feat: enforce authz permissions for Pages & Resources endpoints

Co-authored-by: Kiro <kiro@amazon.com>

Author: wgu-taylor-payne

cms/djangoapps/contentstore/rest_api/v0/tests/test_tabs_permissions.py

@@ -0,0 +1,109 @@
+"""
+Integration tests verifying authz permissions for v0 tabs REST API views.
+"""
+from urllib.parse import urlencode
+
+from django.urls import reverse
+from openedx_authz.constants.roles import COURSE_AUDITOR, COURSE_LIMITED_STAFF, COURSE_STAFF
+from rest_framework.test import APIClient
+
+from cms.djangoapps.contentstore.tests.utils import CourseTestCase
+from common.djangoapps.student.tests.factories import UserFactory
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthoringAuthzTestMixin
+
+
+class TabsV0AuthzTest(CourseAuthoringAuthzTestMixin, CourseTestCase):
+    """
+    Integration tests for v0 tabs API authz permissions.
+    """
+
+    def setUp(self):
+        super().setUp()
+        self.list_url = reverse(
+            'cms.djangoapps.contentstore:v0:course_tab_list',
+            kwargs={'course_id': self.course.id},
+        )
+        self.settings_url = reverse(
+            'cms.djangoapps.contentstore:v0:course_tab_settings',
+            kwargs={'course_id': self.course.id},
+        )
+        self.reorder_url = reverse(
+            'cms.djangoapps.contentstore:v0:course_tab_reorder',
+            kwargs={'course_id': self.course.id},
+        )
+
+    # --- CourseTabListView (GET) - requires courses.view_pages_and_resources ---
+
+    def test_staff_can_list_tabs(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.list_url)
+        assert resp.status_code == 200
+
+    def test_auditor_can_list_tabs(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_AUDITOR.external_key, self.course.id)
+        resp = self.authorized_client.get(self.list_url)
+        assert resp.status_code == 200
+
+    def test_limited_staff_cannot_list_tabs(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_LIMITED_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.list_url)
+        assert resp.status_code == 403
+
+    def test_unauthorized_cannot_list_tabs(self):
+        resp = self.unauthorized_client.get(self.list_url)
+        assert resp.status_code == 403
+
+    # --- CourseTabSettingsView (POST) - requires courses.manage_pages_and_resources ---
+
+    def test_staff_can_update_tab_settings(self):
+        """Asserts not-403 rather than 200 because the minimal payload may fail validation."""
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.post(
+            f'{self.settings_url}?{urlencode({"tab_id": "wiki"})}',
+            data={'is_hidden': True},
+            format='json',
+        )
+        assert resp.status_code != 403
+
+    def test_auditor_cannot_update_tab_settings(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_AUDITOR.external_key, self.course.id)
+        resp = self.authorized_client.post(
+            f'{self.settings_url}?{urlencode({"tab_id": "wiki"})}',
+            data={'is_hidden': True},
+            format='json',
+        )
+        assert resp.status_code == 403
+
+    def test_unauthorized_cannot_update_tab_settings(self):
+        resp = self.unauthorized_client.post(
+            f'{self.settings_url}?{urlencode({"tab_id": "wiki"})}',
+            data={'is_hidden': True},
+            format='json',
+        )
+        assert resp.status_code == 403
+
+    # --- CourseTabReorderView (POST) - requires courses.manage_pages_and_resources ---
+
+    def test_staff_can_reorder_tabs(self):
+        """Asserts not-403 rather than 200 because the empty tab list may fail validation."""
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.post(self.reorder_url, data=[], format='json')
+        assert resp.status_code != 403
+
+    def test_auditor_cannot_reorder_tabs(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_AUDITOR.external_key, self.course.id)
+        resp = self.authorized_client.post(self.reorder_url, data=[], format='json')
+        assert resp.status_code == 403
+
+    def test_unauthorized_cannot_reorder_tabs(self):
+        resp = self.unauthorized_client.post(self.reorder_url, data=[], format='json')
+        assert resp.status_code == 403
+
+    # --- Superuser bypass ---
+
+    def test_superuser_can_list_tabs(self):
+        superuser = UserFactory(is_superuser=True)
+        client = APIClient()
+        client.force_authenticate(user=superuser)
+        resp = client.get(self.list_url)
+        assert resp.status_code == 200

cms/djangoapps/contentstore/rest_api/v0/views/tabs.py

@@ -3,12 +3,17 @@
 import edx_api_doc_tools as apidocs
 from django.utils.translation import gettext_lazy as _
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import (
+    COURSES_MANAGE_PAGES_AND_RESOURCES,
+    COURSES_VIEW_PAGES_AND_RESOURCES,
+)
 from rest_framework import status
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from common.djangoapps.student.auth import has_studio_read_access, has_studio_write_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
 from xmodule.modulestore.django import modulestore
 from xmodule.modulestore.exceptions import ItemNotFoundError
@@ -79,7 +84,12 @@ def get(self, request: Request, course_id: str) -> Response:
         ```
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_read_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_VIEW_PAGES_AND_RESOURCES.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ,
+        ):
             self.permission_denied(request)
 
         course_block = modulestore().get_course(course_key)
@@ -150,7 +160,12 @@ def post(self, request: Request, course_id: str) -> Response:
         without any content.
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_write_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_MANAGE_PAGES_AND_RESOURCES.identifier,
+            course_key,
+            LegacyAuthoringPermission.WRITE,
+        ):
             self.permission_denied(request)
 
         tab_id_locator = TabIDLocatorSerializer(data=request.query_params)
@@ -222,7 +237,12 @@ def post(self, request: Request, course_id: str) -> Response:
         without any content.
         """
         course_key = CourseKey.from_string(course_id)
-        if not has_studio_write_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_MANAGE_PAGES_AND_RESOURCES.identifier,
+            course_key,
+            LegacyAuthoringPermission.WRITE,
+        ):
             self.permission_denied(request)
 
         course_block = modulestore().get_course(course_key)

cms/djangoapps/contentstore/rest_api/v1/views/tests/test_textbooks.py

@@ -2,9 +2,12 @@
 Unit tests for the course's textbooks.
 """
 from django.urls import reverse
-from rest_framework import status
+from openedx_authz.constants.roles import COURSE_AUDITOR, COURSE_LIMITED_STAFF, COURSE_STAFF
+from rest_framework.test import APIClient
 
 from cms.djangoapps.contentstore.tests.utils import CourseTestCase
+from common.djangoapps.student.tests.factories import UserFactory
+from openedx.core.djangoapps.authz.tests.mixins import CourseAuthoringAuthzTestMixin
 
 from ...mixins import PermissionAccessMixin
 
@@ -39,5 +42,44 @@ def test_success_response(self):
         self.save_course()
 
         response = self.client.get(self.url)
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, 200)
         self.assertEqual(response.data["textbooks"], expected_textbook)
+
+
+class CourseTextbooksAuthzTest(CourseAuthoringAuthzTestMixin, CourseTestCase):
+    """
+    Integration tests for CourseTextbooksView authz permissions.
+    """
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            "cms.djangoapps.contentstore:v1:textbooks",
+            kwargs={"course_id": self.course.id},
+        )
+
+    def test_staff_can_view_textbooks(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        assert resp.status_code == 200
+
+    def test_auditor_can_view_textbooks(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_AUDITOR.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        assert resp.status_code == 200
+
+    def test_limited_staff_cannot_view_textbooks(self):
+        self.add_user_to_role_in_course(self.authorized_user, COURSE_LIMITED_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        assert resp.status_code == 403
+
+    def test_unauthorized_cannot_view_textbooks(self):
+        resp = self.unauthorized_client.get(self.url)
+        assert resp.status_code == 403
+
+    def test_superuser_can_view_textbooks(self):
+        superuser = UserFactory(is_superuser=True)
+        client = APIClient()
+        client.force_authenticate(user=superuser)
+        resp = client.get(self.url)
+        assert resp.status_code == 200

