feat: feature flag to disable Advanced Settings #32015

@0x29a 0x29a commented Mar 31, 2023

Description

Adds the new Studio feature flag, DISABLE_ADVANCED_SETTINGS, which disables access to course advanced settings for non-staff users. Also, it removes "Advanced Settings" from the "Settings" dropdown.

Testing instructions

  1. Apply this patch:
    diff --git a/cms/envs/common.py b/cms/envs/common.py
    index 56ba9187c6..f6dce2edb8 100644
    --- a/cms/envs/common.py
    +++ b/cms/envs/common.py
    @@ -524,7 +524,7 @@ FEATURES = {
         # .. toggle_use_cases: open_edx
         # .. toggle_creation_date: 2023-03-31
         # .. toggle_tickets: https://github.com/openedx/edx-platform/pull/32015
    -    'DISABLE_ADVANCED_SETTINGS': False,
    +    'DISABLE_ADVANCED_SETTINGS': True,
     }
     
     # .. toggle_name: ENABLE_COPPA_COMPLIANCE
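    Review bot: flipping the default on the 'DISABLE_ADVANCED_SETTINGS': True line only exercises the restricted state, so the verification step never checks the path every deployment gets by default. Add a step that leaves the flag at False and confirms that non-staff users can still see and open Advanced Settings.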
  2. Verify that any user except Django admin staff can neither see the "Advanced Settings" dropdown element nor access the page directly.

private-ref

@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Mar 31, 2023
@openedx-webhooks

Thanks for the pull request, @0x29a! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

  • supporting documentation
  • Open edX discussion forum threads
  • timeline information ("this must be merged by XX date", and why that is)
  • partner information ("this is a course on edx.org")
  • any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

@0x29a 0x29a force-pushed the 0x29a/bb7220/disable-advanced-settings branch 2 times, most recently from ca7f438 to 3ef9955 Compare April 1, 2023 09:38
@farhaanbukhsh farhaanbukhsh left a comment

👍

@0x29a I have added a few nits, but it looks good overall!

  • ✅ I tested this on master devstack
  • ✅ I read through the code
  • ❌ I checked for accessibility issues
  • ✅ Includes documentation
  • ❌ I made sure any change in configuration variables is reflected in the corresponding client's configuration-secure repository.

@@ -752,6 +762,7 @@ def course_index(request, course_key):
'frontend_app_publisher_url': frontend_app_publisher_url,
'mfe_proctored_exam_settings_url': get_proctored_exam_settings_url(course_block.id),
'advance_settings_url': reverse_course_url('advanced_settings_handler', course_block.id),
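Review bot: the context key on the last line is spelled advance_settings_url while the handler it reverses is advanced_settings_handler; rename the key to advanced_settings_url, and update whatever reads it, so views and templates refer to this URL by one name.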
Member

Suggested change
- 'advance_settings_url': reverse_course_url('advanced_settings_handler', course_block.id),
+ 'advance_settings_url': reverse_course_url('advanced_settings_handler', course_block.id) if has_advanced_settings_access(request.user) else None,

Contributor Author

@0x29a 0x29a Apr 3, 2023

@farhaanbukhsh, I did the same initially, but then I noticed this code above in this same file:

% if context_course:
  <%
    course_key = context_course.id
    url_encoded_course_key = quote(six.text_type(course_key).encode('utf-8'), safe='')
    index_url = reverse('course_handler', kwargs={'course_key_string': six.text_type(course_key)})
    course_team_url = reverse('course_team_handler', kwargs={'course_key_string': six.text_type(course_key)})
    assets_url = reverse('assets_handler', kwargs={'course_key_string': six.text_type(course_key)})
    textbooks_url = reverse('textbooks_list_handler', kwargs={'course_key_string': six.text_type(course_key)})
    videos_url = reverse('videos_handler', kwargs={'course_key_string': six.text_type(course_key)})
    import_url = reverse('import_handler', kwargs={'course_key_string': six.text_type(course_key)})
    course_info_url = reverse('course_info_handler', kwargs={'course_key_string': six.text_type(course_key)})
    export_url = reverse('export_handler', kwargs={'course_key_string': six.text_type(course_key)})
    settings_url = reverse('settings_handler', kwargs={'course_key_string': six.text_type(course_key)})
    grading_url = reverse('grading_handler', kwargs={'course_key_string': six.text_type(course_key)})
    advanced_settings_url = reverse('advanced_settings_handler', kwargs={'course_key_string': six.text_type(course_key)})
    tabs_url = reverse('tabs_handler', kwargs={'course_key_string': six.text_type(course_key)})
    certificates_url = ''
    if settings.FEATURES.get("CERTIFICATES_HTML_VIEW") and context_course.cert_html_view_enabled:
        certificates_url = reverse('certificates_list_handler', kwargs={'course_key_string': six.text_type(course_key)})
    checklists_url = reverse('checklists_handler', kwargs={'course_key_string': six.text_type(course_key)})
    pages_and_resources_mfe_enabled = ENABLE_PAGES_AND_RESOURCES_MICROFRONTEND.is_enabled(context_course.id)
  %>

So, if context_course is True, the button will be shown despite DISABLE_ADVANCED_SETTINGS being set to True.

Member

Makes sense :)

@@ -120,9 +120,11 @@ <h3 class="title"><span class="label"><span class="label-prefix sr">${_("Course"
<a href="${mfe_proctored_exam_settings_url}">${_("Proctored Exam Settings")}</a>
</li>
% endif
% if advance_settings_access:
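Review bot: the guard on the last line reads advance_settings_access from the template context, so the link's visibility depends on every view that renders this header supplying that variable. Compute it in one shared place or confirm each rendering view passes it, and add a test that renders the header with the flag off and asserts the link is still present.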
Member

Suggested change
- % if advance_settings_access:
+ % if advanced_settings_url:

Contributor Author

Same concern as #32015 (comment).

cms/djangoapps/contentstore/tests/test_course_settings.py Outdated
@0x29a 0x29a force-pushed the 0x29a/bb7220/disable-advanced-settings branch 2 times, most recently from 97c326e to 22974b2 Compare April 3, 2023 11:53
@farhaanbukhsh farhaanbukhsh left a comment

Few nits ;)

Comment on lines 154 to 158
return (
not settings.FEATURES.get('DISABLE_ADVANCED_SETTINGS', False)
or user.is_staff
)
Member

Should we also add global admin to this? Doesn't make sense to have staff but not admin!

Contributor Author

@@ -752,6 +762,7 @@ def course_index(request, course_key):
'frontend_app_publisher_url': frontend_app_publisher_url,
'mfe_proctored_exam_settings_url': get_proctored_exam_settings_url(course_block.id),
'advance_settings_url': reverse_course_url('advanced_settings_handler', course_block.id),
Member

Makes sense :)

@0x29a 0x29a force-pushed the 0x29a/bb7220/disable-advanced-settings branch from 22974b2 to e207c9d Compare April 3, 2023 20:37
@mphilbrick211

Hi @0x29a @farhaanbukhsh - is this ready to merge? If so, @farhaanbukhsh are you able to do so?

# .. toggle_name: FEATURES['DISABLE_ADVANCED_SETTINGS']
# .. toggle_implementation: DjangoSetting
# .. toggle_default: False
# .. toggle_description: Set to True to disable the advanced settings page in Studio for all users except staff.
Contributor

Can you clarify what is meant by 'staff' here? Is it django staff, or course staff?

Contributor Author

@pdpinch, done.

@0x29a 0x29a force-pushed the 0x29a/bb7220/disable-advanced-settings branch from e207c9d to 60a5b5a Compare April 5, 2023 16:49
@0x29a
Contributor Author

0x29a commented Apr 5, 2023

Hi @mphilbrick211, neither me nor @farhaanbukhsh have merge rights. We just do our internal review before asking core contributors to make a final review.

@0x29a 0x29a force-pushed the 0x29a/bb7220/disable-advanced-settings branch from 60a5b5a to f45e8d1 Compare April 5, 2023 16:52
@farhaanbukhsh
Member

> Hi @mphilbrick211, neither me nor @farhaanbukhsh have merge rights. We just do our internal review before asking core contributors to make a final review.

@0x29a @mphilbrick211 I do have the merge access :)

@farhaanbukhsh farhaanbukhsh merged commit 63d49d3 into openedx:master Apr 6, 2023
@farhaanbukhsh farhaanbukhsh deleted the 0x29a/bb7220/disable-advanced-settings branch April 6, 2023 13:04
@openedx-webhooks

@0x29a 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future.

@edx-pipeline-bot
Contributor

EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production.

@edx-pipeline-bot
Contributor

EdX Release Notice: This PR has been deployed to the production environment.

@pdpinch
Contributor

pdpinch commented Apr 12, 2023

After this was merged, we saw some unexpected behavior on our QA deployment with the advanced settings in Studio -- users who used to have access don't anymore.

Can you clarify:

  1. If we don't have a value set for DISABLE_ADVANCED_SETTINGS what is the expected behavior?
  2. What, exactly, do you mean by "non-staff" users? Staff could mean "django admin staff" or "course staff". Will course admins still have access?

@0x29a
Contributor Author

0x29a commented Apr 12, 2023

@pdpinch, thank you for reporting this. Looking at the code, I can't immediately tell where the issue is. Should we create a revert PR?

> If we don't have a value set for DISABLE_ADVANCED_SETTINGS what is the expected behavior?

If it's not set, course admins and course staff should have access.

> What, exactly, do you mean by "non-staff" users? Staff could mean "django admin staff" or "course staff". Will course admins still have access?

I updated the PR description. No, course admins won't have access. Only Django admin staff and superusers.

0x29a added a commit to open-craft/edx-platform that referenced this pull request Apr 12, 2023
@0x29a
Contributor Author

0x29a commented Apr 12, 2023

@pdpinch, upd: I think I could have overlooked some templates that lack advanced_settings_url context variable. ☹️ If that's the case, I'll prepare a fix. For now, let's revert this: #32062. Sorry for the inconvenience.

@farhaanbukhsh
Member

farhaanbukhsh commented Apr 17, 2023

@0x29a I should have been more careful about testing this PR. This also points out that we don't have enough test coverage; we should make sure to add more tests in the new PR as well. cc: @pdpinch
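
An added example, not code from this pull request or from edx-platform: a role-by-flag regression matrix of the kind the comment above asks for, covering the flag unset, False and True, plus a view that does not pass the template variable. The access rule follows the author's description in this thread; `User`, `build_context`, `link_shown`, the sample URL and the assumption that a missing template variable evaluates as false are hypothetical stand-ins.

```python
from dataclasses import dataclass
from itertools import product

FLAG = "DISABLE_ADVANCED_SETTINGS"

@dataclass(frozen=True)
class User:
    """Constructed stand-in for a Django user with the two flags discussed."""
    name: str
    is_staff: bool = False      # Django admin staff
    is_superuser: bool = False

def has_advanced_settings_access(user, features):
    """Rule as described in the thread: open unless the flag is True, then
    limited to Django admin staff and superusers."""
    if not features.get(FLAG, False):
        return True
    return user.is_staff or user.is_superuser

def build_context(user, features, passes_access_var):
    """Hypothetical view context. passes_access_var=False models a view that
    was not updated to supply the new template variable."""
    ctx = {"advanced_settings_url": "/settings/advanced/<course_key>"}
    if passes_access_var:
        ctx["advance_settings_access"] = has_advanced_settings_access(user, features)
    return ctx

def link_shown(ctx):
    """Template guard; assumes a missing variable evaluates as false."""
    return bool(ctx.get("advance_settings_access") and ctx.get("advanced_settings_url"))

# Constructed role and flag matrix: unset, explicit False, explicit True.
USERS = [User("course_staff"), User("django_staff", is_staff=True),
         User("superuser", is_superuser=True)]
FEATURE_STATES = {"unset": {}, "false": {FLAG: False}, "true": {FLAG: True}}

def regressions(passes_access_var):
    """Return (flag_state, user) pairs whose link visibility differs from
    what the access rule allows."""
    bad = []
    for (state, features), user in product(FEATURE_STATES.items(), USERS):
        expected = has_advanced_settings_access(user, features)
        shown = link_shown(build_context(user, features, passes_access_var))
        if shown != expected:
            bad.append((state, user.name))
    return bad

if __name__ == "__main__":
    print("view omits the variable:", regressions(False))
```

With the variable supplied the matrix is clean; with it omitted, every role loses the link even when the flag is unset, which is the default-path case a flag-on-only test never exercises.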
