feat: add AuthZ permissions to course creation and outline

[dwong2708]

Description

Resolves: #38129

This PR introduces new AuthZ permissions for the course list and related course endpoints, aligning them with the course-v1:* permission model.

It ensures that course visibility and creation are consistently enforced using the new authorization system.

Permissions Implemented

The following endpoints were updated to use AuthZ permissions:

Course creation

POST /course/ → courses.create_course
Uses Org-scoped authorization, since the course does not yet exist at creation time.

Course read / visibility

The following endpoints now require courses.view_course:

• GET /api/courses/v1/courses/<course_id>
• GET /api/contentstore/v1/course_index/<course_id>
• GET /api/contentstore/v2/downstreams/<course_id>/summary
• GET /api/courses/v1/migrate_legacy_content_blocks/<course_id>

Excluded Endpoint

The following endpoint was intentionally not updated:

• GET /api/content_tagging/v1/object_tag_counts/<course_id>/

Reason:

• It belongs to an external app (openedx-tagging)
• It does not currently implement legacy permissions
• Modifying it would require changes outside openedx-platform

Testing instructions

Added/updated tests to validate:

• Authorized users can access course data
• Unauthorized users receive appropriate errors (e.g., 403)
• Course creation respects Org-level permissions

Deadline

Verawood

[openedx-webhooks]

Thanks for the pull request, @dwong2708!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

🔘 Update the status of your PR

Your PR is currently marked as a draft. After completing the steps above, update its status by clicking "Ready for Review", or removing "WIP" from the title, as appropriate.

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[Copilot]

Pull request overview

This PR adds AuthZ (openedx-authz) permission enforcement for course authoring/course-visibility-related endpoints (course detail, outline/course index, downstream summary, and legacy content migration), plus new/updated tests and test utilities to validate the new behavior behind the course-authoring AuthZ feature flag.

Changes:

• Enforce courses.view_course checks (with legacy fallbacks where applicable) for several course authoring/read endpoints.
• Add an AuthZ-aware course creation permission helper and integration/unit tests for the updated authorization paths.
• Expand AuthZ test mixins to include staff and superuser clients for repeated use in endpoint tests.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
openedx/core/djangoapps/authz/tests/mixins.py	Extends AuthZ test mixin with staff/superuser users and API clients.
lms/djangoapps/courseware/courses.py	Adjusts course access flow when AuthZ authoring is enabled (staff-bypass behavior changes).
lms/djangoapps/courseware/access.py	Updates see_about_page access logic to use AuthZ permission checks under the flag.
lms/djangoapps/course_api/tests/test_api.py	Adds AuthZ-focused tests for course_detail and related access behavior.
common/djangoapps/student/auth.py	Introduces AuthZ-backed is_content_creator check for course creation.
cms/djangoapps/contentstore/tests/test_course_create_rerun.py	Adds AuthZ integration tests for course creation via course_handler.
cms/djangoapps/contentstore/rest_api/v2/views/downstreams.py	Enforces courses.view_course AuthZ permission for downstream summary endpoint.
cms/djangoapps/contentstore/rest_api/v2/views/tests/test_downstreams.py	Adds AuthZ tests for downstream summary endpoint access control.
cms/djangoapps/contentstore/rest_api/v1/views/course_index.py	Enforces courses.view_course AuthZ permission for course outline (course index) endpoint.
cms/djangoapps/contentstore/rest_api/v1/views/tests/test_course_index.py	Adds AuthZ tests for course index access control.
cms/djangoapps/contentstore/api/views/course_validation.py	Moves migrate-legacy-content list endpoint to AuthZ permission decorator and adds DeveloperError mixin.
cms/djangoapps/contentstore/api/tests/test_validation.py	Updates/extends tests for migrate-legacy-content endpoint authorization under AuthZ.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The AuthZ toggle branch has inconsistent indentation (extra leading space) compared to the surrounding block. This makes the code harder to read and may trip style/lint checks; align the comment and return indentation with the if core_toggles... block’s standard 4-space indentation level.

Suggested change

	# If AuthZ is enabled for this course, it checks already
	# permissions for staff.
	return non_staff_access_response
	# If AuthZ is enabled for this course, it checks already
	# permissions for staff.
	return non_staff_access_response

[Copilot]

When AuthZ is enabled, can_see_about_page returns a plain ACCESS_DENIED for unauthorized users instead of returning the typed CatalogVisibilityError that the legacy path returns. This removes the ability for downstream handlers to show the existing meaningful “not visible in catalog” error message for logged-in users under the flag.

Suggested change

	return ACCESS_GRANTED if is_authz_allowed else ACCESS_DENIED
	if is_authz_allowed:
	return ACCESS_GRANTED
	# Preserve the legacy typed CatalogVisibilityError response for denied users
	# so downstream handlers can continue showing the existing meaningful message.
	return legacy_can_see_about_page()

[Copilot]

This AuthZ branch for course creation does not preserve the legacy GlobalStaff/staff bypass: user_has_role grants Django staff users access, but _has_content_creator_access only checks authz_api.is_user_allowed(...). If AuthZ is enabled without explicit role assignment, Django staff/superusers may lose the ability to create/rerun courses.

[Copilot]

_has_content_creator_access is used for course creation but checks COURSES_EDIT_COURSE_CONTENT. This appears inconsistent with the PR’s stated permission model (courses.create_course) and makes it unclear which permission is actually required to create a course. Consider using the dedicated create-course permission constant (or renaming the helper to reflect that it is checking edit-content permission).

[Copilot]

The test docstring says “Staff user can create course”, but the assertion expects a 403. Either the expected behavior or the docstring/test name should be updated so the test intent matches the assertion (and aligns with the rest of the AuthZ tests that treat staff/superusers as elevated users).

[Copilot]

CourseAuthoringAuthzTestMixin.setUp() already creates self.authorized_user, self.unauthorized_user, and self.staff_user for each test. The additional user objects created in this class’s setUpClass() are unused (they’re overwritten in setUp()), which adds unnecessary DB setup and makes it harder to understand which users are actually used in assertions.

Suggested change

	cls.authorized_user = cls.create_user('authorized', is_staff=False)
	cls.unauthorized_user = cls.create_user('unauthorized', is_staff=False)
	cls.staff_user = cls.create_user('staff', is_staff=True)