feat: return 403 with descriptive error for catalog visibility restricted courses

[Anas12091101]

Description

Description

When a course has its catalog_visibility set to "none", non-staff users attempting to access it via the Learning MFE receive a generic "Course not found" 404 error, which provides no useful information about why access was denied. This change introduces a new CatalogVisibilityError access response type and ensures it propagates through the access control chain, so the API returns a 403 with a meaningful message instead.

The core of the fix is in the access control layer. The _has_catalog_visibility() helper now returns a typed CatalogVisibilityError instead of a bare ACCESS_DENIED. The can_see_about_page() and can_see_in_catalog() functions were restructured to preserve this typed error through their logic (the previous or-chain pattern would discard it). A new handler in check_course_access_with_redirect catches CatalogVisibilityError and raises a CourseAccessRedirect with the error attached.

On the API side, CourseHomeMetadataView now catches CourseAccessRedirect exceptions from course_detail() and converts them into a DRF PermissionDenied response (HTTP 403), including the user_message and error_code from the access error. This allows frontend clients to display a descriptive message like "This course is not currently accessible. The course team has restricted access to this content." instead of a confusing "Course not found" error.

Useful information to include:

• Which edX user roles will this change impact? Learners, Course Authors
• Include screenshots for changes to the UI (ideally, both "before" and "after" screenshots, if applicable).

Before

After

• Provide links to the description of corresponding configuration changes. Remember to correctly annotate these
  changes.

Supporting information

Learning MFE PR: openedx/frontend-app-learning#1871

Testing Instructions

1. Checkout to this learning MFE branch: https://github.com/mitodl/frontend-app-learning/tree/anas/display-detailed-error-message
2. Ensure COURSE_ABOUT_VISIBILITY_PERMISSION = 'see_about_page' is set in your LMS settings.
3. In Studio (Authoring MFE), open a course and go to Settings > Advanced Settings.
4. Find the Course visibility In catalog field and set it to "none". Save.
5. Log in as a non-staff user (or use an incognito window with a learner account).
6. Navigate to the course in the Learning MFE, e.g. http://local.openedx.io:8000/learning/course/course-v1:Org+Course+Run/home.
7. Alternatively, hit the API directly: GET /api/course_home/course_metadata/course-v1:Org+Course+Run.

Expected (after this change):

• The API returns HTTP 403 with a JSON body containing:
  • "detail": "This course is not currently accessible. The course team has restricted access to this content. Please contact the course team for further assistance."
  • "error_code": "not_visible_in_catalog"

Expected (before this change):

• The API returned HTTP 404 with "detail": "Course not found.".

7. Log in as a staff/admin user and repeat step 4 or 5.

   • The course should load normally (HTTP 200) — staff access bypasses catalog visibility restrictions.

8. Set Course Visibility In Catalog back to "both" and verify the course loads normally for all users.

Deadline

"None"

Other information

Include anything else that will help reviewers and consumers understand the change.

• Does this change depend on other changes elsewhere?
• Any special concerns or limitations? For example: deprecations, migrations, security, or accessibility.
• If your database migration can't be rolled back easily.

[openedx-webhooks]

Thanks for the pull request, @Anas12091101!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[ormsbee]

Minor questions and request. Thank you!

[ormsbee]

[Question]: Why is this import local to the function?

[Anas12091101]

Moved it to the top in 2d02a9e

[ormsbee]

[Question]: What kinds of values can visibility_type be?

[Anas12091101]

_has_catalog_visibility is only ever called with "both" or "about", never "none". When catalog_visibility="none", neither check matches, so CatalogVisibilityError is returned implicitly.

[ormsbee]

Please put a comment here to explain why this isn't equivalent to returning ACCESS_DENIED (like you did with can_see_about_page().