Technical task planning - AuthZ for Course Authoring

WIP: This document is a work in progress, being filled during technical discovery to keep track of the work that will be needed for this iteration.

Once the discovery is finished, these tasks will be formalized in GitHub.

• frontend-base: Implement authz utils into frontend-base

• openedx-authz: Multi scope roles: Implement support for glob permissions and validations

• openedx-authz: Multi scope roles: benchmark to identify any performance concerns with glob support

• openedx-authz: Multi scope roles: Make sure it doesn't introduce security concerns with risk of over-provisioning permissions

• openedx-authz: Implement auditability (research existing django utils or create model for keeping history)

• Define roles and permissions

• edx-platform: xblock endpoint: Identify use cases and match with permissions

• edx-platform: xblock endpoint: Implement permission checks

• edx-platform: /api/contentstore/v2/home/courses/: implement permission checks

• edx-platform: Implement permissions for course updates

• edx-platform: Implement permissions for pages & resources

• edx-platform: Implement permissions for files

• edx-platform: Implement permissions for videos

• edx-platform: Implement permissions for schedule & details

• edx-platform: Implement permissions for grading settings

• edx-platform: Implement permissions for group configurations

• edx-platform: Implement permissions for advanced settings

• edx-platform: Implement permissions for certificates

• edx-platform: Implement permissions for checklists

• openedx-auth: REST API for permission metadata (for Admin dashboard)

• edx-platform: Implement import/export permissions

• edx-platform: Implement feature flag to toggle between legacy and openedx-authz permission validation during development

• edx-platform: Implement compatibility layer on legacy endpoints that are used for configuring permissions, so legacy views (like the one in instructor-dashboard) continue to work

• Frontend: Accessibility assessment and fixes

• openedx-authz and/or edx-platform: Implement migration script for turning legacy role assignations to openedx-authz assignations.

• TODO: Add frontend tasks, work will be needed on frontend-app-authoring and frontend-app-admin-console

These tasks are required for keeping a clean architecture and prepare it for extensibility, but are not strictly needed for this iteration.

• openedx-authz: Define file format to define permissions and roles for a module

• openedx-authz: Implement mechanism for loading external, module-defined permissions and roles

• openedx-authz: Define mechanism for extending subject models for extensibility

• openedx-authz: Implement changes needed to support subject model extensibillity

• openedx-authz and edx-platform: Externalize existing library permissions definition to edx-platform

• openedx-authz and edx-platform: Externalize existing library subject model to edx-platform

• edx-platform: Implement permissions and roles definition for course authoring

• edx-platform: Implement subject models for course authoring

• edx-platform: Remove legacy permissions check for libraries