Enforcement Updates #88

@MaferMazu

Description

Strategy: We are not revoking the current access; only adding a new check for permission. This will ensure that something like 'has an explicit permission in the new system' or 'you have access for the previous system' is met.

openedx/openedx-platform#37501

  • Modify the rest_api/containers.py to add the lines related to content edition to the openedx_authz.api.permissions.has_permission to edit_library.
    • Add openedx_authz.api.permissions.has_permission for view_libraries
  • Modify rest_api/blocks - similar to containers, add the new check for views and edit using the new api methods (openedx_authz.api.permissions.has_permission)
  • Modify the rest_api/collections to add our enforcer and using the new schema (not edit_library but create_collections, edit_collections, delete_collections)
  • Modify rest_api/libraries
    • permissions.CAN_DELETE_THIS_CONTENT_LIBRARY -> add delete_library with our check (openedx_authz.api.permissions.has_permission)
    • permissions.CAN_CREATE_CONTENT_LIBRARY -> we can add our check create_library (optional - it won't have an effect because the mvp doesn't take it into account the create_library assignation)
    • the can_view - add our view_library
    • the can_edit - add our edit_library
    • permissions.CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM - use our view_library_team (optional - we'll cover it in our rest api)
    • edit_library_team - use our view_library_team (optional - we'll cover it in our rest api)
    • Add in the librarycommitview the edit to publish_library.
  • Modify the rest_api/serializers: when checking can_edit, use and or to add our authz backend enforcer: openedx_authz.api.permissions.has_permission
  • Modify content_libraries/library_context to also check our enforcement (using: edit_library, view_library) - We shouldn't touch permissions.CAN_LEARN_FROM_THIS_CONTENT_LIBRARY because in the new system, we are no longer checking that.
  • Modify content_staging/views to add our enforcement (view_library)
  • Modify the api/libraries
    • add view_library
    • create_library
    • get_libraries_for_user

Out of MVP:

  • manage_taxonomies: This is a new permission and doesn't affect the console MVP. We will have it in our system, but we won't check it.
  • Modify lib/xblock/upstream_sync_container (optional) - It has a comment: # TODO: should permissions be checked at this low level?
  • Modify the rest_api/v2/views/downstreams (optional - unstable)
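
The strategy above (keep the previous system's access, and additionally accept an explicit permission in the new system), modelled as an added example that is not code from openedx-platform or openedx-authz. `combined_check`, `Decision` and the two stub callables are hypothetical stand-ins rather than the real `has_permission` signature, and the grants are constructed sample data; only the permission and action names come from the issue.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Legacy permission -> new-system action, as paired in the issue's checklist.
# CAN_LEARN_FROM_THIS_CONTENT_LIBRARY is deliberately absent: the issue says
# the new system no longer checks it, so it stays legacy-only.
LEGACY_TO_ACTION = {
    "CAN_DELETE_THIS_CONTENT_LIBRARY": "delete_library",
    "CAN_CREATE_CONTENT_LIBRARY": "create_library",
    "CAN_VIEW_THIS_CONTENT_LIBRARY_TEAM": "view_library_team",
}

# Hypothetical check signature: (user, permission_or_action, library_key) -> bool
Check = Callable[[str, str, str], bool]

@dataclass(frozen=True)
class Decision:
    allowed: bool
    granted_by: Optional[str]  # "legacy", "authz", or None when denied

def combined_check(user: str, legacy_perm: str, library_key: str,
                   legacy_check: Check, authz_check: Check) -> Decision:
    """Allow when either system grants; the new check can add access, never revoke it."""
    if legacy_check(user, legacy_perm, library_key):
        return Decision(True, "legacy")
    action = LEGACY_TO_ACTION.get(legacy_perm)
    if action is not None and authz_check(user, action, library_key):
        return Decision(True, "authz")
    return Decision(False, None)

# Constructed sample grants (not real users or library keys).
LEGACY_GRANTS = {
    ("alice", "CAN_DELETE_THIS_CONTENT_LIBRARY", "lib:Org:L1"),
    ("carol", "CAN_LEARN_FROM_THIS_CONTENT_LIBRARY", "lib:Org:L1"),
}
AUTHZ_GRANTS = {("bob", "delete_library", "lib:Org:L1")}

def legacy_stub(user: str, perm: str, key: str) -> bool:
    return (user, perm, key) in LEGACY_GRANTS

def authz_stub(user: str, action: str, key: str) -> bool:
    return (user, action, key) in AUTHZ_GRANTS

def check(user: str, legacy_perm: str, key: str = "lib:Org:L1") -> Decision:
    """Convenience wrapper binding the two stubs above."""
    return combined_check(user, legacy_perm, key, legacy_stub, authz_stub)
```

Recording which system granted each request shows which users still depend on the previous system, which matters because under this strategy removing a role in the new system alone does not remove access.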

Metadata

Labels

MVP; release blocker: Blocks the upcoming release (fix needed)

Projects

Status

Done
