fix: update taxonomies permission rules

[rpenido]

Description

Updates the content tagging rest API permissions according to spec.

Supporting Information

• Closes [Tagging] Permissions for Taxonomies List Page and Taxonomy Detail Page modular-learning#129
• Depends:
  • feat: add object tag view permissions [FC-0036] openedx-learning#94
  • Continued simplification of Taxonomy model, squashed migrations [FC-0030] #33438

Testing instructions

• Please ensure that the tests cover the expected behavior of the view as described in the related issue.

Before Merge

• Update openedx-learning version

---

Private-ref: FAL-3518

[openedx-webhooks]

Thanks for the pull request, @rpenido! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

• supporting documentation
• Open edX discussion forum threads
• timeline information ("this must be merged by XX date", and why that is)
• partner information ("this is a course on edx.org")
• any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

[pomegranited]

I'm not sure how we're supposed to handle a Taxonomy that's linked to "all orgs" and linked to one or more specific orgs -- which takes precedence, the "all orgs" row, or the specific org rows?

I would guess that "all orgs" takes precedence.

So I'd expect this check to look like this, and is_all_org to not be referenced again in this function:

Suggested change

	# Only taxonomy admins can view disabled all org taxonomies
	if is_all_org and not taxonomy.enabled:
	return False
	# Only taxonomy admins can view disabled all org taxonomies
	if is_all_org:
	return taxonomy.enabled

[rpenido]

I agree that "all orgs" should take precedence.

We can't change the check that way because we would enable an ordinary user (without org) to see this taxonomy. We can short circuit a False here (denying permission) but to return a True we need additional checks.

But reviewing the code, I think we don't need to check is_all_org after:

# Org-level staff can view any taxonomy that is associated with one of their orgs.
if is_org_admin(taxonomy_orgs, user):
    return True

[pomegranited]

@rpenido I don't think your conclusion ^ is correct?

We can't change the check that way because we would enable an ordinary user (without org) to see this taxonomy.

This comment says:

• Enabled Taxonomy linked to all orgs - any registered user can view the taxonomy and its tags (3)
• Disabled Taxonomy linked to all orgs - only global staff can view the taxonomy and its tags (5)

So my original suggestion stands:

Suggested change

	# Only taxonomy admins can view disabled all org taxonomies
	if is_all_org and not taxonomy.enabled:
	return False
	# Enabled all-org taxonomies can be viewed by any registered user.
	if is_all_org:
	return taxonomy.enabled

[rpenido]

You're right @pomegranited !
Done: dd4696a110c9d22baa1780fc8fcf6d63438cef01

I'll check/fix the related test tomorrow

[pomegranited]

"Only taxonomy admins can tag objects using tags from disabled taxonomies."

I'm not sure about this.. I think "disabled" means it can't be used to tag objects, even if you're an admin.

[rpenido]

I think that it could make sense to let an admin clean tags from a disabled taxonomy. But we can simplify and let only enabled taxonomies be used.

What do you think?

[bradenmacdonald]

"Only taxonomy admins can tag objects using tags from disabled taxonomies."

Yeah I agree with @pomegranited. I don't think we have any need for this. In fact for the MVP we won't really be using disabled taxonomies at all.

Either of these options is fine with me:

• If the taxonomy is disabled, nobody can modify its tags on an object.
• If the taxonomy is disabled, admins can remove tags from objects, but not add new ones.

This only affects the API. In the UI, we will never display tags from disabled taxonomies, even to admins. (I think)

[rpenido]

Agreed!
I went to: "If the taxonomy is disabled, nobody can modify its tags on an object."

[pomegranited]

Why did this have to change? I think it's still useful to include a taxonomy in the tests which is disabled + all_orgs.

[rpenido]

I changed it to fix the following test:

https://github.com/open-craft/edx-platform/blob/aeeebf948941ed37c9cc8b28e15315e1d8d4f62a/openedx/core/djangoapps/content_tagging/tests/test_rules.py#L259C1-L278C57

We have disabled + all_orgs test here:
https://github.com/open-craft/edx-platform/blob/aeeebf948941ed37c9cc8b28e15315e1d8d4f62a/openedx/core/djangoapps/content_tagging/tests/test_rules.py#L375C1-L392C57

[rpenido]

Hi @pomegranited !
Tests refactored, and we are ready for a review here.

