fixup! feat: check authz permissions for course tagging

wgu-taylor-payne · wgu-taylor-payne · commit 09ed8db4903a · 2026-04-24T16:11:11.000-06:00
diff --git a/openedx/core/djangoapps/content_tagging/rest_api/v1/views.py b/openedx/core/djangoapps/content_tagging/rest_api/v1/views.py
@@ -3,6 +3,9 @@
 """
 from __future__ import annotations
 
+import functools
+from typing import TYPE_CHECKING
+
 from django.db.models import Count
 from django.http import StreamingHttpResponse
 from openedx_authz import api as authz_api
@@ -31,6 +34,10 @@
 )
 from ...auth import has_view_object_tags_access, should_use_authz_for_object
 from ...rules import get_admin_orgs
+
+if TYPE_CHECKING:
+    from opaque_keys.edx.keys import CourseKey
+
 from .filters import ObjectTagTaxonomyOrgFilterBackend, UserOrgFilterBackend
 from .serializers import (
     ObjectTagCopiedMinimalSerializer,
@@ -161,15 +168,17 @@ class ObjectTagOrgView(ObjectTagView):
 
     filter_backends = [ObjectTagTaxonomyOrgFilterBackend]
 
-    def _should_use_authz(self) -> bool:
+    @functools.cached_property
+    def _authz_check(self) -> tuple[bool, CourseKey | None]:
         """
-        Determine if we should use openedx-authz for the current object_id.
+        Cache the authz toggle + key-parsing result for the current object_id.
+
+        Safe to cache per-instance because DRF creates a new view instance per request.
         """
         object_id = self.kwargs.get('object_id')
         if object_id:
-            should_use_authz, _ = should_use_authz_for_object(object_id)
-            return should_use_authz
-        return False
+            return should_use_authz_for_object(object_id)
+        return False, None
 
     def get_permissions(self):
         """
@@ -179,7 +188,7 @@ def get_permissions(self):
         permission classes set by the parent ObjectTagView so that only openedx-authz
         permissions are used.
         """
-        if self._should_use_authz():
+        if self._authz_check[0]:
             return [IsAuthenticated()]
 
         return super().get_permissions()
@@ -190,7 +199,7 @@ def ensure_has_view_object_tag_permission(self, user, taxonomy, object_id):
 
         This method is overridden to conditionally use openedx-authz when the toggle is enabled.
         """
-        should_use_authz, course_key = should_use_authz_for_object(object_id)
+        should_use_authz, course_key = self._authz_check
         if should_use_authz and not authz_api.is_user_allowed(
             user.username, COURSES_VIEW_COURSE.identifier, str(course_key)
         ):
@@ -208,7 +217,7 @@ def ensure_user_has_can_tag_object_permissions(self, user, tags_data, object_id)
         When using openedx-authz, if the user has manage tags permission for the course,
         they can tag the object regardless of the taxonomy.
         """
-        should_use_authz, course_key = should_use_authz_for_object(object_id)
+        should_use_authz, course_key = self._authz_check
         if should_use_authz and not authz_api.is_user_allowed(
             user.username, COURSES_MANAGE_TAGS.identifier, str(course_key)
         ):
