OEP-66 - update comment_client, add course_roles #556

Merged: 3 commits merged on Feb 2, 2024
64 changes: 64 additions & 0 deletions oeps/best-practices/oep-0066-bp-authorization.rst
Expand Up @@ -395,12 +395,69 @@ django_comment_client_role

Explicit roles are assigned to users on a course level basis.

Each role is made up of a combination of permissions stored in the database.

These roles require that the user already be enrolled in the course
(have an enrollment, audit or verified).

Roles are assigned through the LMS in the same place in the UI as the student_courseaccessrole roles.
They can also be granted in the LMS Django Admin Dashboard.

Access is granted through a combination of checking a user's role and checking if a user has a specified permission.
In some situations, the code also checks if a user has a combination (and or or) of permissions to grant access.

course_roles_role (Proposed Service)
------------------------------------

.. note::
Code related to the course_role schema is in progress.
This section describes the intended usage, but not all portions have been implemented at this time.
The code is not being used in production at this time.

Explicit course level roles are assigned to users. The roles grant access on the course level,
but can also be assigned organization or instance wide.

**Permissions:**

Each role is a combination of the permissions found in the course_roles_permission database table.
The permissions in course_roles_permission are used to determine authorization (access) within the code. As a result,
new roles can be added to the database, connected to existing permissions, and utilized in the system
with minimal effort.

**Role Assignment**

A course_roles_role can be assigned to a user in the LMS, CMS, or Django Admin Dashboard.
These three locations are stored in the course_roles_service database table.
If needed, additional UI locations can be added at a later date.
When a course_roles_role is created, a course_roles_roleservice database row (or rows) should also be created that link the role to the UI service where the role should be assignable to users.
The course_roles_role list will be filtered by course_roles_roleservice values to determine which roles to show in each UI role assignment page (Course Team, Membership, Course_Roles).

Each role assignment will generate one row in the course_roles_userrole database table. The values
in the row will determine if the user is granted access for a single course, all
courses in the org, or all courses in the instance.

* If a userrole is assigned to a course, it grants access based on the related permissions to that course.
* If a userrole is assigned on an organization wide level, it grants access based on the related permissions to all courses that belong to the organization.
* If a userrole is assigned on an instance wide level, it grants access based on the related permissions to all courses that belong to the instance.

The course_roles_userrole database table utilizes foreign keys to user, role, course (CourseOverview), and organization. It is not
possible to assign a course_roles_userrole on an object that is not a course (does not have a CourseOverview) in the database.

.. note::
Once the proposed course_roles architecture is created, the next planned step is to migrate
existing student_courseaccessrole roles to the course_roles schema and deprecate the student_courseaccessrole roles.
The comment_client roles are also being considered for migration to course_roles, but are considered lower
priority because they are already based upon permissions.

.. image:: oep-0066/Open_edX_Course_Roles_Proposal.png
:alt: A diagram that provides an overview of the proposed architecture for course_roles. The information in the diagram is also in the Open edX Course Roles Proposal Table (linked to in this document).

.. toctree::
:maxdepth: 1
:glob:

oep-0066/Open_edX_Course_Roles_Proposal_Table.rst

edx-rbac
--------
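
Review bot: The Role Assignment text never says which values of a course_roles_userrole row select each scope; it only states that "The values in the row will determine if the user is granted access for a single course, all courses in the org, or all courses in the instance". Please spell out how organization-wide and instance-wide rows are represented with the course and organization foreign keys, and whether a row with neither a course nor an organization is treated as an instance-wide grant or rejected, so that an incomplete row cannot be read as the broadest grant. The sentence "It is not possible to assign a course_roles_userrole on an object that is not a course" also reads as contradicting the organization-wide and instance-wide bullets just above it and could be reworded to say what kind of object is excluded. In the django_comment_client_role paragraph, "(and or or)" would be clearer as "(AND or OR)", and it would help to say whether the role check or the permission check is authoritative when both are used. Style: "**Permissions:**" has a trailing colon while "**Role Assignment**" does not.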

Expand Down Expand Up @@ -523,6 +580,13 @@ References
Change History
**************

2024-01-23
----------

* Update django_comment_client_role section
* Add draft course_roles section
* `Pull request #556 <https://github.com/openedx/open-edx-proposals/pull/556>`_

2023-10-23
----------
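
Review bot: The new Change History entry lists the django_comment_client_role update and the draft course_roles section but not the architecture diagram or the Open_edX_Course_Roles_Proposal_Table.rst page that the same change links from a toctree; consider adding a bullet for them so readers can find the supporting table from the history. The entry is dated 2024-01-23 while the pull request merged on Feb 2, 2024, so confirm which date the Change History convention expects.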

Binary file not shown.