cms/djangoapps/contentstore/rest_api/v1/views/textbooks.py

@@ -2,13 +2,15 @@
 
 import edx_api_doc_tools as apidocs
 from opaque_keys.edx.keys import CourseKey
+from openedx_authz.constants.permissions import COURSES_VIEW_PAGES_AND_RESOURCES
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from cms.djangoapps.contentstore.rest_api.v1.serializers import CourseTextbooksSerializer
 from cms.djangoapps.contentstore.utils import get_textbooks_context
-from common.djangoapps.student.auth import has_studio_read_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.lib.api.view_utils import DeveloperErrorViewMixin, verify_course_exists, view_auth_classes
 from xmodule.modulestore.django import modulestore
 
@@ -74,7 +76,12 @@ def get(self, request: Request, course_id: str):
         course_key = CourseKey.from_string(course_id)
         store = modulestore()
 
-        if not has_studio_read_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_VIEW_PAGES_AND_RESOURCES.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ,
+        ):
             self.permission_denied(request)
 
         with store.bulk_operations(course_key):

cms/djangoapps/contentstore/views/course.py

@@ -33,8 +33,10 @@
 from openedx_authz.constants.permissions import (
     COURSES_MANAGE_COURSE_UPDATES,
     COURSES_MANAGE_GROUP_CONFIGURATIONS,
+    COURSES_MANAGE_PAGES_AND_RESOURCES,
     COURSES_VIEW_COURSE,
     COURSES_VIEW_COURSE_UPDATES,
+    COURSES_VIEW_PAGES_AND_RESOURCES,
 )
 from organizations.api import add_organization_course, ensure_organization
 from organizations.exceptions import InvalidOrganizationException
@@ -1653,16 +1655,23 @@ def textbooks_list_handler(request, course_key_string):
     """
     course_key = CourseKey.from_string(course_key_string)
     if "application/json" not in request.META.get('HTTP_ACCEPT', 'text/html'):
-        # return HTML page
-        # We don't need to do an access check here because
-        # that is done when the endpoint for the actual content of the page.
-        # This is just to handle redirecting anyone that has bookmarked the old
-        # textbooks page.
+        # Legacy HTML bookmark redirect — no data is exposed here.
+        # Access is enforced when the MFE fetches data from the textbooks API.
         return redirect(get_textbooks_url(course_key))
 
+    if request.method == 'GET':
+        authz_perm = COURSES_VIEW_PAGES_AND_RESOURCES.identifier
+        legacy_perm = LegacyAuthoringPermission.READ
+    else:
+        authz_perm = COURSES_MANAGE_PAGES_AND_RESOURCES.identifier
+        legacy_perm = LegacyAuthoringPermission.WRITE
+
+    if not user_has_course_permission(request.user, authz_perm, course_key, legacy_perm):
+        raise PermissionDenied()
+
     store = modulestore()
     with store.bulk_operations(course_key):
-        course = get_course_and_check_access(course_key, request.user)
+        course = _get_course_block(course_key)
 
         # from here on down, we know the client has requested JSON
         if request.method == 'GET':
@@ -1725,9 +1734,20 @@ def textbooks_detail_handler(request, course_key_string, textbook_id):
         json: remove textbook
     """
     course_key = CourseKey.from_string(course_key_string)
+
+    if request.method == 'GET':
+        authz_perm = COURSES_VIEW_PAGES_AND_RESOURCES.identifier
+        legacy_perm = LegacyAuthoringPermission.READ
+    else:
+        authz_perm = COURSES_MANAGE_PAGES_AND_RESOURCES.identifier
+        legacy_perm = LegacyAuthoringPermission.WRITE
+
+    if not user_has_course_permission(request.user, authz_perm, course_key, legacy_perm):
+        raise PermissionDenied()
+
     store = modulestore()
     with store.bulk_operations(course_key):
-        course_block = get_course_and_check_access(course_key, request.user)
+        course_block = _get_course_block(course_key)
         matching_id = [tb for tb in course_block.pdf_textbooks
                        if str(tb.get("id")) == str(textbook_id)]
         if matching_id: