feat: add PoC permission and role

[dwong2708]

Resolves: #203

As part of implementing PoC permissions and roles for the advanced settings section, this PR is intended to introduce only the definitions of the mentioned roles and permissions.

Merge checklist:
Check off if complete or not applicable:

• Version bumped
• Changelog record added
• Documentation updated (not only docstrings)
• Fixup commits are squashed away
• Unit tests added/updated
• Manual testing instructions provided
• Noted any: Concerns, dependencies, migration issues, deadlines, tickets

[openedx-webhooks]

Thanks for the pull request, @dwong2708!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[rodmgwgu]

Adding some initial comments, I'm still investigating the error you are seeing.

[wgu-taylor-payne]

I'm having some issues mounting this branch to my local dev environment. One issue was which app name for CourseOverview being used by default (content vs course_overviews), as I point out in the comments here. The other errors showing up I've documented in #215, which don't seem to be related to the changes you are introducing.

[dwong2708]

I'm having some issues mounting this branch to my local dev environment. One issue was which app name for CourseOverview being used by default (content vs course_overviews), as I point out in the comments here. The other errors showing up I've documented in #215, which don't seem to be related to the changes you are introducing.

Good catch, @wgu-taylor-payne. Those comments were very helpful — thanks!

[wgu-taylor-payne]

Okay, it looks like I found what triggered the errors I came across in #215 as it relates to the changes in this PR.

[wgu-taylor-payne]

Sorry to keep reviewing this in small pieces, but I'm wanting to bring up issues I'm running into while testing this branch locally on my machine.

One other general suggestion would be to look to see if we can add more tests for the common ways these new additions will be used. One example, for instance, is it would be nice to see course data used in the test_is_user_allowed test in the test_users.py module.

[wgu-taylor-payne]

ScopeMeta.get_subclass_by_external_key assumes what is before the first ':' is the namespace, so in our case, if we do something like ScopeData(external_key='course-v1:TestOrg+TestCourse+2024_T1'), ScopeMeta will assume that course-v1 is the namespace, but we set the namespace to be 'course', so it will fail to find this subclass. We will need to analyze how to handle this difference between course keys and library keys.

[dwong2708]

I think we could explore using the course-v1 namespace. That would mean creating a new scope for each new version, which actually sounds reasonable to me.
Otherwise, we’d need to handle versioning within our Scope model.
I updated the tests to use course-v1, and if that approach looks good to you, we can keep it that way.
What do you think? @rodmgwgu @wgu-taylor-payne @bmtcril

[bmtcril]

Yes that makes sense to me, and I think is what we were planning on. Given the way different opaque keys work it makes scoping by the different types easier. I think you'll need to change it at line 483 here too?

[dwong2708]

Correct. However, on second thought, there could be side effects depending on what we want. I’d like to ask:

What should the expected namespaced_key be?

A) course^course-v1:TestOrg+TestCourse+2024_T1

Implications:

• Update get_subclass_by_external_key to retrieve it based on the ScopeModel namespace instead of the - ScopeData namespace (somehow).
• The policy remains as is:
  p, role^course_staff, act^courses.manage_advanced_settings, course^*, allow

B) course-v1^course-v1:TestOrg+TestCourse+2024_T1
Implications:

• Keep get_subclass_by_external_key as is.
• Update the policy to:
  p, role^course_staff, act^courses.manage_advanced_settings, course-v1^*, allow

What do you think is the better option?

[rodmgwgu]

I think both should match course-v1 so it should be like course-v1^course-v1:TestOrg+TestCourse+2024_T1.

If we are all aligned with this, I'll also change this on my frontend PR, where I'm referring to these permissions.

[bmtcril]

Yeah I agree with @rodmgwgu

[dwong2708]

Changes applied. Thanks.

[dwong2708]

FYI: With option B, I had to update the policy to p, role^course_staff, act^courses.manage_advanced_settings, course-v1^*, allow

[bmtcril]

This looks good to me, is there a companion edx-platform PR that's testing this in-context yet?

[dwong2708]

Sorry to keep reviewing this in small pieces, but I'm wanting to bring up issues I'm running into while testing this branch locally on my machine.

One other general suggestion would be to look to see if we can add more tests for the common ways these new additions will be used. One example, for instance, is it would be nice to see course data used in the test_is_user_allowed test in the test_users.py module.

No worries. I expected this flow to happen while you were testing, which is good. I’ve updated test_is_user_allowed to account for the new permission. Thank you

[rodmgwgu]

Tested in my local, it's looking good, thanks!

[wgu-taylor-payne]

The changelog needs to be updated, but other than that this looks good to go.