feat: extract overridable permission methods from ObjectTagView

Extract 4 overridable methods from ObjectTagView so downstream
platforms can substitute their own permission logic without
duplicating parent view code.

Serializers (ObjectTagsByTaxonomySerializer, ObjectTagMinimalSerializer)
now delegate can_tag_object and can_delete_objecttag computation to the
view when available, falling back to the existing _can() method.

No behavior change for existing consumers.

Co-authored-by: Kiro <kiro@amazon.com>

Author: wgu-taylor-payne

src/openedx_core/__init__.py

@@ -6,4 +6,4 @@
 """
 
 # The version for the entire repository
-__version__ = "0.39.2"
+__version__ = "0.40.0"

src/openedx_tagging/rest_api/v1/serializers.py

@@ -147,6 +147,10 @@ def get_can_delete_objecttag(self, instance) -> bool | None:
         """
         Returns True if the current request user may delete object tags on this taxonomy
         """
+        view = self.context.get("view")
+        request = self.context.get("request")
+        if view and request and hasattr(view, "get_can_delete_objecttag_value"):
+            return view.get_can_delete_objecttag_value(request.user, instance.object_id)
         perm_name = f'{self.app_label}.remove_objecttag_objectid'
         return self._can(perm_name, instance.object_id)
 
@@ -179,6 +183,8 @@ def to_representation(self, instance: list[ObjectTag]) -> dict:
         # Allows consumers like edx-platform to override this
         ObjectTagViewMinimalSerializer = self.context["view"].minimal_serializer_class
 
+        view = self.context.get("view")
+        request = self.context.get("request")
         can_tag_object_perm = f"{self.app_label}.can_tag_object"
         by_object: dict[str, dict[str, Any]] = {}
         for obj_tag in instance:
@@ -189,10 +195,14 @@ def to_representation(self, instance: list[ObjectTag]) -> dict:
             taxonomies = by_object[obj_tag.object_id]["taxonomies"]
             tax_entry = next((t for t in taxonomies if t["taxonomy_id"] == obj_tag.taxonomy_id), None)
             if tax_entry is None:
+                if view and request and hasattr(view, "get_can_tag_object_value"):
+                    can_tag_object = view.get_can_tag_object_value(request.user, obj_tag)
+                else:
+                    can_tag_object = self._can(can_tag_object_perm, obj_tag)
                 tax_entry = {
                     "name": obj_tag.taxonomy.name if obj_tag.taxonomy else None,
                     "taxonomy_id": obj_tag.taxonomy_id,
-                    "can_tag_object": self._can(can_tag_object_perm, obj_tag),
+                    "can_tag_object": can_tag_object,
                     "tags": [],
                     "export_id": obj_tag.export_id,
                 }

src/openedx_tagging/rest_api/v1/views.py

@@ -31,7 +31,7 @@
 from ...data import TagDataQuerySet
 from ...import_export.api import export_tags, import_tags
 from ...import_export.parsers import ParserFormat
-from ...models import Tag, Taxonomy
+from ...models import ObjectTag, Tag, Taxonomy
 from ...rules import ObjectTagPermissionItem
 from ..paginators import MAX_FULL_DEPTH_THRESHOLD, DisabledTagsPagination, TagsPagination, TaxonomyPagination
 from ..utils import view_auth_classes
@@ -454,6 +454,58 @@ class ObjectTagView(
     lookup_field = "object_id"
     lookup_value_regex = r'[\w\.\+\-@:]+'
 
