feat: add authz permission to search_reindex endpoint #38348
dwong2708 wants to merge 2 commits into openedx:master from
| if not has_course_author_access(user, course_key): | ||
| if not user_has_course_permission( | ||
| user=user, | ||
| authz_permission=COURSES_CREATE_COURSE.identifier, |
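Review bot: `authz_permission=COURSES_CREATE_COURSE.identifier` ties a reindex of an existing course to the course-creation permission, which is a different intent from the `has_course_author_access(user, course_key)` check it replaces. A user who can author this course but holds no create-course grant would be denied, and a create-course grant would double as reindex access. Either use a permission that describes acting on an existing course, or add a comment at this call explaining why create-course is the stand-in and under what condition it will be swapped. The arguments after this line are not visible here, so also confirm that `course_key` is still passed and the decision stays scoped to the course being reindexed.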
I'm leaning more towards the edit course or publish course permissions for this, pending confirmation from product.
Pull request overview
Adds AuthZ-based authorization enforcement for the Studio course search reindex endpoint (GET /course/{course_id}/search_reindex/) to align with the broader course authoring permissions rollout behind the existing feature flag.
Changes:
- Enforce AuthZ permission (`courses.create_course`) in `reindex_course_and_check_access`.
- Gate `course_search_index_handler` behavior on the course authoring AuthZ feature flag (legacy behavior when disabled).
- Add an AuthZ-focused test class for the reindex endpoint.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `cms/djangoapps/contentstore/views/course.py` | Switches reindex access checks to `user_has_course_permission(...)` and adjusts endpoint gating under the AuthZ feature flag. |
| `cms/djangoapps/contentstore/views/tests/test_course_index.py` | Adds an AuthZ test class intended to validate allow/deny behavior for reindexing. |
Description
This PR adds authorization enforcement to the search reindex endpoint as part of the course list page permissions work.
The original ticket introduced new permissions behind a feature flag for multiple course-related endpoints, but the following endpoint was not covered:
`GET /course/{course_id}/search_reindex/`
This change ensures the endpoint is now protected and aligned with the overall AuthZ strategy.
Changes
Permission Applied
`courses.create_course`
This permission is currently used as the closest available match for restricting access to this operation, ensuring that only authorized users can trigger a reindex.
Supporting information
This PR completes the missing piece from the ticket: #38129
Testing instructions
Please provide detailed step-by-step instructions for testing this change.
Deadline
Verawood
Other information
Closes: