docs: ADR for publisher external users access #3923
Conversation
Ali-D-Akbar
force-pushed
the
aakbar/PROD-3327
branch
2 times, most recently
from
b6b3d56
to
21a19fc
Compare
| ========= | ||
|
|
||
| A user group will be created for each product line. | ||
| Each group will have a product source(s) and course type(s) associated to them. |
There was a problem hiding this comment.
There could be a lot of work and maintenance hiding in these two lines.
How are groups created and maintained? Whose job is that?
There was a problem hiding this comment.
Thinking about storing the metadata information for each group/role, a better approach seems to be using rbac here. I'm going to revisit that.
| This has been an internal tool that only allows internal staff users to do these actions. | ||
| With the inclusion of other product lines in the Catalog, there has been a need to allow external users on Publisher so that they can view and edit their respective courses. | ||
| Currently, these courses are added through weekly ingestion and there are no plans to add them through Publisher. | ||
| These external users should be able to view and edit their own courses only and the legacy courses should be kept hidden from them. |
There was a problem hiding this comment.
Are they really external users or just other division of 2U users? If they're 2U users how much control do we need to apply to them? If the product source and course type is enough, would if be sufficient to expose those as filters for staff level users?
There was a problem hiding this comment.
They can be both but to visit Publisher, they need to have staff access. In order for them to view, create and edit courses, they need to have a role called PUBLISHER_EDITOR. We will restrict the external users to only perform actions on their own courses with the help of course_type and product_source.
Ali-D-Akbar
force-pushed
the
aakbar/PROD-3327
branch
2 times, most recently
from
0ca5eb6
to
8ec390b
Compare
Ali-D-Akbar
changed the title
Ali-D-Akbar
force-pushed
the
aakbar/PROD-3327
branch
3 times, most recently
from
291d94c
to
026eb08
Compare
| ======== | ||
|
|
||
| Frontend App Publisher (MFE) uses course APIs in Discovery to view, create and edit courses. | ||
| This has been an internal tool that only allows internal django staff users. |
There was a problem hiding this comment.
Incorrect, CourseEditors are not Django staff users.
| Frontend App Publisher (MFE) uses course APIs in Discovery to view, create and edit courses. | ||
| This has been an internal tool that only allows internal django staff users. | ||
| With the inclusion of other product lines in the Catalog, there has been a need to allow external users to be able to perform actions like viewing and updating their courses through Publisher. | ||
| These external users should have staff access to be able to visit Publisher and should only be able to view and edit their own courses only and the legacy courses should be kept hidden from them. |
There was a problem hiding this comment.
Again, if this staff access is Django staff user, it is incorrect.
There was a problem hiding this comment.
Just to have permissions to visit publisher, we do need staff (not django staff) access, right?
There was a problem hiding this comment.
Course Editor is more accurate in Publisher/Discovery terms.
| Currently, these courses are added through weekly ingestion and the external users should not be able to add them through Publisher. | ||
|
|
There was a problem hiding this comment.
These are internal 2U details. Rather, you can link how CSV & Degree loaders are used for ingestion of these products.
| * A feature-based role will be created for each product line in Discovery. | ||
| * The role will be assigned to external users within Discovery. The role can be assigned by an exposed endpoint. The role assignment will contain other information, such as the assignment date, the reason for giving access, access history, etc. | ||
| * Publisher will make an additional API call to get the users' assigned role. Based upon the assignment, the behavior of publisher will change. | ||
| * A mapping of the allowed product_source(s) and course_type(s) for each role will be added in edx-internal. Courses will be filtered based on these product sources and course types that a user's role is associated to. |
There was a problem hiding this comment.
This can be done on model level, like it was done for Source model.
There was a problem hiding this comment.
Which model will it be? Some config model or in course?
These mappings are specific to the user role in rbac.
There was a problem hiding this comment.
The roles will be in their dedicated tables, inhering from UserRole (from edx_rbac.models import UserRole). https://github.com/openedx/edx-platform/blob/master/openedx/core/djangoapps/system_wide_roles/models.py.
The role model, to be added, can contain the above mentioned information.
There was a problem hiding this comment.
Oh yes. That is true. Lemme update this.
| * Using Django User group, assign the users the new group, and make decisions based on the group. This approach, however, falls short in adding metadata of the role assignment. | ||
| * Using a Config Model to save mapping for each user group. The decision was changed to rather use rbac instead of user groups hence this approach isn't usable anymore. We will keep the mapping of each role in edx-internal. |
There was a problem hiding this comment.