We have a Lint error:

Do not depend on non-public API of isolated apps.
-------------------------------------------------

openedx.core.djangoapps.content_tagging.rest_api.v1.tests.test_views:31: imported from non-public API of openedx.core.djangoapps.content_libraries:
    from openedx.core.djangoapps.content_libraries.models import ContentLibrary

I needed to create a ContentLibrary for the tests (to check our condition no. 8). Should we ignore this lint or is there a better way to handle this in the tests?

8. Users who can view any v2 content libraries belonging to an org (CAN_VIEW_THIS_CONTENT_LIBRARY) can view that org's enabled taxonomies.

Also, after implementing condition 8, I saw a potential problem.
I'm using get_libraries_for_user to see if the user has permission on some library from that org to show them the taxonomies (there is a better way?).

If an Org has a ContentLibrary with allow_public_read = True, everyone who has access to studio will see its taxonomies. I think this is not desirable, but is it a real problem that should be discussed now?
The allow_public_learn=true, which gives access to everyone (not only studio users) does not impact us right now.

I also noted that we are not preventing a user with access to more than one org from "cross tag" objects.
I.e: use a taxonomy from OrgA to tag an object from OrbB. Probably, the frontend will avoid this. Should I also handle this problem in the backend on this task?

[bradenmacdonald]

@rpenido

I needed to create a ContentLibrary for the tests (to check our condition no. 8). Should we ignore this lint or is there a better way to handle this in the tests?

You need to use the public create_library API - not import the app's internal ContentLibrary Django model.

[bradenmacdonald]

If an Org has a ContentLibrary with allow_public_read = True, everyone who has access to studio will see its taxonomies.

I think that's actually fine. Taxonomies aren't super private.

[pomegranited]

@rpenido

Subjective comment: you could split test_tag_course into two test methods, one for the successful staffA and staff users, and one for the forbidden user attempts. That would reduce the number of ddt parameters required, and negate the need for this if status.is_success clause.

But objectively: I still don't see any tests for the GET ObjectTag endpoint in this file? You could add get view tests after these successful PUTs like this:

Suggested change

	# Check that re-fetching the tags returns what we set
	response = self.client.get(url, format="json")
	assert status.is_success(response.status_code)
	assert set(t["value"] for t in response.data) == set(tag_values)

[rpenido]

Done 9695d67

[pomegranited]

@rpenido One comment about missing tests, but this still looks good 👍 .

FYI, while a PR is actively being reviewed, if you merge latest master instead of rebase, then you don't have to force-push, and your reviewer can easily see what's been changed since they last looked at your PR. These show up as merge commits on your PR, but disappear when the PR gets merged.

[rpenido]

@bradenmacdonald Package updated and tests green.
This is ready for an review when you have time!

[rpenido]

@rpenido One comment about missing tests, but this still looks good 👍 .

FYI, while a PR is actively being reviewed, if you merge latest master instead of rebase, then you don't have to force-push, and your reviewer can easily see what's been changed since they last looked at your PR. These show up as merge commits on your PR, but disappear when the PR gets merged.

Sorry for that @pomegranited!
The problem wasn't a rebase: I needed to force push to reword a commit that was not passing the lint (tests: vs. test:, I always use the wrong one!)

[bradenmacdonald]

Looks great! Just one minor thing and question, then I'll approve.

[bradenmacdonald]

This docstring is wrong.

[rpenido]

Done 66158a7!

[bradenmacdonald]

Does ENABLE_CREATOR_GROUP have any effect at all on the taxonomy code/permissions? I'm unclear why we have different tests based on that.

[rpenido]

No.
After we stopped using the is_content_creator check, the FLAG didn't impact our code anymore.

If any, these tests tell us that the FLAG is not affecting our permissions.
I think we can safely clear this. What do you think?

[bradenmacdonald]

I think it's confusing to mention that flag if it has no effect. Maybe just add one little test case that ensures things work the same way with or without that flag, but even that is probably not necessary.

[pomegranited]

Yeah I agree -- we used to care about this flag, but we don't anymore with the new permissions, so these extra tests can be removed.

[rpenido]

Great! I will fix this tomorrow ping you here!

[rpenido]

Done 217cedb
@bradenmacdonald @pomegranited

[openedx-webhooks]

@rpenido 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX production environment.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX production environment.