feat: add authz permission for certificates

cms/djangoapps/contentstore/rest_api/v1/views/certificates.py

@@ -6,11 +6,14 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from openedx_authz.constants.permissions import COURSES_MANAGE_CERTIFICATES
+
 from cms.djangoapps.contentstore.utils import get_certificates_context
 from cms.djangoapps.contentstore.rest_api.v1.serializers import (
     CourseCertificatesSerializer,
 )
-from common.djangoapps.student.auth import has_studio_write_access
+from openedx.core.djangoapps.authz.constants import LegacyAuthoringPermission
+from openedx.core.djangoapps.authz.decorators import user_has_course_permission
 from openedx.core.lib.api.view_utils import (
     DeveloperErrorViewMixin,
     verify_course_exists,
@@ -96,7 +99,12 @@ def get(self, request: Request, course_id: str):
         course_key = CourseKey.from_string(course_id)
         store = modulestore()
 
-        if not has_studio_write_access(request.user, course_key):
+        if not user_has_course_permission(
+            request.user,
+            COURSES_MANAGE_CERTIFICATES.identifier,
+            course_key,
+            LegacyAuthoringPermission.READ
+        ):
             self.permission_denied(request)
 
         with store.bulk_operations(course_key):

cms/djangoapps/contentstore/rest_api/v1/views/tests/test_certificates.py

@@ -4,8 +4,11 @@
 from django.urls import reverse
 from rest_framework import status
 
+from openedx_authz.constants.roles import COURSE_STAFF, COURSE_EDITOR
+
 from cms.djangoapps.contentstore.tests.utils import CourseTestCase
 from cms.djangoapps.contentstore.views.tests.test_certificates import HelperMethods
+from openedx.core.djangoapps.authz.tests.mixins import AuthzTestMixin
 
 from ...mixins import PermissionAccessMixin
 
@@ -36,3 +39,33 @@ def test_success_response(self):
         self.assertEqual(response_data["course_number_override"], self.course.display_coursenumber)
         self.assertEqual(response_data["course_title"], self.course.display_name_with_default)
         self.assertEqual(response_data["course_number"], self.course.number)
+
+
+class CourseCertificatesAuthzViewTest(AuthzTestMixin, CourseTestCase, PermissionAccessMixin, HelperMethods):
+    """
+    Tests for CourseCertificatesView with AuthZ enabled.
+    """
+
+    def setUp(self):
+        super().setUp()
+        self.url = reverse(
+            "cms.djangoapps.contentstore:v1:certificates",
+            kwargs={"course_id": self.course.id},
+        )
+
+    def test_authorized_user_can_access(self):
+        """User with COURSE_STAFF role can access."""
+        self._add_course_certificates(count=2, signatory_count=2)
+        self.add_user_to_role(self.authorized_user, COURSE_STAFF.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+    def test_non_staff_user_cannot_access(self):
+        """
+        User without permissions should be denied.
+        This case validates that a non-staff user cannot access.
+        """
+        self._add_course_certificates(count=2, signatory_count=2)
+        self.add_user_to_role(self.authorized_user, COURSE_EDITOR.external_key, self.course.id)
+        resp = self.authorized_client.get(self.url)
+        self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)

openedx/core/djangoapps/authz/tests/mixins.py

@@ -14,6 +14,75 @@
 from common.djangoapps.student.tests.factories import UserFactory
 
 
+class AuthzTestMixin:
+    """
+    Minimal reusable mixin for AuthZ-enabled tests.
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        cls.toggle_patcher = patch.object(
+            core_toggles.AUTHZ_COURSE_AUTHORING_FLAG,
+            "is_enabled",
+            return_value=True,
+        )
+        cls.toggle_patcher.start()
+        super().setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.toggle_patcher.stop()
+        super().tearDownClass()
+
+    def setUp(self):
+        super().setUp()
+
+        self._seed_policies()
+
+        self.authorized_user = UserFactory()
+        self.unauthorized_user = UserFactory()
+
+        self.authorized_client = APIClient()
+        self.authorized_client.force_authenticate(user=self.authorized_user)
+
+        self.unauthorized_client = APIClient()
+        self.unauthorized_client.force_authenticate(user=self.unauthorized_user)
+
+    def tearDown(self):
+        super().tearDown()
+        AuthzEnforcer.get_enforcer().clear_policy()
+
+    def add_user_to_role(self, user, role, course_key):
+        """Helper method to add a user to a role for the course."""
+        assign_role_to_user_in_scope(
+            user.username,
+            role,
+            str(course_key)
+        )
+        AuthzEnforcer.get_enforcer().load_policy()
+
+    @classmethod
+    def _seed_policies(cls):
+        """Seed the database with AuthZ policies."""
+        global_enforcer = AuthzEnforcer.get_enforcer()
+        global_enforcer.load_policy()
+
+        model_path = pkg_resources.resource_filename(
+            "openedx_authz.engine",
+            "config/model.conf",
+        )
+
+        policy_path = pkg_resources.resource_filename(
+            "openedx_authz.engine",
+            "config/authz.policy",
+        )
+
+        migrate_policy_between_enforcers(
+            source_enforcer=casbin.Enforcer(model_path, policy_path),
+            target_enforcer=global_enforcer,
+        )
+
+
 class CourseAuthzTestMixin:
     """
     Reusable mixin for testing course-scoped AuthZ endpoints.