Add unit learning objectives report API endpoint

[AllanOXDi]

Summary

This PR adds a new endpoint that returns aggregatedpre/posttest scores for every learner assigned to a unit, broken down by learning objective. Learner test attempts are located via UUID5 synthetic content IDs (derived from learner, course session, and unit IDs) that encode the A/B item-set split.

The endpoint is restricted to coach/admin roles and is accompanied by a comprehensive test suite covering permissions, response shape, scoring logic, and learner-group filtering.
closes #14165

References

#14165

Reviewer guidance

1. Confirm that GET /api/coach/coursesession/<id>/unit/<id>/report/ returns 403 for an unauthenticated request and 200 for the coach.
2. Verify the response contains per-learner, per-LO correct-answer counts under both "pre_test" and "post_test" keys.
3. Confirm a learner who has not attempted either test is present in learners but absent from the score maps (not present as a null entry).
4. Confirm the pre_test. status / post_test.status fields reflect the closed state of the corresponding UnitTestAssignment records

AI usage

Gemini and Cloud AI helped in refining my thinking and testing my hypothesis

[github-actions]

Build Artifacts

Asset type	Download link
PEX file	kolibri-0.19.4.dev0_git.20260323184332.pex
Windows Installer (EXE)	kolibri-0.19.4.dev0+git.20260323184332-windows-setup-unsigned.exe
Debian Package	kolibri_0.19.4.dev0+git.20260323184332-0ubuntu1_all.deb
Mac Installer (DMG)	kolibri-0.19.4.dev0+git.20260323184332.dmg
Android Package (APK)	kolibri-0.19.4.dev0+git.20260323184332-0.1.7-debug.apk
Raspberry Pi Image	kolibri-pi-image-0.19.4.dev0+git.20260323184332.zip
TAR file	kolibri-0.19.4.dev0+git.20260323184332.tar.gz
WHL file	kolibri-0.19.4.dev0+git.20260323184332-py2.py3-none-any.whl

Smoke test screenshot

Download screenshot

[rtibblesbot]

New read-only API endpoint for unit pre/post test report with per-learner, per-LO scoring.

CI passing (only Handle pull request events check present). No UI files — visual review skipped.

• blocking: PR description is empty — summary, references, reviewer guidance, and AI usage sections are all unfilled placeholders. No linked issues either, so there are no acceptance criteria to review against. Please fill in the description so reviewers understand the intent and can verify completeness.
• blocking: PR targets release-v0.19.x but the repo default branch is develop. If this feature is meant for the release branch, please confirm. Otherwise, retarget to develop.
• suggestion: unit_contentnode_id is not validated as an actual unit — any ContentNode pk would be accepted, returning an empty-ish response with a misleading unit_title. See inline comment.
• praise: Thorough test suite — permissions, response shape, scoring logic, edge cases (null options, partial credit, retakes, duplicate attempts, learner groups, dual-role exclusion). See inline comment.
• praise: SQLite chunking with _IN_CHUNK_SIZE and clear rationale. See inline comment.

---

@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Reviewed the pull request diff checking for:

• Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
• Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
• Architecture: duplicated concerns, minimal interfaces, composition over inheritance
• Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
• Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
• Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
• Checked CI status and linked issue acceptance criteria
• For UI changes: inspected screenshots for layout, visual completeness, and consistency

[rtibblesbot]

suggestion: No validation that unit_contentnode_id refers to a content node with modality == UNIT. Passing any arbitrary ContentNode pk would return a 200 with empty learning objectives and a potentially confusing unit_title. Consider adding a filter like get_object_or_404(ContentNode, pk=unit_contentnode_id, modality=modalities.UNIT) to return 404 for non-unit nodes — or accept this as intentional if the frontend is the only caller and always passes valid unit IDs.

[rtibblesbot]

praise: Good defensive coding for SQLite's variable limit. The constant, chunk size rationale, and the generic _chunked helper are all clear and well-documented.

[rtibblesbot]

praise: Excellent test coverage. The test_only_most_recent_complete_mastery_log_used test carefully constructs two mastery logs sharing one ContentSummaryLog (respecting the morango UNIQUE constraint) with opposite correctness outcomes — this is a high-value edge case that's easy to get wrong. The overall suite covers pure functions, API integration, permissions, response shape, scoring, learner groups, and dual-role exclusion.

[rtibblesbot]

suggestion: The _course_session side-effect cache on the view instance is pragmatic and documented, but couples the permission class to the view's internal expectations. A small comment on the view side (near line 289) noting this dependency would help — the getattr fallback is good, but a future refactor that removes UnitReportPermissions would silently add an extra query without any visible indication that the optimization was lost.

[AllanOXDi]

@rtibbles we are caching _course_session on the view to avoid a second DB query in retrieve. This creates coupling between the permission class and the viewset. would this be OK! or should we either (a) accept the second query and remove the side effect, or (b) introduce a shared helper (e.g. get_course_session_403) that both call?

[rtibbles]

I think let's just skip this for now - it's an optimization. We can focus on getting the core logic correct and then optimize.

[rtibblesbot]

Delta re-review of the unit learning objectives report API.

Prior findings

Resolved:

• PR description empty (blocking) — now filled in with summary, references, reviewer guidance, AI usage, and closes #14165
• PR targets release-v0.19.x (blocking) — confirmed intentional; multiple merged PRs target this branch as part of the v0.19.x release workflow
• unit_contentnode_id not validated as a unit (suggestion) — modality=modalities.UNIT added to get_object_or_404
• _course_session cache comment (suggestion) — expanded comment at lines 288-290 documents the dependency and fallback rationale

4/4 prior findings resolved.

CI passing (only Handle pull request events check). No UI files — visual review skipped. All acceptance criteria from #14165 verified.

---

@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Compared the current PR state against findings from a prior review:

• Retrieved prior bot reviews deterministically via the GitHub API
• Classified each prior finding as RESOLVED, UNADDRESSED, ACKNOWLEDGED, or CONTESTED
• Only raised NEW findings for newly introduced code
• Reviewed the pull request diff checking for correctness, design, architecture, testing, completeness, and adherence to DRY/SRP principles
• Checked CI status and linked issue acceptance criteria

[rtibblesbot]

praise: Clean fix for the prior suggestion — modality=modalities.UNIT on the get_object_or_404 call returns a proper 404 for non-unit content nodes, and the expanded comment above (lines 288-290) documents the _course_session cache dependency for future maintainers.

[rtibbles]

There's an error in the spec that we need to rectify, but even if it wasn't there, that wouldn't have helped because of the parallel (and divergent) implementation of content_id generation for the tests.

I would have liked to see either more reuse of existing code, and/or more copying of existing patterns for the queries.

[rtibbles]

This says it must match the generation logic used on the learner side - it absolutely does not.

https://github.com/learningequality/kolibri/blob/release-v0.19.x/kolibri/core/logger/api.py#L393

We should be using exactly the same id here.

However, I suspect we have made a mistake there - there we are including the user_id in the synthetic content_id, but that makes the querying much more complicated, what would be more helpful is to user the same synthetic content_id per user.

We should update the logger api.py synthetic content_id generation logic to not include the user_id (so separating it slightly from the deterministic hash used for A and B types), and make it reusable here, rather than implementing a completely parallel id generation strategy.

[AllanOXDi]

Okay, I will just extract in to pre_post_test.py without user_id in the key. so that both logger and unit report api can now import from there

[rtibbles]

We shouldn't be reimplementing this - we should move the api.py logic in the logger app to a place where it is reusable here.

[rtibbles]

I am not entirely sure what, but this feels more complicated than it needs to be. We have a lot of the logic for querying these kinds of values in bulk in the coach_summary API endpoint, so I think we could look there for examples of how to simplify somewhat.

[rtibbles]

I think let's just skip this for now - it's an optimization. We can focus on getting the core logic correct and then optimize.

[rtibbles]

This was never asked for in the issue, and adds unnecessary complexity here.

[rtibbles]

I think there may be some existing logic in the course app that we could potentially reuse here.

[rtibbles]

Not sure there's any need to coerce these to a list and manipulate them in Python?

The logic below could be handled with some fairly quick exists checks, or at least a minimal fetch if you're worried about doing too many queries - but here you're loading entire models for every assignment and checking them, so that has its own performance implications.

[AllanOXDi]

Fair point on removing the list coercion. I've updated get_test_status to accept the queryset directly. But my thought was that the exists() path fires up to 3 queries per test type to check for any assignments, then filters if the first returns True, whereas fetching .values("test_type", "closed"). Since there can only ever be one pre- and one post assignment per course_session, unit, loading them is essentially free. I could also go this way to avoids full model instantiation

def get_test_status(assignments_qs):
    rows = list(assignments_qs.values("closed"))
    if not rows:
        return TEST_STATUS_NOT_ACTIVATED
    if any(not r["closed"] for r in rows):
        return TEST_STATUS_OPEN
    return TEST_STATUS_CLOSED

In case it's relevant.

[rtibbles]

The Django Silk page at /profile/ on your devserver could help show what is actually faster here - as we're probably not talking a lot of assignments at once ever, it may well be that doing the values query once is faster.

[rtibbles]

A couple more questions, but I think this is close to merge.

[rtibbles]

Let's call this something more specific, as we're using it for _PRE_POST_TEST_SYNTHETIC_CONTENT_ID_NAMESPACE?

[AllanOXDi]

Good point!_SYNTHETIC_CONTENT_ID_NAMESPACEis ambiguous.

[rtibbles]

I think you should just be able to use the KolibriAuthPermissions class here - did that not work?

[AllanOXDi]

CourseSession has RoleBasedPermissions(can_be_read_by=(ADMIN, COACH)) so KolibriAuthPermissions should work, has_object_permissiondelegates to request.user.can_read(obj) which will use those. So since UnitReportViewSet is a plain ViewSet, we'd need to call self.check_object_permissions(request, course_session) explicitly inretrieve()after fetching the session. But that would also change the nonexistent session response from 403 to 404? I am happy to make the change if you're okay with 404 there.

[rtibbles]

So since UnitReportViewSet is a plain ViewSet, we'd need to call self.check_object_permissions(request, course_session) explicitly inretrieve()after fetching the session.

We would? Why? Do we do that in any other ViewSet?

But that would also change the nonexistent session response from 403 to 404?

This is fine.

[AllanOXDi]

Okay, looking atClassSummaryViewSet, the existing pattern is a custom permission class that does the full check in has_permission that returns True for all GET. ama update it shortly!

[rtibbles]

Good to merge - one minor thing to consider is whether the independent tests of the compute_test_scores give any additional useful coverage over covering the same scenarios in API tests - it's only used in that context, so independently testing it may not be necessary.