Skip to content

feat: make scope optional for user action validation#348

Merged
MaferMazu merged 2 commits into
openedx:mainfrom
eduNEXT:dcoa/action-val
Jun 30, 2026
Merged

feat: make scope optional for user action validation#348
MaferMazu merged 2 commits into
openedx:mainfrom
eduNEXT:dcoa/action-val

Conversation

@dcoa

@dcoa dcoa commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Description

The current PR adds the ability to validate whether the authenticated user holds a permission in any scope.

Changes

API layer (openedx_authz/api/users.py)

  • New is_user_allowed_in_any_scope(user_external_key, action_external_key): returns True for staff/superusers, otherwise True if the user holds the permission in at least one scope.

REST API (openedx_authz/rest_api/v1/)

  • POST /api/authz/v1/permissions/validate/me scope is now optional per permission object:
    • With scope: existing behavior (is_user_allowed); the response echoes scope.
    • Without scope: new any-scope check (is_user_allowed_in_any_scope); the response omits scope.
  • Serializer: scope made optional; response drops the scope key when none was provided.

Context

This supports the Admin Console's Roles and Permissions Management view, where the Assign Role button should only render when the user has at least one permission to manage library or course roles; a check that isn't tied to a single scope.

It follows the proposal in openedx/wg-build-test-release#603

Testing instructions

  1. As a non-staff user with a library_user (or any) role in a single scope, POST to /api/authz/v1/permissions/validate/me with scope-less items and confirm allowed reflects whether the user holds each action in any scope.
  2. Repeat with scope included and confirm unchanged behavior.
  3. As a staff/superuser, confirm all scope-less actions return allowed: true.

Merge checklist:
Check off if complete or not applicable:

  • Version bumped
  • Changelog record added
  • Documentation updated (not only docstrings)
  • Fixup commits are squashed away
  • Unit tests added/updated
  • Manual testing instructions provided
  • Noted any: Concerns, dependencies, migration issues, deadlines, tickets

AI use acknowledgement
Supported by Claude Code

@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Jun 29, 2026
@openedx-webhooks

openedx-webhooks commented Jun 29, 2026

Copy link
Copy Markdown

Thanks for the pull request, @dcoa!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@github-project-automation github-project-automation Bot moved this to Needs Triage in Contributions Jun 29, 2026
@dcoa dcoa changed the title make scope optional for action validation feat: allow validate actions without scope Jun 29, 2026
@dcoa dcoa force-pushed the dcoa/action-val branch 2 times, most recently from f8ae234 to c131225 Compare June 29, 2026 11:27
@dcoa dcoa changed the title feat: allow validate actions without scope feat: make scope optional for user action validation Jun 29, 2026
@dcoa dcoa requested a review from BryanttV June 30, 2026 00:34
@dcoa dcoa marked this pull request as ready for review June 30, 2026 00:37
@dcoa dcoa requested a review from mariajgrimaldi June 30, 2026 00:40

@BryanttV BryanttV left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this, @dcoa. The code looks good. I'm going to test the changes on my local.

For now, could we add the changelog entry and bump the version?

@BryanttV BryanttV left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested this locally and it works as expected! Just a few minor comments. Thanks!

scope; when omitted, the permission is validated across any scope.
"""

scope = serializers.CharField(max_length=255, required=False, allow_null=True)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
scope = serializers.CharField(max_length=255, required=False, allow_null=True)
scope = serializers.CharField(max_length=255, required=False)

Comment on lines +81 to +86
def to_representation(self, instance: dict) -> dict:
"""Serialize the result, omitting ``scope`` when the request had no scope."""
representation = super().to_representation(instance)
if instance.get("scope") is None:
representation.pop("scope", None)
return representation

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without the allow_null this override is not necessary.

("nonexistent_user", permissions.MANAGE_LIBRARY_TEAM.identifier, False),
)
@unpack
def test_is_user_allowed_in_any_scope(self, username, action, expected_result):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we also add test cases for course permissions?

Comment thread openedx_authz/tests/api/test_users.py Outdated
)
self.assertEqual(result, expected_result)

def test_is_user_allowed_in_any_scope_staff_always_allowed(self):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a test case for is_superuser=True?

@dcoa dcoa force-pushed the dcoa/action-val branch from c131225 to 5b6628a Compare June 30, 2026 22:43
@dcoa dcoa force-pushed the dcoa/action-val branch from 5b6628a to 78f034b Compare June 30, 2026 22:49
@dcoa dcoa requested a review from BryanttV June 30, 2026 22:56
@dcoa

dcoa commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

@BryanttV thank you for the feedback, I addressed your comments.

@BryanttV BryanttV left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@MaferMazu MaferMazu left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me too. Thanks @dcoa

@MaferMazu MaferMazu merged commit 16efed8 into openedx:main Jun 30, 2026
8 checks passed
@github-project-automation github-project-automation Bot moved this from Needs Triage to Done in Contributions Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). open-source-contribution PR author is not from Axim or 2U

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

[Test failure] TC-00396: Add New Role action is visible only to users with manage team permission (library)

4 participants