+    def check_view_object_tags_permission(self, object_id: str, taxonomy=None) -> None:
+        """
+        Check if the current user can view object tags for the given object.
+        Raises PermissionDenied if not. Override to customize permission logic.
+        """
+        perm_obj = ObjectTagPermissionItem(taxonomy=taxonomy, object_id=object_id)
+        if not self.request.user.has_perm(
+            "oel_tagging.view_objecttag",
+            perm_obj,  # type: ignore[arg-type]
+        ):
+            raise PermissionDenied(
+                "You do not have permission to view object tags for this taxonomy or object_id."
+            )
+
+    def check_can_tag_object_permission(self, object_id: str, taxonomy) -> None:
+        """
+        Check if the current user can tag the given object with the given taxonomy.
+        Raises PermissionDenied if not. Override to customize permission logic.
+        """
+        perm_obj = ObjectTagPermissionItem(taxonomy=taxonomy, object_id=object_id)
+        if not self.request.user.has_perm(
+            "oel_tagging.can_tag_object",
+            perm_obj,  # type: ignore[arg-type]
+        ):
+            raise PermissionDenied(f"""
+                You do not have permission to change object tags
+                for Taxonomy: {str(taxonomy)} or Object: {object_id}.
+            """)
+
+    def get_can_tag_object_value(self, user, obj_tag) -> bool | None:
+        """
+        Return whether the user can tag the object associated with obj_tag.
+        Used by serializers to populate the can_tag_object field.
+        Override to customize permission logic.
+        """
+        perm_name = f"{self.app_label}.can_tag_object"
+        return user.has_perm(perm_name, obj_tag)
+
+    def get_can_delete_objecttag_value(self, user, object_id: str) -> bool | None:
+        """
+        Return whether the user can delete object tags for the given object_id.
+        Used by serializers to populate the can_delete_objecttag field.
+        Override to customize permission logic.
+        """
+        perm_name = f"{self.app_label}.remove_objecttag_objectid"
+        return user.has_perm(perm_name, object_id)
+
+    @property
+    def app_label(self) -> str:
+        """Returns the app_label for permission name construction."""
+        return ObjectTag._meta.app_label  # pylint: disable=protected-access
+
     def get_queryset(self) -> models.QuerySet:
         """
         Return a queryset of object tags for a given object.
@@ -477,14 +529,7 @@ def get_queryset(self) -> models.QuerySet:
             # objects, e.g. if object_id.endswith("*") then it results in a object_id__startswith query. However, for
             # now we have no use case for that so we retrieve tags for one object at a time.
         else:
-            if not self.request.user.has_perm(
-                "oel_tagging.view_objecttag",
-                # The obj arg expects a model, but we are passing an object
-                ObjectTagPermissionItem(taxonomy=taxonomy, object_id=object_id),  # type: ignore[arg-type]
-            ):
-                raise PermissionDenied(
-                    "You do not have permission to view object tags for this taxonomy or object_id."
-                )
+            self.check_view_object_tags_permission(object_id, taxonomy)
 
         return get_object_tags(object_id, taxonomy_id)
 
@@ -556,7 +601,6 @@ def update(self, request, *args, **kwargs) -> Response:
             raise MethodNotAllowed("PATCH", detail="PATCH not allowed")
 
         object_id = kwargs.pop('object_id')
-        perm = "oel_tagging.can_tag_object"
         body = ObjectTagUpdateBodySerializer(data=request.data)
         body.is_valid(raise_exception=True)
 
@@ -568,20 +612,7 @@ def update(self, request, *args, **kwargs) -> Response:
         # Check permissions
         for tagsData in data:
             taxonomy = tagsData.get("taxonomy")
-
-            perm_obj = ObjectTagPermissionItem(
-                taxonomy=taxonomy,
-                object_id=object_id,
-            )
-            if not request.user.has_perm(
-                perm,
-                # The obj arg expects a model, but we are passing an object
-                perm_obj,  # type: ignore[arg-type]
-            ):
-                raise PermissionDenied(f"""
-                    You do not have permission to change object tags
-                    for Taxonomy: {str(taxonomy)} or Object: {object_id}.
-                """)
+            self.check_can_tag_object_permission(object_id, taxonomy)
 
         # Tag object_id per taxonomy
         for tagsData in data: