feat: add studio write access validation (#55)

* feat: add studio write access validation

https://jira.2u.com/browse/ACADEMIC-16359

* feat: add edx-drf-extensions lib

* Add SessionAuthentication
* Add JwtAuthentication

* feat: Update CHANGELOG.rst

Author: germanolleunlp

CHANGELOG.rst

@@ -14,6 +14,15 @@ Change Log
 Unreleased
 **********
 
+3.5.0 – 2023-09-04
+**********************************************
+
+* Add edx-drf-extensions lib.
+* Add JwtAuthentication checks before each request.
+* Add SessionAuthentication checks before each request.
+* Add HasStudioWriteAccess permissions checks before each request.
+
+
 3.4.0 – 2023-08-30
 **********************************************
 

ai_aside/__init__.py

@@ -2,6 +2,6 @@
 A plugin containing xblocks and apps supporting GPT and other LLM use on edX.
 """
 
-__version__ = '3.4.0'
+__version__ = '3.5.0'
 
 default_app_config = "ai_aside.apps.AiAsideConfig"

ai_aside/config_api/api.py

@@ -1,7 +1,8 @@
 """
 Implements an API for updating unit and course settings.
 """
-from ai_aside.config_api.internal import NotFoundError, _get_course, _get_course_units, _get_unit
+from ai_aside.config_api.exceptions import AiAsideNotFoundException
+from ai_aside.config_api.internal import _get_course, _get_course_units, _get_unit
 from ai_aside.models import AIAsideCourseEnabled, AIAsideUnitEnabled
 from ai_aside.waffle import summaries_configuration_enabled
 
@@ -28,7 +29,7 @@ def set_course_settings(course_key, settings):
     Expects: settings to be a dictionary of the form:
         `{'enabled': bool}`
 
-    Raises NotFoundError if the settings are not found.
+    Raises AiAsideNotFoundException if the settings are not found.
     """
     enabled = settings['enabled']
 
@@ -47,7 +48,7 @@ def delete_course_settings(course_key):
     """
     Deletes the settings of a course.
 
-    Raises NotFoundError if the settings are not found.
+    Raises AiAsideNotFoundException if the settings are not found.
     """
     reset_course_unit_settings(course_key)
     record = _get_course(course_key)
@@ -84,7 +85,7 @@ def set_unit_settings(course_key, unit_key, settings):
     Expects: settings as a dictionary of the form:
         `{'enabled': bool}`
 
-    Raises NotFoundError if the settings are not found.
+    Raises AiAsideNotFoundException if the settings are not found.
     """
     enabled = settings['enabled']
 
@@ -104,7 +105,7 @@ def delete_unit_settings(course_key, unit_key):
     """
     Deletes the settings of a unit.
 
-    Raises NotFoundError if the settings are not found.
+    Raises AiAsideNotFoundException if the settings are not found.
     """
     record = _get_unit(course_key, unit_key)
     record.delete()
@@ -127,7 +128,7 @@ def is_course_settings_present(course_key):
     try:
         course = _get_course(course_key)
         return course is not None
-    except NotFoundError:
+    except AiAsideNotFoundException:
         return False
 
 
@@ -147,12 +148,12 @@ def is_summary_enabled(course_key, unit_key=None):
 
             if unit is not None:
                 return unit.enabled
-        except NotFoundError:
+        except AiAsideNotFoundException:
             pass
 
     try:
         course = _get_course(course_key)
-    except NotFoundError:
+    except AiAsideNotFoundException:
         return False
 
     if course is not None:

ai_aside/config_api/exceptions.py

@@ -0,0 +1,18 @@
+"""
+Custom exceptions for ai-aside
+"""
+from rest_framework import status
+
+
+class AiAsideException(Exception):
+    """
+    A common base class for all exceptions
+    """
+    http_status = status.HTTP_400_BAD_REQUEST
+
+
+class AiAsideNotFoundException(AiAsideException):
+    """
+    A 404 exception class
+    """
+    http_status = status.HTTP_404_NOT_FOUND

ai_aside/config_api/internal.py

@@ -1,21 +1,18 @@
 """
 Internal methods for the API.
 """
+from ai_aside.config_api.exceptions import AiAsideNotFoundException
 from ai_aside.models import AIAsideCourseEnabled, AIAsideUnitEnabled
 
