Merge pull request #38213 from WGU-Open-edX/dwong2708/authz-new-perms-schedule-details

feat: add AuthZ permissions for course schedule & details

Author: bmtcril

cms/djangoapps/contentstore/rest_api/v1/views/course_details.py

@@ -3,12 +3,18 @@
 import edx_api_doc_tools as apidocs
 from django.core.exceptions import ValidationError
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import (
+        COURSES_EDIT_DETAILS,
+        COURSES_EDIT_SCHEDULE,
+        COURSES_VIEW_SCHEDULE_AND_DETAILS,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from common.djangoapps.student.auth import has_studio_read_access
 from common.djangoapps.util.json_request import JsonResponseBadRequest
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.djangoapps.models.course_details import CourseDetails
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
 from xmodule.modulestore.django import modulestore
@@ -17,6 +23,76 @@
 from ..serializers import CourseDetailsSerializer
 
 
+def _classify_update(payload: dict, course_key: CourseKey) -> tuple[bool, bool]:
+    """
+    Determine whether the payload is updating schedule fields, detail fields, or both
+    for the course identified by course_key.
+
+    Returns:
+        (is_schedule_update, is_details_update)
+    """
+
+    # Define which fields are considered schedule fields.
+    # Any field not in this set that is being updated will be considered a details update.
+    schedule_fields = frozenset(
+        {"start_date", "end_date", "enrollment_start", "enrollment_end", "certificate_available_date"}
+    )
+
+    # Define which fields are date fields to ensure proper comparison after parsing.
+    # At this time, all schedule fields are also date fields, but this is defined separately for clarity
+    # and in case this changes in the future.
+    date_fields = frozenset(
+        {"start_date", "end_date", "enrollment_start", "enrollment_end", "certificate_available_date"}
+    )
+
+    course_details = CourseDetails.fetch(course_key)
+
+    is_schedule_update = False
+    is_details_update = False
+
+    serializer = CourseDetailsSerializer()
+
+    for field, payload_value in payload.items():
+        # Early exit for efficiency
+        if is_schedule_update and is_details_update:
+            break
+
+        # Ignore unknown fields if needed
+        if field not in serializer.fields:
+            continue
+
+        current_value = getattr(course_details, field, None)
+
+        if field in date_fields:
+            # For date fields, we need to parse the payload value to compare it with the current value
+            try:
+                # Convert payload value to internal value for accurate comparison
+                # on date fields
+                if payload_value is not None:
+                    payload_value = serializer.fields[field].to_internal_value(payload_value)
+            except ValidationError as exc:
+                raise ValidationError(
+                    f"Invalid date format for field {field}: {payload_value}"
+                ) from exc
+
+        # Check schedule fields
+        if field in schedule_fields:
+            if is_schedule_update:
+                # Already classified as schedule update, no need to check again
+                continue
+            if payload_value != current_value:
+                is_schedule_update = True
+        else:
+            # Any non-schedule field counts as details update
+            if is_details_update:
+                # Already classified as details update, no need to check again
+                continue
+            if payload_value != current_value:
+                is_details_update = True
+
+    return is_schedule_update, is_details_update
+
+
 @view_auth_classes(is_authenticated=True)
 class CourseDetailsView(DeveloperErrorViewMixin, APIView):
     """
@@ -99,7 +175,12 @@ def get(self, request: Request, course_id: str):
         ```
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_read_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_VIEW_SCHEDULE_AND_DETAILS.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ
+        ):
             self.permission_denied(request)
 
         course_details = CourseDetails.fetch(course_key)
@@ -142,7 +223,26 @@ def put(self, request: Request, course_id: str):
         along with all the course's details similar to a ``GET`` request.
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_read_access(request.user, course_key):
+        is_schedule_update, is_details_update = _classify_update(request.data, course_key)
+
+        if not is_schedule_update and not is_details_update:
+            # No updatable fields provided in the request
+            is_details_update = True  # To trigger permission check and return 403 if user cannot edit details
+
+        if is_schedule_update and not user_has_course_permission(
+            request.user,
+            COURSES_EDIT_SCHEDULE.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ
+        ):
+            self.permission_denied(request)
+
+        if is_details_update and not user_has_course_permission(
+            request.user,
+            COURSES_EDIT_DETAILS.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ
+        ):
             self.permission_denied(request)
 
         course_block = modulestore().get_course(course_key)

cms/djangoapps/contentstore/rest_api/v1/views/settings.py

@@ -3,12 +3,14 @@
 import edx_api_doc_tools as apidocs
 from django.conf import settings
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import COURSES_VIEW_COURSE
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from common.djangoapps.student.auth import has_studio_read_access
 from lms.djangoapps.certificates.api import can_show_certificate_available_date_field
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
 from xmodule.modulestore.django import modulestore
 
@@ -99,7 +101,12 @@ def get(self, request: Request, course_id: str):
         ```
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_read_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_VIEW_COURSE.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ
+        ):
             self.permission_denied(request)
 
         with modulestore().bulk_operations(course_key):