.djangoapps.student.tests.factories import UserFactory
 
 
-class CourseAuthzTestMixin:
-    """
-    Reusable mixin for testing course-scoped AuthZ endpoints.
+class CourseAuthoringAuthzTestMixin:
     """
+    Base mixin for testing AuthZ in the course authoring context.
 
-    authz_roles_to_assign = [COURSE_STAFF.external_key]
+    Responsibilities:
+    - Enable course authoring AuthZ feature flag
+    - Seed policies into the AuthZ enforcer
+    - Provide authenticated test clients
+    - Provide helpers for assigning roles within a course scope
+    """
 
     @classmethod
     def setUpClass(cls):
         cls.toggle_patcher = patch.object(
             core_toggles.AUTHZ_COURSE_AUTHORING_FLAG,
             "is_enabled",
-            return_value=True
+            return_value=True,
         )
         cls.toggle_patcher.start()
-
         super().setUpClass()
 
     @classmethod
@@ -40,56 +43,77 @@ def tearDownClass(cls):
     def setUp(self):
         super().setUp()
 
-        self._seed_database_with_policies()
+        self._seed_policies()
 
         self.authorized_user = UserFactory()
         self.unauthorized_user = UserFactory()
 
-        for role in self.authz_roles_to_assign:
-            assign_role_to_user_in_scope(
-                self.authorized_user.username,
-                role,
-                str(self.course_key)
-            )
-
-        AuthzEnforcer.get_enforcer().load_policy()
-
         self.authorized_client = APIClient()
         self.authorized_client.force_authenticate(user=self.authorized_user)
 
         self.unauthorized_client = APIClient()
         self.unauthorized_client.force_authenticate(user=self.unauthorized_user)
 
-    def add_user_to_role(self, user, role):
+    def tearDown(self):
+        super().tearDown()
+        AuthzEnforcer.get_enforcer().clear_policy()
+
+    def add_user_to_role_in_course(self, user, role, course_key):
         """Helper method to add a user to a role for the course."""
         assign_role_to_user_in_scope(
             user.username,
             role,
-            str(self.course_key)
+            str(course_key)
         )
         AuthzEnforcer.get_enforcer().load_policy()
 
-    def tearDown(self):
-        super().tearDown()
-        AuthzEnforcer.get_enforcer().clear_policy()
-
     @classmethod
-    def _seed_database_with_policies(cls):
+    def _seed_policies(cls):
         """Seed the database with AuthZ policies."""
         global_enforcer = AuthzEnforcer.get_enforcer()
         global_enforcer.load_policy()
 
         model_path = pkg_resources.resource_filename(
             "openedx_authz.engine",
-            "config/model.conf"
+            "config/model.conf",
         )
 
         policy_path = pkg_resources.resource_filename(
             "openedx_authz.engine",
-            "config/authz.policy"
+            "config/authz.policy",
         )
 
         migrate_policy_between_enforcers(
             source_enforcer=casbin.Enforcer(model_path, policy_path),
             target_enforcer=global_enforcer,
         )
+
+
+class CourseAuthzTestMixin(CourseAuthoringAuthzTestMixin):
+    """
+    Reusable mixin for testing course-scoped AuthZ endpoints.
+    """
+
+    authz_roles_to_assign = [COURSE_STAFF.external_key]
+
+    @property
+    def course_key(self):
+        """
+        Must be defined by subclasses.
+        """
+        raise NotImplementedError("Tests using CourseAuthzTestMixin must define 'course_key'")
+
+    def setUp(self):
+        super().setUp()
+        for role in self.authz_roles_to_assign:
+            assign_role_to_user_in_scope(
+                self.authorized_user.username,
+                role,
+                str(self.course_key)
+            )
+
+        AuthzEnforcer.get_enforcer().load_policy()
+
+    def add_user_to_role(self, user, role):
+        """Helper method to add a user to a role for the course."""
+        self.add_user_to_role_in_course(user, role, self.course_key)