Add more context to these, please.
Ali-D-Akbar
force-pushed
the
aakbar/PROD-3327
branch
2 times, most recently
from
742e6bf
to
1a60982
Compare
| Status | ||
| ======= | ||
|
|
||
| Accepted (May 2023) |
There was a problem hiding this comment.
lets keep it In-Progress for now.
| Context | ||
| ======== | ||
|
|
||
| Frontend App Publisher (MFE) uses course APIs in Discovery to view, create and edit courses. |
There was a problem hiding this comment.
Course, CourseRun, Organization, Collaborator, Staff -- there are different APIs. Just stick with Discovery APIs to avoid confusion.
| Frontend App Publisher (MFE) uses course APIs in Discovery to view, create and edit courses. | ||
| This has been an internal tool that only allows Course Editors to perform these actions. | ||
| With the inclusion of other product lines in the Catalog, there has been a need to allow external users to be able to perform actions like viewing and updating their courses through Publisher. | ||
| These external users should have Course Editor access to be able to visit Publisher and should only be able to view and edit their own courses only and the legacy courses should be kept hidden from them. |
There was a problem hiding this comment.
Instead of legacy, mention they should have access to their own source products.
| With the inclusion of other product lines in the Catalog, there has been a need to allow external users to be able to perform actions like viewing and updating their courses through Publisher. | ||
| These external users should have Course Editor access to be able to visit Publisher and should only be able to view and edit their own courses only and the legacy courses should be kept hidden from them. | ||
| Currently, these products are created and added in Discovery using `csv_loader`_ and `degrees_loader`_ | ||
| The external users should not be able to create these products through Publisher. |
There was a problem hiding this comment.
To add -> A note that Degrees are not authored on Publisher
There was a problem hiding this comment.
Programs aren't support for the moment this is being written. Is this really necessary to add this here?
There was a problem hiding this comment.
It will be good for historical purposes.
| .. _csv_loader: https://github.com/openedx/course-discovery/blob/master/course_discovery/apps/course_metadata/data_loaders/csv_loader.py#L32 | ||
| .. _degrees_loader: https://github.com/openedx/course-discovery/blob/master/course_discovery/apps/course_metadata/data_loaders/degrees_loader.py#L25 |
There was a problem hiding this comment.
nit: No need to pin to a specific line.
| The access checks will be implemented using role based authorization using `edx-rbac`_ | ||
|
|
||
| * A feature-based role will be created for each product line in Discovery. Each role will have product_source(s) and course_type(s) which will be used in permissions and filtering. | ||
| * The role will be assigned to external users within Discovery. The role can be assigned by an exposed endpoint. The role assignment will contain other information, such as the assignment date, the reason for giving access, access history, etc. |
There was a problem hiding this comment.
The role will be accessed by an exposed endpoint and that user would only be able to see its assigned role.
|
|
||
| The access checks will be implemented using role based authorization using `edx-rbac`_ | ||
|
|
||
| * A feature-based role will be created for each product line in Discovery. Each role will have product_source(s) and course_type(s) which will be used in permissions and filtering. |
There was a problem hiding this comment.
Examples here would be +1
There was a problem hiding this comment.
What kind of examples? example of how a role would look like for a usecase?
There was a problem hiding this comment.
Showcase what a role would look like and if we can add in multiple sources and/or types in a single role.
| @@ -0,0 +1,42 @@ | |||
| 23. External Source based course filtering for Publisher | |||
There was a problem hiding this comment.
The file has incorrect spelling for external (externnal)
Ali-D-Akbar
force-pushed
the
aakbar/PROD-3327
branch
from
1a60982
to
9be67c4
Compare
| Alternates Considered | ||
| ----------------------- | ||
|
|
||
| * Using Django User group, assign the users the new group, and make decisions based on the group. Additional information like product_source and course_type specific to each user group was to be added in the django groups. This approach, however, falls short in adding metadata of the role assignment. |
There was a problem hiding this comment.
What is meant by metadata of the assignment?
There was a problem hiding this comment.
To keep data related to each role assignment like when was it added, who added it, reason to assign role etc
|
Closing this as this is out of scope and wont be needed anytime soon. |
PROD-3327
ADR for granting access to external users in Publisher consumed APIs.