Context
openedx_authz currently imports from edx-platform internals to implement behavior that's really owned by one consuming service's domain. PermissionValidationMeView's course-authoring flag awareness is an example of this: a generic-looking endpoint (validate an action against a scope) ended up CMS-specific in behavior, and authz had to reach into openedx-platform to check a flag that belongs to Studio's domain, not to the API itself.
The dependency direction is usually backwards from where it should end up. Consumers (edx-platform, frontend-app-admin-console, and any future consumer) should depend on and extend authz, not the other way around. Right now it's the reverse for at least this one case, and the REST API surface in general was designed around the admin console MFE's current, entirely CMS-oriented needs, so more cases like this are likely to show up as that surface grows.
Definition of Done
Context
openedx_authz currently imports from edx-platform internals to implement behavior that's really owned by one consuming service's domain.
PermissionValidationMeView's course-authoring flag awareness is an example of this: a generic-looking endpoint (validate an action against a scope) ended up CMS-specific in behavior, and authz had to reach into openedx-platform to check a flag that belongs to Studio's domain, not to the API itself.The dependency direction is usually backwards from where it should end up. Consumers (edx-platform, frontend-app-admin-console, and any future consumer) should depend on and extend authz, not the other way around. Right now it's the reverse for at least this one case, and the REST API surface in general was designed around the admin console MFE's current, entirely CMS-oriented needs, so more cases like this are likely to show up as that surface grows.
Definition of Done
permissions/validate/meneed a per-service extension point, so this doesn't keep growing as more service-specific conditionals.