feat: implement schedule and details permissions

[bra-i-am]

Description

Implements fine-grained authorization for the Schedule & Details page using the existing authz module. Three new permission constants are introduced:

• courses.view_schedule_and_details — gates access to the entire page
• courses.edit_schedule — controls whether date fields (start/end/enrollment dates) are editable
• courses.edit_details — controls whether all other fields (pacing, language, description, images, instructors, license, etc.) are editable

How it behaves:

• If the user lacks view_schedule_and_details, a PermissionDeniedAlert is rendered instead of the page.
• If the user lacks edit_schedule, all date inputs in the Schedule section are rendered as read-only.
• If the user lacks edit_details, all remaining inputs (pacing radios, language dropdown, WYSIWYG editors, image uploads, instructor fields, learning outcomes, license selector, requirements) are disabled.
• The Save button is disabled when the user has neither edit permission.

Impacted roles: Course Authors and Operators. Learners are unaffected.

Two generic components were extended to support a disabled prop: WysiwygEditor and CourseUploadImage.

Supporting information

• Resolves Task - RBAC Authz - Implement frontend check for Settings -> Schedule & details permissions #2935
• Follows the same pattern established for Grading Settings permissions (see src/authz/).
• No new Redux state was added; permissions are fetched via useCourseUserPermissions.

Testing instructions

1. Enable the enable_authz_course_authoring waffle flag for your test user/course.
2. Open the Schedule & Details page for a course.
3. View permission denied: Remove courses.view_schedule_and_details from the user's permissions → the page should show the permission denied alert instead of the form.
4. Edit schedule denied: Keep view permission, remove courses.edit_schedule → all date inputs (Start Date, End Date, Enrollment Start, Enrollment End) should be read-only; details fields remain editable.
5. Edit details denied: Keep view and edit_schedule permissions, remove courses.edit_details → pacing radios, language dropdown, description fields, image uploads, instructor fields, learning outcomes, license buttons, and requirements fields should all be disabled; date fields remain editable.
6. No edit permissions: Remove both edit permissions → Save button should never appear (no dirty state can be produced).
7. Waffle flag off: Disable enable_authz_course_authoring → page should render and behave exactly as before (no regression).

Other information

• This change does not depend on backend changes beyond what is already in place for the authz module.
• The upgradeDeadline field remains always read-only regardless of permissions (it is platform-managed and not user-editable).
• No new i18n messages were added.
• WysiwygEditor and CourseUploadImage are generic components — the new disabled prop is backward-compatible with a false default.

Best Practices Checklist

• Any new files are using TypeScript (.ts, .tsx).
• Avoid propTypes and defaultProps in any new or modified code.
• Tests should use the helpers in src/testUtils.tsx (specifically initializeMocks)
• Do not add new fields to the Redux state/store. Use React Context to share state among multiple components.
• Use React Query to load data from REST APIs. See any apiHooks.ts in this repo for examples.
• All new i18n messages in messages.ts files have a description for translators to use.
• Avoid using ../ in import paths. To import from parent folders, use @src, e.g. import { initializeMocks } from '@src/testUtils'; instead of from '../../../../testUtils'

[openedx-webhooks]

Thanks for the pull request, @bra-i-am!

This repository is currently maintained by @bradenmacdonald.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.53%. Comparing base (da4e81b) to head (080608c).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2991      +/-   ##
==========================================
+ Coverage   95.52%   95.53%   +0.01%     
==========================================
  Files        1392     1393       +1     
  Lines       32911    33009      +98     
  Branches     7340     7662     +322     
==========================================
+ Hits        31437    31535      +98     
+ Misses       1419     1406      -13     
- Partials       55       68      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bradenmacdonald]

The code looks good to me. ✅ Please get someone from the RBAC project to test this and verify it's working correctly, then I'll merge it.

[dcoa]

It works, I left a video with the testing

Screencast.from.2026-05-09.11-20-17.webm

Mi only comment is if we can verify "courses.view_schedule_and_details" on the header rendering and removed for the course navigation, you just need to add the validation here (you can follow canAccessAdvancedSettings example):

frontend-app-authoring/src/header/hooks.tsx

Lines 60 to 122 in 0188698

	export const useSettingMenuItems = (courseId: string) => {
	const intl = useIntl();
	const { canAccessAdvancedSettings: legacyCanAccessAdvancedSettings } = useSelector(getStudioHomeData);
	const waffleFlags = useWaffleFlags(courseId);
	/*
	AuthZ for Course Authoring
	If authz.enable_course_authoring flag is enabled, validate permissions using AuthZ API.
	Otherwise, fallback to existing logic.
	*/
	const isAuthzEnabled = waffleFlags.enableAuthzCourseAuthoring;
	const { isLoading: isLoadingUserPermissions, data: userPermissions } = useUserPermissions({
	canManageAdvancedSettings: {
	action: COURSE_PERMISSIONS.MANAGE_ADVANCED_SETTINGS,
	scope: courseId,
	},
	}, isAuthzEnabled);
	const authzCanManageAdvancedSettings = isLoadingUserPermissions
	? false
	: userPermissions?.canManageAdvancedSettings || false;
	const canAccessAdvancedSettings = isAuthzEnabled
	? authzCanManageAdvancedSettings
	: legacyCanAccessAdvancedSettings;
	const items = [
	{
	href: `/course/${courseId}/settings/details`,
	title: intl.formatMessage(messages['header.links.scheduleAndDetails']),
	},
	{
	href: `/course/${courseId}/settings/grading`,
	title: intl.formatMessage(messages['header.links.grading']),
	},
	...(isAuthzEnabled
	? [{
	href: `${getConfig().ADMIN_CONSOLE_URL}/authz?scope=${encodeURIComponent(courseId)}`,
	title: intl.formatMessage(messages['header.links.roles.permissions']),
	}]
	: [{
	href: `/course/${courseId}/course_team`,
	title: intl.formatMessage(messages['header.links.courseTeam']),
	}]),
	{
	href: `/course/${courseId}/group_configurations`,
	title: intl.formatMessage(messages['header.links.groupConfigurations']),
	},
	...(canAccessAdvancedSettings
	? [{
	href: `/course/${courseId}/settings/advanced`,
	title: intl.formatMessage(messages['header.links.advancedSettings']),
	}] :
	[]),
	];
	if (getConfig().ENABLE_CERTIFICATE_PAGE === 'true' || waffleFlags.useNewCertificatesPage) {
	items.push({
	href: `/course/${courseId}/certificates`,
	title: intl.formatMessage(messages['header.links.certificates']),
	});
	}
	return items;
	};

Also and just a small comment here, despite we agreed to do this same change for grading was not implemented so it could worth to include it as part of this scope.

@bradenmacdonald

[bra-i-am]

@dcoa, thank you for reviewing this. I just made some changes addressing the thing with the navigation button; here are the changes: 080608c

I only applied the changes related to Schedule and Details and Grading; the Advanced Settings related changes were applied in the other PR cfc7598. Is it fine, or should I move the Grading thing to the other PR?

[MaferMazu]

I tested it in my local env, and it worked as expected! Thanks @bra-i-am ✨

[bradenmacdonald]

Thanks @dcoa and @MaferMazu ! Is this ready for merge?

[dcoa]

@bradenmacdonald ready for merge 👍