fix: limit assignable roles to the user's manage-team permissions #172

Open
dcoa wants to merge 3 commits into openedx:master from eduNEXT:dcoa/limit-roles

Conversation

@dcoa dcoa commented Jun 29, 2026

Contributor

Description

The "Assign Role" entry point and the role list inside the assignment wizard were shown to every user regardless of whether they could actually manage a team. This PR gates both on the current user's permissions, so people only see the action and the role groups they're allowed to assign.

Changes

AddRoleButton

  • Validates MANAGE_LIBRARY_TEAM / MANAGE_COURSE_TEAM and renders the button only when at least one is allowed; otherwise renders nothing.

AssignRoleWizardPage

  • Derives rolesAssignable from the permission response (library roles when library-team management is allowed, course roles when course-team management is allowed) and passes them to AssignRoleWizard via the existing roles prop.
  • Replaces the allRolesMetadata used as the default value of the roles prop with an empty array, so that while the validation is in progress the user doesn't see the complete list.

RolesFilter

  • Validates VIEW_LIBRARY_TEAM / VIEW_COURSE_TEAM and renders the respective roles according to the allowed scope.

Context

It follows the proposal in openedx/wg-build-test-release#603
It solves #163
It solves #161

Testing instructions

  1. As a non-staff user with a library_user role in a single scope, the Assign Roles button should not be visible, and only library roles should be in the filters.
  2. As a non-staff user with a library_admin role in a single scope, the Assign Roles button should be visible, and the Wizard/filters display only library roles.
  3. A user with multi-scope manage-team permissions, such as a super admin, should see the button and the roles for both scopes.

Important

Depends on openedx/openedx-authz#348 - Available in version openedx-authz==1.20.0
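The gating the description outlines, as an added example that is not code from this PR or the repository it targets: the actions compared against the permission response are derived from the same list sent to the permission check, an undefined (still pending) response yields nothing, and global roles fall outside every manageable scope. Permission string values, CONTEXT_TYPE, RoleMeta and the sample roles are assumptions.

```typescript
// Added example, not code from this PR or the repository it targets. Permission
// strings, CONTEXT_TYPE and the sample roles below are assumptions.
type PermissionResult = { action: string; allowed: boolean };
type RoleMeta = { name: string; contextType: string };

export const CONTEXT_TYPE = { LIBRARY: 'library', COURSE: 'course', GLOBAL: 'global' } as const;
const CONTENT_LIBRARY_PERMISSIONS = { MANAGE_LIBRARY_TEAM: 'manage_library_team' };
const CONTENT_COURSE_PERMISSIONS = { MANAGE_COURSE_TEAM: 'manage_course_team' };

// One table drives both the request sent to the permission check and the reading
// of its response, so the requested and compared actions cannot drift apart.
const MANAGE_ACTION_CONTEXT: Record<string, string> = {
  [CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM]: CONTEXT_TYPE.LIBRARY,
  [CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM]: CONTEXT_TYPE.COURSE,
};
export const MANAGE_TEAM_PERMISSIONS = Object.keys(MANAGE_ACTION_CONTEXT).map((action) => ({ action }));

// Scopes whose team the user may manage. An undefined response (check still
// pending) yields an empty set, like the PR's empty-array default: fail closed.
export function manageableContexts(permissions: PermissionResult[] | undefined): Set<string> {
  const contexts = new Set<string>();
  permissions?.forEach((p) => {
    const ctx = MANAGE_ACTION_CONTEXT[p.action];
    if (p.allowed && ctx !== undefined) { contexts.add(ctx); }
  });
  return contexts;
}

export function showAssignRoleButton(permissions: PermissionResult[] | undefined): boolean {
  return manageableContexts(permissions).size > 0;
}

// Roles offered by the wizard: only those in a scope the user can manage. Global
// roles map to no manageable scope and so are never listed (see #173 above).
export function rolesAssignable(permissions: PermissionResult[] | undefined, allRoles: RoleMeta[]): RoleMeta[] {
  const contexts = manageableContexts(permissions);
  return allRoles.filter((r) => contexts.has(r.contextType));
}

// Constructed sample role metadata.
export const SAMPLE_ROLES: RoleMeta[] = [
  { name: 'library_user', contextType: CONTEXT_TYPE.LIBRARY },
  { name: 'library_admin', contextType: CONTEXT_TYPE.LIBRARY },
  { name: 'course_staff', contextType: CONTEXT_TYPE.COURSE },
  { name: 'global_admin', contextType: CONTEXT_TYPE.GLOBAL },
];
```

The gate only decides what the UI offers; the authz service still has to reject assignments from users without manage-team permission.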

openedx-webhooks added the labels open-source-contribution (PR author is not from Axim or 2U) and core contributor (PR author is a Core Contributor, who may or may not have write access to this repo) on Jun 29, 2026
openedx-webhooks commented Jun 29, 2026


Thanks for the pull request, @dcoa!

This repository is currently maintained by @openedx/committers-frontend.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

codecov Bot commented Jun 29, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.48%. Comparing base (e3d90d8) to head (9232178).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #172      +/-   ##
==========================================
+ Coverage   97.44%   97.48%   +0.04%     
==========================================
  Files          66       66              
  Lines        1525     1552      +27     
  Branches      386      370      -16     
==========================================
+ Hits         1486     1513      +27     
  Misses         39       39              


dcoa force-pushed the dcoa/limit-roles branch from 5c44796 to 9fd2766 on June 30, 2026 00:53
dcoa changed the title from "fix: validate user manage team action and scopes" to "fix: limit assignable roles to the user's manage-team permissions" on Jun 30, 2026
dcoa force-pushed the dcoa/limit-roles branch from 9fd2766 to a6898ae on June 30, 2026 01:49
dcoa force-pushed the dcoa/limit-roles branch from a6898ae to 24e28e3 on June 30, 2026 02:23
dcoa marked this pull request as ready for review on June 30, 2026 02:25
bra-i-am commented Jul 1, 2026

Contributor

Testing Behavior

  • As a non-staff user with a library_user role in a single scope, the Assign Roles button should not be visible, only library roles should be in the filters.
    (screenshots: Role UI)
  • As a non-staff user with a library_admin role in a single scope, the Assign Roles button should be visible, and the Wizard/filters displays only library roles.
    (screenshots: Role UI)
  • As a user with multi scope manage team permissions, such as super admin should see the button and the roles for both scopes.
    (screenshot)

@bra-i-am bra-i-am left a comment

Contributor


Thanks for this PR @dcoa, everything works as expected!!

I'm just nitpicking... feel free to continue ✨

const contexts = new Set<string>();
permissions?.forEach((p) => {
if (!p.allowed) { return; }
if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add('library'); }
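Review bot: this comparison can only match actions that were included in the request made to the permission hook; if the hook is called with the manage-team actions while this line checks CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM (the mismatch raised later in this thread), no returned entry matches, `contexts` stays empty and the filter silently shows no roles. Build the compared action set from the same list that is passed to the hook so the two cannot drift, and keep in mind that this only hides UI; role assignment for users without manage-team permission still has to be rejected by the authz backend.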

Contributor


nit

Suggested change
if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add('library'); }
if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add(CONTEXT_TYPE.LIBRARY); }

Contributor Author


Thanks @bra-i-am, I made the nit changes.

permissions?.forEach((p) => {
if (!p.allowed) { return; }
if (p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM) { contexts.add('library'); }
if (p.action === CONTENT_COURSE_PERMISSIONS.VIEW_COURSE_TEAM) { contexts.add('course'); }

Contributor


nit

Suggested change
if (p.action === CONTENT_COURSE_PERMISSIONS.VIEW_COURSE_TEAM) { contexts.add('course'); }
if (p.action === CONTENT_COURSE_PERMISSIONS.VIEW_COURSE_TEAM) { contexts.add(CONTEXT_TYPE.COURSE); }

Comment on lines +21 to +22
{ action: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM },
{ action: CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM },

Contributor


nit: maybe this can be a constant because these permissions are used in AssignRoleWizardPage.tsx too

const MANAGE_PERMISSIONS = [
  { action: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM },
  { action: CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM },
]

import { Language, LibraryBooks, School } from '@openedx/paragon/icons';
import messages from './messages';

export const getRolesFiltersOptions = (intl: IntlShape) => [

Contributor


nit: use the contentType constant I recommended in RolesFilter.tsx

Comment on lines +26 to +27
{ action: CONTENT_LIBRARY_PERMISSIONS.MANAGE_LIBRARY_TEAM },
{ action: CONTENT_COURSE_PERMISSIONS.MANAGE_COURSE_TEAM },

Contributor


nit: use the constant I recommended in AddRoleButton.tsx

@bra-i-am bra-i-am left a comment

Contributor


wait... just 1 question... I just noticed that the admin users now can't see the Global roles in the filter dropdown. Is it the expected behavior?

(screenshots: filter dropdown before and after)

@bra-i-am bra-i-am self-requested a review July 1, 2026 15:28
dcoa commented Jul 1, 2026

Contributor Author

wait... just 1 question... I just noticed that the admin users now can't see the Global roles in the filter dropdown. Is it the expected behavior?

Yes, that is the expected behavior, you can get more information here #173

}));

// Mock constants
jest.mock('./course/constants', () => ({
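Review bot: a factory mock of './course/constants' that returns only the fields it lists replaces the whole module, so any constant added later (MANAGE_TEAM_PERMISSIONS, as the author notes below) comes back undefined and the test breaks for reasons unrelated to the behaviour under test. Spread the real module and override only what the test needs, e.g. `jest.mock('./course/constants', () => ({ ...jest.requireActual('./course/constants'), /* overrides */ }));`, so new constants stay visible to the component.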

Contributor Author


Due to the introduction of MANAGE_TEAM_PERMISSIONS, the test started failing because of the mock (which I consider an unusual decision for constants, especially in this component, where any change in the constant is important).

@bra-i-am bra-i-am left a comment

Contributor


LGTM!

Contributor


I just noticed that MANAGE_TEAM_PERMISSIONS is used here in useValidateUserPermissionsNonSuspense, but then the returned permissions are compared with the view constants below:

p.action === CONTENT_LIBRARY_PERMISSIONS.VIEW_LIBRARY_TEAM



Development

Successfully merging this pull request may close these issues.

[Test failure] TC-00396: Add New Role action is visible only to users with manage team permission (library)