Namespace or app names in our permissions

[MaferMazu]

Description

Currently our permissions in openedx-authz looks like "view_library" but in the OEP-66 the suggestion is to use permissions like 'my_app.change_modelname'. This is inspired in django permissions and bridgekeeper, but I think it is a valuable approach to know which app is affected by a certain permission.

Proposed solution

Add the app_name as a prefix of the external_key in the action data.

Implications

• Change the policy, and the constants, and upgrade openedx-authz in edx-platform.

Deadline:

I don't thinks this necesarily needs to enter in the MVP, but defenetly in the future, to be able to identify which app is affected by a specific permission, and avoid permissions with same/similar names that can generate confusion.

References:

• https://github.com/openedx/openedx-authz/blob/main/openedx_authz/constants/permissions.py#L9
• https://docs.openedx.org/projects/openedx-proposals/en/latest/best-practices/oep-0066-bp-authorization.html#permission-checks

[MaferMazu]

More info: openedx/openedx-platform#37501 (comment)

[BryanttV]

I’ve been reviewing this, and I think the solution proposed by @MaferMazu is the most appropriate one. We should always add the app_name as a prefix in each permission.

For the MVP, since we’re only handling library permissions, we should:

1. Update the authz.policy file

- p, role^library_admin, act^view_library, lib^*, allow
+ p, role^library_admin, act^content_libraries.view_library, lib^*, allow

2. Update the constants

VIEW_LIBRARY = PermissionData(
- action=ActionData(external_key="content_libraries.view_library")
+ action=ActionData(external_key="content_libraries.view_library")
effect="allow",
)

3. Update the tests.
4. Update the documentation.

I'm working on a PR with these changes.

[BryanttV]

This is the PR: #142

[MaferMazu]

Also we are going to need openedx/frontend-app-admin-console#35