feat: adds django-rules based permissions for tagging app

Also:
* Adds rules requirement and app settings to enable it
* Adds mock to test requirements, so we can test system taxonomy rules
* ADR: Clarifies that rules will be enforced in the views, not the model or APIs

docs/decisions/0009-tagging-administrators.rst

@@ -26,6 +26,8 @@ But because permissions #2 + #3 require access to the edx-platform CMS model `Co
 
 Per `OEP-9`_, ``openedx_tagging`` will allow applications to use the standard Django API to query permissions, for example: ``user.has_perm('openedx_tagging.edit_taxonomy', taxonomy)``, and the appropriate permissions will be applied in that application's context.
 
+These rules will be enforced in the tagging `views`_, not the API or models, so that external code using this library need not have a logged-in user in order to call the API. So please use with care.
+
 Rejected Alternatives
 ---------------------
 
@@ -37,3 +39,4 @@ This is a standard way to grant access in Django apps, but it is not used in Ope
 .. _get_organizations: https://github.com/openedx/edx-platform/blob/4dc35c73ffa6d6a1dcb6e9ea1baa5bed40721125/cms/djangoapps/contentstore/views/course.py#L1958
 .. _CourseCreator: https://github.com/openedx/edx-platform/blob/4dc35c73ffa6d6a1dcb6e9ea1baa5bed40721125/cms/djangoapps/course_creators/models.py#L27
 .. _OEP-9: https://open-edx-proposals.readthedocs.io/en/latest/best-practices/oep-0009-bp-permissions.html
+.. _views: https://github.com/dfunckt/django-rules#permissions-in-views

openedx_tagging/core/tagging/rules.py

@@ -0,0 +1,74 @@
+"""Django rules-based permissions for tagging"""
+
+import rules
+
+# Global staff are taxonomy admins.
+# (Superusers can already do anything)
+is_taxonomy_admin = rules.is_staff
+
+
+@rules.predicate
+def can_view_taxonomy(user, taxonomy=None):
+    """
+    Anyone can view an enabled taxonomy,
+    but only taxonomy admins can view a disabled taxonomy.
+    """
+    return (taxonomy and taxonomy.enabled) or is_taxonomy_admin(user)
+
+
+@rules.predicate
+def can_change_taxonomy(user, taxonomy=None):
+    """
+    Even taxonomy admins cannot change system taxonomies.
+    """
+    return is_taxonomy_admin(user) and (
+        not taxonomy or not taxonomy or (taxonomy and not taxonomy.system_defined)
+    )
+
+
+@rules.predicate
+def can_change_taxonomy_tag(user, tag=None):
+    """
+    Even taxonomy admins cannot add tags to system taxonomies (their tags are system-defined), or free-text taxonomies
+    (these don't have predefined tags).
+    """
+    return is_taxonomy_admin(user) and (
+        not tag
+        or not tag.taxonomy
+        or (
+            tag.taxonomy
+            and not tag.taxonomy.allow_free_text
+            and not tag.taxonomy.system_defined
+        )
+    )
+
+
+@rules.predicate
+def can_change_object_tag(user, object_tag=None):
+    """
+    Taxonomy admins can create or modify object tags on enabled taxonomies.
+    """
+    return is_taxonomy_admin(user) and (
+        not object_tag
+        or not object_tag.taxonomy
+        or (object_tag.taxonomy and object_tag.taxonomy.enabled)
+    )
+
+
+# Taxonomy
+rules.add_perm("oel_tagging.add_taxonomy", can_change_taxonomy)
+rules.add_perm("oel_tagging.change_taxonomy", can_change_taxonomy)
+rules.add_perm("oel_tagging.delete_taxonomy", can_change_taxonomy)
+rules.add_perm("oel_tagging.view_taxonomy", can_view_taxonomy)
+
+# Tag
+rules.add_perm("oel_tagging.add_tag", can_change_taxonomy_tag)
+rules.add_perm("oel_tagging.change_tag", can_change_taxonomy_tag)
+rules.add_perm("oel_tagging.delete_tag", is_taxonomy_admin)
+rules.add_perm("oel_tagging.view_tag", rules.always_allow)
+
+# ObjectTag
+rules.add_perm("oel_tagging.add_object_tag", can_change_object_tag)
+rules.add_perm("oel_tagging.change_object_tag", can_change_object_tag)
+rules.add_perm("oel_tagging.delete_object_tag", is_taxonomy_admin)
+rules.add_perm("oel_tagging.view_object_tag", rules.always_allow)

projects/dev.py

@@ -41,13 +41,19 @@
     # REST API
     "rest_framework",
     "openedx_learning.rest_api.apps.RESTAPIConfig",
+    # django-rules based authorization
+    'rules.apps.AutodiscoverRulesConfig',
     # Tagging Core Apps
     "openedx_tagging.core.tagging.apps.TaggingConfig",
 
