From 26091dcda1c20405b303a7bf7f7f6d5762083616 Mon Sep 17 00:00:00 2001
From: Shadi Naif <shadinaif@gmail.com>
Date: Thu, 17 Mar 2022 14:29:42 +0300
Subject: [PATCH 1/5] Security Patch - BLACK-1545

---
 .../lib/xmodule/xmodule/backcompat_module.py  | 10 ++--
 .../xmodule/js/fixtures/imageinput.underscore | 16 +++---
 .../xmodule/js/src/video/04_video_control.js  |  2 +-
 .../js/capa/chemical_equation_preview.js      | 11 +++-
 .../static/js/capa/drag_and_drop/targets.js   | 56 +++++++++----------
 .../js/components/header/views/header.js      | 47 +++++++++-------
 lms/static/js/course_survey.js                | 15 +++--
 lms/static/js/customwmd.js                    |  4 +-
 lms/static/js/edxnotes/views/tab_item.js      |  7 ++-
 lms/static/js/edxnotes/views/tab_panel.js     | 12 ++--
 lms/static/js/leanModal.js                    |  5 +-
 .../views/collection_list_view.js             |  2 +-
 12 files changed, 105 insertions(+), 82 deletions(-)

diff --git a/common/lib/xmodule/xmodule/backcompat_module.py b/common/lib/xmodule/xmodule/backcompat_module.py
index 7b0fa690fade..9e911ab9e3b3 100644
--- a/common/lib/xmodule/xmodule/backcompat_module.py
+++ b/common/lib/xmodule/xmodule/backcompat_module.py
@@ -7,6 +7,8 @@
 
 from lxml import etree
 
+from openedx.core.djangolib.markup import Text
+
 from .x_module import XModuleDescriptor
 
 log = logging.getLogger(__name__)
@@ -72,8 +74,8 @@ def from_xml(cls, xml_data, system, id_generator):
         the child element
         """
         xml_object = etree.fromstring(xml_data)
-        system.error_tracker("WARNING: the <{0}> tag is deprecated.  Please do not use in new content."
-                             .format(xml_object.tag))
+        system.error_tracker(Text("WARNING: the <{tag=}> tag is deprecated.  Please do not use in new content.")
+                             .format(tag=xml_object.tag))
 
         if len(xml_object) == 1:
             for (key, val) in xml_object.items():
@@ -96,8 +98,8 @@ def from_xml(cls, xml_data, system, id_generator):
         """
 
         xml_object = etree.fromstring(xml_data)
-        system.error_tracker('WARNING: the <{tag}> tag is deprecated.  '
-                             'Instead, use <customtag impl="{tag}" attr1="..." attr2="..."/>. '
+        system.error_tracker(Text('WARNING: the <{tag}> tag is deprecated.  '
+                             'Instead, use <customtag impl="{tag}" attr1="..." attr2="..."/>. ')
                              .format(tag=xml_object.tag))
 
         tag = xml_object.tag
diff --git a/common/lib/xmodule/xmodule/js/fixtures/imageinput.underscore b/common/lib/xmodule/xmodule/js/fixtures/imageinput.underscore
index bafdd797c9a2..a6ec5dc894b8 100644
--- a/common/lib/xmodule/xmodule/js/fixtures/imageinput.underscore
+++ b/common/lib/xmodule/xmodule/js/fixtures/imageinput.underscore
@@ -2,24 +2,24 @@
 <!-- ${width}  = 300   -->
 <!-- ${height} = 400   -->
 
-<div class="imageinput capa_inputtype" id="inputtype_<%=id%>">
+<div class="imageinput capa_inputtype" id="inputtype_<%-id%>">
     <input
         type="hidden"
         class="imageinput"
         src=""
-        name="input_<%=id%>"
-        id="input_<%=id%>"
+        name="input_<%-id%>"
+        id="input_<%-id%>"
         value=""
     />
 
     <div style="position:relative;">
         <div
-            id="imageinput_<%=id%>"
-            style="width: <%=width%>px; height: <%=height%>px; position: relative; left: 0; top: 0; visibility: hidden;"
+            id="imageinput_<%-id%>"
+            style="width: <%-width%>px; height: <%-height%>px; position: relative; left: 0; top: 0; visibility: hidden;"
         >
             <!-- image will go here -->
         </div>
-        <div id="answer_<%=id%>" data-width="100" data-height="100"></div>
+        <div id="answer_<%-id%>" data-width="100" data-height="100"></div>
     </div>
 
 
@@ -27,8 +27,8 @@
         <span
             class="unanswered"
             style="display: inline-block;"
-            id="status_<%=id%>"
-            aria-describedby="input_<%=id%>"
+            id="status_<%-id%>"
+            aria-describedby="input_<%-id%>"
         >
             <span class="sr">Status: unanswered</span>
         </span>
diff --git a/common/lib/xmodule/xmodule/js/src/video/04_video_control.js b/common/lib/xmodule/xmodule/js/src/video/04_video_control.js
index f80c0edd9feb..fc6557160c94 100644
--- a/common/lib/xmodule/xmodule/js/src/video/04_video_control.js
+++ b/common/lib/xmodule/xmodule/js/src/video/04_video_control.js
@@ -154,7 +154,7 @@
                 var endTime = (this.config.endTime !== null) ? this.config.endTime : params.duration;
                 // in case endTime is accidentally specified as being greater than the video
                 endTime = Math.min(endTime, params.duration);
-                this.videoControl.vidTimeEl.html(Time.format(params.time) + ' / ' + Time.format(endTime));
+                this.videoControl.vidTimeEl.text(Time.format(params.time) + ' / ' + Time.format(endTime));
             }
         }
     );
diff --git a/common/static/js/capa/chemical_equation_preview.js b/common/static/js/capa/chemical_equation_preview.js
index 85a1c2ac6780..d23d8e51d3f6 100644
--- a/common/static/js/capa/chemical_equation_preview.js
+++ b/common/static/js/capa/chemical_equation_preview.js
@@ -3,9 +3,16 @@
         function create_handler(saved_div) {
             return (function(response) {
                 if (response.error) {
-                    saved_div.html("<span class='error'>" + response.error + '</span>');
+                    edx.HtmlUtils.setHtml(
+                        saved_div,
+                        edx.HtmlUtils.joinHtml(
+                            edx.HtmlUtils.HTML("<span class='error'>"),
+                            response.error,
+                            edx.HtmlUtils.HTML('</span>')
+                        )
+                    );
                 } else {
-                    saved_div.html(response.preview);
+                    saved_div.html(edx.HtmlUtils.HTML(response.preview).toString());
                 }
             });
         }
diff --git a/common/static/js/capa/drag_and_drop/targets.js b/common/static/js/capa/drag_and_drop/targets.js
index ffbf47f1e8b9..a6787d3d5d5e 100644
--- a/common/static/js/capa/drag_and_drop/targets.js
+++ b/common/static/js/capa/drag_and_drop/targets.js
@@ -1,5 +1,5 @@
 (function(requirejs, require, define) {
-    define([], function() {
+    define(['edx-ui-toolkit/js/utils/html-utils'], function(HtmlUtils) {
         return {
             initializeBaseTargets: initializeBaseTargets,
             initializeTargetField: initializeTargetField,
@@ -76,17 +76,19 @@
             }
 
             $targetEl = $(
-            '<div ' +
-                'style=" ' +
-                    'display: block; ' +
-                    'position: absolute; ' +
-                    'width: ' + obj.w + 'px; ' +
-                    'height: ' + obj.h + 'px; ' +
-                    'top: ' + obj.y + 'px; ' +
-                    'left: ' + obj.x + 'px; ' +
-                    borderCss +
-                '" ' +
-            'aria-dropeffect=""></div>'
+                HtmlUtils.joinHtml(
+                    HtmlUtils.HTML('<div style="display: block; position: absolute; width: '),
+                    obj.w,
+                    HtmlUtils.HTML('px; height: '),
+                    obj.h,
+                    HtmlUtils.HTML('px; top: '),
+                    obj.y,
+                    HtmlUtils.HTML('px; left: '),
+                    obj.x,
+                    HtmlUtils.HTML('px; '),
+                    borderCss,
+                    HtmlUtils.HTML('"aria-dropeffect=""></div>')
+                ).toString()
         );
             if (fromTargetField === true) {
                 $targetEl.appendTo(draggableObj.iconEl);
@@ -100,23 +102,17 @@
 
             if (state.config.onePerTarget === false) {
                 $numTextEl = $(
-                '<div ' +
-                    'style=" ' +
-                        'display: block; ' +
-                        'position: absolute; ' +
-                        'width: 24px; ' +
-                        'height: 24px; ' +
-                        'top: ' + obj.y + 'px; ' +
-                        'left: ' + (obj.x + obj.w - 24) + 'px; ' +
-                        'border: 1px solid black; ' +
-                        'text-align: center; ' +
-                        'z-index: 500; ' +
-                        'background-color: white; ' +
-                        'font-size: 0.95em; ' +
-                        'color: #009fe2; ' +
-                    '" ' +
-                '>0</div>'
-            );
+                    HtmlUtils.joinHtml(
+                        HtmlUtils.HTML('<div style=" display: block; position: absolute;'),
+                        HtmlUtils.HTML('width: 24px; height: 24px; top: '),
+                        obj.y,
+                        HtmlUtils.HTML('px; left: '),
+                        obj.x,
+                        obj.w - 24,
+                        HtmlUtils.HTML('px; border: 1px solid black; text-align: center; z-index: 500;'),
+                        HtmlUtils.HTML('background-color: white; font-size: 0.95em; color: #009fe2; ">0</div>')
+                    ).toString()
+                );
             } else {
                 $numTextEl = null;
             }
@@ -263,7 +259,7 @@
 
         function updateNumTextEl() {
             if (this.numTextEl !== null) {
-                this.numTextEl.html(this.draggableList.length);
+                this.numTextEl.text(this.draggableList.length);
             }
         }
     }); // End-of: define([], function () {
diff --git a/lms/static/js/components/header/views/header.js b/lms/static/js/components/header/views/header.js
index 2c4ca3621126..0f584f5242d7 100644
--- a/lms/static/js/components/header/views/header.js
+++ b/lms/static/js/components/header/views/header.js
@@ -3,26 +3,33 @@
  */
 (function(define) {
     'use strict';
-    define(['backbone', 'text!templates/components/header/header.underscore'],
-           function(Backbone, headerTemplate) {
-               var HeaderView = Backbone.View.extend({
-                   initialize: function(options) {
-                       this.template = _.template(headerTemplate);
-                       this.headerActionsView = options.headerActionsView;
-                       this.listenTo(this.model, 'change', this.render);
-                       this.render();
-                   },
+    define([
+        'backbone',
+        'text!templates/components/header/header.underscore',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ],
+    function(Backbone, headerTemplate, HtmlUtils) {
+        var HeaderView = Backbone.View.extend({
+            initialize: function(options) {
+                this.template = HtmlUtils.template(headerTemplate);
+                this.headerActionsView = options.headerActionsView;
+                this.listenTo(this.model, 'change', this.render);
+                this.render();
+            },
 
-                   render: function() {
-                       var json = this.model.attributes;
-                       this.$el.html(this.template(json));
-                       if (this.headerActionsView) {
-                           this.headerActionsView.setElement(this.$('.page-header-secondary')).render();
-                       }
-                       return this;
-                   }
-               });
+            render: function() {
+                var json = this.model.attributes;
+                HtmlUtils.setHtml(
+                    this.$el,
+                    this.template(json)
+                );
+                if (this.headerActionsView) {
+                    this.headerActionsView.setElement(this.$('.page-header-secondary')).render();
+                }
+                return this;
+            }
+        });
 
-               return HeaderView;
-           });
+        return HeaderView;
+    });
 }).call(this, define || RequireJS.define);
diff --git a/lms/static/js/course_survey.js b/lms/static/js/course_survey.js
index 286cd26b13e5..90c65f09d89c 100644
--- a/lms/static/js/course_survey.js
+++ b/lms/static/js/course_survey.js
@@ -23,22 +23,25 @@ $(function() {
         var cancel_submit = false;
 
