From bc76a865f44ad35248ea6af50e95a545721670ca Mon Sep 17 00:00:00 2001
From: Pandi Ganesh <pganesh-apphelix@2U.com>
Date: Mon, 18 Aug 2025 16:42:02 +0530
Subject: [PATCH] fix: update role assignment conditions (#37188)

---
 lms/djangoapps/support/rest_api/v1/views.py | 42 ++++++++++++++++++---
 1 file changed, 37 insertions(+), 5 deletions(-)

diff --git a/lms/djangoapps/support/rest_api/v1/views.py b/lms/djangoapps/support/rest_api/v1/views.py
index 9ec8216a00..73bbdf04da 100644
--- a/lms/djangoapps/support/rest_api/v1/views.py
+++ b/lms/djangoapps/support/rest_api/v1/views.py
@@ -14,7 +14,6 @@ from rest_framework.response import Response
 
 from common.djangoapps.student.models import CourseEnrollment
 from common.djangoapps.student.models.user import CourseAccessRole
-from common.djangoapps.student.roles import CourseRole
 from openedx.core.djangoapps.content.course_overviews.models import CourseOverview
 
 from ..serializers import CourseTeamManageSerializer
@@ -510,20 +509,53 @@ class CourseTeamManageAPIView(GenericAPIView):
     def _perform_role_action(self, data, role, action, user, course_key):
         """Assign or revoke role for the user on the course."""
         try:
-            course_role = CourseRole(role, course_key)
             if action == "assign":
-                course_role.add_users(user)
-                CourseEnrollment.enroll(user, course_key)
+                self._assign_role(user, role, course_key)
             elif action == "revoke":
-                course_role.remove_users(user)
+                self._revoke_role(user, role, course_key)
             else:
                 return self._make_result(
                     data, "failed", "Invalid action. Use 'assign' or 'revoke'."
                 )
+            # Clear user roles cache
+            if hasattr(user, '_roles'):
+                del user._roles
             return self._make_result(data, "success")
         except Exception as exc:  # pylint: disable=broad-except
             return self._make_result(data, "failed", str(exc))
 
+    def _assign_role(self, user, role, course_key):
+        """
+        Assign role with single entry.
+        """
+        existing_role = CourseAccessRole.objects.filter(
+            user=user,
+            course_id=course_key,
+            org=course_key.org,
+            role__in=["staff", "instructor"]
+        ).first()
+
+        if existing_role:
+            existing_role.role = role
+            existing_role.save()
+        else:
+            CourseAccessRole.objects.create(
+                user=user,
+                role=role,
+                course_id=course_key,
+                org=course_key.org,
+            )
+        CourseEnrollment.enroll(user, course_key)
+
+    def _revoke_role(self, user, role, course_key):
+        """
+        Revoke role with cleanup - instructor revoke removes all access.
+        """
+        existing_roles = CourseAccessRole.objects.filter(
+            user=user, course_id=course_key, role__in=["staff", "instructor"]
+        )
+        existing_roles.delete()
+
     def _make_result(self, data, outcome, error=None):
         """
         Formats the response for each role assignment entry.