feat: add object tag view permissions [FC-0036]

[rpenido]

Description

Add view permission for ObjectTag

• The oel_tagging.view_objecttag_objectid rule is used in the rest API view to check if the user has permission on the object_id to see its tags

Supporting Information

• [Tagging] Permissions for Taxonomies List Page and Taxonomy Detail Page modular-learning#129

Testing instructions

• Please ensure that the tests cover the expected behavior of the view

---

Private-ref: FAL-3518

[openedx-webhooks]

Thanks for the pull request, @rpenido! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

• supporting documentation
• Open edX discussion forum threads
• timeline information ("this must be merged by XX date", and why that is)
• partner information ("this is a course on edx.org")
• any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

[pomegranited]

@rpenido I don't think this PR is necessary -- We're anticipating functionality that's not specified yet, and that's gotten us into trouble before. I think it's enough for now to have this restriction in the content_tagging app.

CC @bradenmacdonald

[rpenido]

Hi @pomegranited! I agree with you regarding the filter, but I think the permission belongs here:

• We are overriding the retrieve method of the view to return a list. This is not the default behavior, so the DjangoModelPermissions will not work out of the box. We don't have a Model to check permission against, so we need to make explicit permission calls in the view code (like we did in the update):
  

  openedx-learning/openedx_tagging/core/tagging/rest_api/v1/views.py

  Lines 301 to 309 in 8ba0043

  	perm_obj = ChangeObjectTagPermissionItem(
  	taxonomy=taxonomy,
  	object_id=object_id,
  	)
  	if not request.user.has_perm(perm, perm_obj):
  	raise PermissionDenied(
  	"You do not have permission to change object tags for this taxonomy or object_id."
  	)

• The View is implemented here. To change the permission check to edx-platform we will need to reimplement the view code there.

I'll change the code to make it minimal. Let me know what you think!

[pomegranited]

I agree with you regarding the filter, but I think the permission belongs here:

Ok yes, I get your reasoning for putting the rules check and view change here. 👍

But why make oel_tagging.view_objecttag_objectid False by default?

[rpenido]

Hi @pomegranited! I think we are close! I made the requested changes.
Let me know if I miss something! If everything is right, I will squash it and send it to CC review.

[pomegranited]

👍 This is looking good, thank you @rpenido , and ready for CC review!

Could you make sure there's a version bump before it gets merged?

• I tested this by checking the unit tests, and by ensuring this branch is installed for the tests run by fix: update taxonomies permission rules edx-platform#33413
• I read through the code
• I checked for accessibility issues N/A
• Includes documentation -- good code comments
• Commit structure follows OEP-0051

[rpenido]

Thank you for the review @pomegranited!
@bradenmacdonald , can you make a CC review here?

[bradenmacdonald]

Nice! Just one minor question / change request, then I'll approve and merge.

[bradenmacdonald]

@rpenido Would you like me to merge this now?

[rpenido]

Sure @bradenmacdonald! I think we are good here!
We also need to tag the new version (I already bumped the version to 0.2.5

[openedx-webhooks]

@rpenido 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future.