     # Debugging
     "debug_toolbar",
 )
 
+AUTHENTICATION_BACKENDS = [
+    'rules.permissions.ObjectPermissionBackend',
+]
+
 MIDDLEWARE = [
     "debug_toolbar.middleware.DebugToolbarMiddleware",
     "django.middleware.security.SecurityMiddleware",

requirements/base.in

@@ -4,3 +4,5 @@
 Django<5.0                # Web application framework
 
 djangorestframework<4.0   # REST API
+
+rules<4.0                 # Django extension for rules-based authorization checks

requirements/base.txt

@@ -17,6 +17,8 @@ pytz==2023.3
     # via
     #   django
     #   djangorestframework
+rules==3.3
+    # via -r requirements/base.in
 sqlparse==0.4.4
     # via django
 typing-extensions==4.6.3

requirements/dev.txt

@@ -169,6 +169,8 @@ mdurl==0.1.2
     # via
     #   -r requirements/quality.txt
     #   markdown-it-py
+mock==5.0.2
+    # via -r requirements/quality.txt
 more-itertools==9.1.0
     # via
     #   -r requirements/quality.txt
@@ -296,6 +298,8 @@ rich==13.4.2
     # via
     #   -r requirements/quality.txt
     #   twine
+rules==3.3
+    # via -r requirements/quality.txt
 secretstorage==3.3.3
     # via
     #   -r requirements/quality.txt

requirements/doc.txt

@@ -83,6 +83,8 @@ markupsafe==2.1.3
     # via
     #   -r requirements/test.txt
     #   jinja2
+mock==5.0.2
+    # via -r requirements/test.txt
 mysqlclient==2.1.1
     # via -r requirements/test.txt
 packaging==23.1
@@ -139,6 +141,8 @@ requests==2.31.0
     # via sphinx
 restructuredtext-lint==1.4.0
     # via doc8
+rules==3.3
+    # via -r requirements/test.txt
 six==1.16.0
     # via bleach
 snowballstemmer==2.2.0

requirements/quality.txt

@@ -104,6 +104,8 @@ mccabe==0.7.0
     # via pylint
 mdurl==0.1.2
     # via markdown-it-py
+mock==5.0.2
+    # via -r requirements/test.txt
 more-itertools==9.1.0
     # via jaraco-classes
 mysqlclient==2.1.1
@@ -182,6 +184,8 @@ rfc3986==2.0.0
     # via twine
 rich==13.4.2
     # via twine
+rules==3.3
+    # via -r requirements/test.txt
 secretstorage==3.3.3
     # via keyring
 six==1.16.0

requirements/test.in

@@ -13,3 +13,4 @@ pytest-cov                # pytest extension for code coverage statistics
 pytest-django             # pytest extension for better Django support
 code-annotations          # provides commands used by the pii_check make target.
 ddt                       # supports data driven tests
+mock                      # supports overriding classes and methods in tests

requirements/test.txt

@@ -38,6 +38,8 @@ jinja2==3.1.2
     # via code-annotations
 markupsafe==2.1.3
     # via jinja2
+mock==5.0.2
+    # via -r requirements/test.in
 mysqlclient==2.1.1
     # via -r requirements/test.in
 packaging==23.1
@@ -64,6 +66,8 @@ pytz==2023.3
     #   djangorestframework
 pyyaml==6.0
     # via code-annotations
+rules==3.3
+    # via -r requirements/base.txt
 sqlparse==0.4.4
     # via
     #   -r requirements/base.txt

test_settings.py

@@ -35,13 +35,19 @@ def root(*args):
     # Admin
     #    'django.contrib.admin',
     #    'django.contrib.admindocs',
+    # django-rules based authorization
+    'rules.apps.AutodiscoverRulesConfig',
     # Our own apps
     "openedx_learning.core.components.apps.ComponentsConfig",
     "openedx_learning.core.contents.apps.ContentsConfig",
     "openedx_learning.core.publishing.apps.PublishingConfig",
     "openedx_tagging.core.tagging.apps.TaggingConfig",
 ]
 
+AUTHENTICATION_BACKENDS = [
+    'rules.permissions.ObjectPermissionBackend',
+]
+
 LOCALE_PATHS = [
     root("openedx_learning", "conf", "locale"),
 ]