 
-class NotFoundError(Exception):
-    "Raised when the course/unit is not found in the database"
-
-
 def _get_course(course_key):
     "Private method that gets a course based on an id"
     try:
         record = AIAsideCourseEnabled.objects.get(
             course_key=course_key,
         )
-    except AIAsideCourseEnabled.DoesNotExist as exc:
-        raise NotFoundError from exc
+    except AIAsideCourseEnabled.DoesNotExist as error:
+        raise AiAsideNotFoundException from error
 
     return record
 
@@ -27,8 +24,8 @@ def _get_unit(course_key, unit_key):
             course_key=course_key,
             unit_key=unit_key,
         )
-    except AIAsideUnitEnabled.DoesNotExist as exc:
-        raise NotFoundError from exc
+    except AIAsideUnitEnabled.DoesNotExist as error:
+        raise AiAsideNotFoundException from error
 
     return record
 

ai_aside/config_api/permissions.py

@@ -0,0 +1,27 @@
+""" Permissions for ai-aside API"""
+
+from rest_framework.permissions import BasePermission
+
+from ai_aside.config_api.validators import validate_course_key
+from ai_aside.platform_imports import can_change_summaries_settings
+
+
+class HasStudioWriteAccess(BasePermission):
+    """
+    Check if the user has studio write access to a course.
+    """
+    def has_permission(self, request, view):
+        """
+        Check permissions for this class.
+        """
+
+        if not request.user.is_authenticated:
+            return False
+
+        if not request.user.is_active:
+            return False
+
+        course_key_string = view.kwargs.get('course_id')
+        course_key = validate_course_key(course_key_string)
+
+        return can_change_summaries_settings(request.user, course_key)

ai_aside/config_api/validators.py

@@ -0,0 +1,32 @@
+"""
+Utilities related to API views
+"""
+
+from opaque_keys import InvalidKeyError
+from opaque_keys.edx.keys import CourseKey, UsageKey
+
+from ai_aside.config_api.exceptions import AiAsideException
+
+
+def validate_course_key(course_key_string: str) -> CourseKey:
+    """
+    Validate and parse a course_key string, if supported.
+    """
+    try:
+        course_key = CourseKey.from_string(course_key_string)
+    except InvalidKeyError as error:
+        raise AiAsideException(f"{course_key_string} is not a valid CourseKey") from error
+    if course_key.deprecated:
+        raise AiAsideException("Deprecated CourseKeys (Org/Course/Run) are not supported.")
+    return course_key
+
+
+def validate_unit_key(unit_key_string: str) -> UsageKey:
+    """
+    Validate and parse a unit_key string, if supported.
+    """
+    try:
+        usage_key = UsageKey.from_string(unit_key_string)
+    except InvalidKeyError as error:
+        raise AiAsideException(f"{unit_key_string} is not a valid UsageKey") from error
+    return usage_key

ai_aside/config_api/view_utils.py

@@ -0,0 +1,52 @@
+"""
+Config API Utilities
+"""
+import logging
+
+from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
+from edx_rest_framework_extensions.auth.session.authentication import SessionAuthentication
+from rest_framework import status
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from ai_aside.config_api.exceptions import AiAsideException
+from ai_aside.config_api.permissions import HasStudioWriteAccess
+
+log = logging.getLogger(__name__)
+
+
+def handle_ai_aside_exception(exc, name=None):  # pylint: disable=inconsistent-return-statements
+    """
+    Converts ai_aside exceptions into restframework responses
+    """
+    if isinstance(exc, AiAsideException):
+        log.exception(name)
+        return APIResponse(http_status=exc.http_status, data={'message': str(exc)})
+
+
+class APIResponse(Response):
+    """API Response"""
+    def __init__(self, data=None, http_status=None, content_type=None, success=False):
+        _status = http_status or status.HTTP_200_OK
+        data = data or {}
+        reply = {'response': {'success': success}}
+        reply['response'].update(data)
+        super().__init__(data=reply, status=_status, content_type=content_type)
+
+
+class AiAsideAPIView(APIView):
+    """
+    Base API View with authentication and permissions.
+    """
+
+    authentication_classes = (JwtAuthentication, SessionAuthentication,)
+    permission_classes = (HasStudioWriteAccess,)
+
+    def handle_exception(self, exc):
+        """
+        Converts ai-aside exceptions into standard restframework responses
+        """
+        resp = handle_ai_aside_exception(exc, name=self.__class__.__name__)
+        if not resp:
+            resp = super().handle_exception(exc)
+        return resp