         $inputs.each(function() {
+            var val, fieldLabel;
             /* see if it is a required field and - if so - make sure user presented all information */
             if (typeof $(this).attr('required') !== typeof undefined) {
-                var val = $(this).val();
+                val = $(this).val();
                 if (typeof(val) === 'string') {
                     if (val.trim().length === 0) {
-                        var field_label = $(this).parent().find('label');
+                        fieldLabel = $(this).parent().find('label');
                         $(this).parent().addClass('field-error');
-                        $('.status.message.submission-error .message-copy').append("<li class='error-item'>" + field_label.text() + '</li>');
+                        // eslint-disable-next-line max-len
+                        $('.status.message.submission-error .message-copy').append(edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML("<li class='error-item'>"), fieldLabel.text(), edx.HtmlUtils.HTML('</li>')).toString());
                         cancel_submit = true;
                     }
                 } else if (typeof(val) === 'object') {
                     /* for SELECT statements */
                     if (val === null || val.length === 0 || val[0] === '') {
-                        var field_label = $(this).parent().find('label');
+                        fieldLabel = $(this).parent().find('label');
                         $(this).parent().addClass('field-error');
-                        $('.status.message.submission-error .message-copy').append("<li class='error-item'>" + field_label.text() + '</li>');
+                        // eslint-disable-next-line max-len
+                        $('.status.message.submission-error .message-copy').append(edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML("<li class='error-item'>"), fieldLabel.text(), edx.HtmlUtils.HTML('</li>')).toString());
                         cancel_submit = true;
                     }
                 }
@@ -70,7 +73,7 @@ $(function() {
         json = $.parseJSON(jqXHR.responseText);
         $('.status.message.submission-error').addClass('is-shown').focus();
         $('.status.message.submission-error .message-copy').
-            html(gettext('There has been an error processing your survey.')).
+            text(gettext('There has been an error processing your survey.')).
             stop().
             css('display', 'block');
     });
diff --git a/lms/static/js/customwmd.js b/lms/static/js/customwmd.js
index e0ad1b547324..0f4cfccaeecb 100644
--- a/lms/static/js/customwmd.js
+++ b/lms/static/js/customwmd.js
@@ -201,8 +201,8 @@ Mostly adapted from math.stackexchange.com: http://cdn.sstatic.net/js/mathjax-ed
                               .append($("<textarea>")
                               .addClass("wmd-input")
                               .attr("id", wmdInputId)
-                              .html(initialText))
-                              .append($wmdPreviewContainer); // xss-lint: disable=javascript-jquery-html
+                              .html(initialText)) // xss-lint: disable=javascript-jquery-html
+                              .append($wmdPreviewContainer);
         $elem.append($wmdPanel);
       }
       converter = Markdown.getMathCompatibleConverter(postProcessor);
diff --git a/lms/static/js/edxnotes/views/tab_item.js b/lms/static/js/edxnotes/views/tab_item.js
index b6d1dc814ad3..b5ca38c7ba08 100644
--- a/lms/static/js/edxnotes/views/tab_item.js
+++ b/lms/static/js/edxnotes/views/tab_item.js
@@ -1,7 +1,8 @@
 (function(define, undefined) {
     'use strict';
-    define(['gettext', 'underscore', 'jquery', 'backbone', 'js/edxnotes/utils/template'],
-function(gettext, _, $, Backbone, templateUtils) {
+    define(['gettext', 'underscore',
+        'jquery', 'backbone', 'js/edxnotes/utils/template', 'edx-ui-toolkit/js/utils/html-utils'],
+function(gettext, _, $, Backbone, templateUtils, HtmlUtils) {
     var TabItemView = Backbone.View.extend({
         tagName: 'li',
         className: 'tab',
@@ -34,7 +35,7 @@ function(gettext, _, $, Backbone, templateUtils) {
 
         render: function() {
             var html = this.template(this.model.toJSON());
-            this.$el.html(html);
+            this.$el.html(HtmlUtils.HTML(html).toString());
             return this;
         },
 
diff --git a/lms/static/js/edxnotes/views/tab_panel.js b/lms/static/js/edxnotes/views/tab_panel.js
index 0f9dd4503469..4cc67fd41b1d 100644
--- a/lms/static/js/edxnotes/views/tab_panel.js
+++ b/lms/static/js/edxnotes/views/tab_panel.js
@@ -1,13 +1,14 @@
 (function(define, undefined) {
     'use strict';
     define(['gettext', 'underscore', 'backbone', 'js/edxnotes/views/note_item',
-        'common/js/components/views/paging_header', 'common/js/components/views/paging_footer'],
-function(gettext, _, Backbone, NoteItemView, PagingHeaderView, PagingFooterView) {
+        'common/js/components/views/paging_header', 'common/js/components/views/paging_footer',
+        'edx-ui-toolkit/js/utils/html-utils'],
+function(gettext, _, Backbone, NoteItemView, PagingHeaderView, PagingFooterView, HtmlUtils) {
     var TabPanelView = Backbone.View.extend({
         tagName: 'section',
         className: 'tab-panel',
         title: '',
-        titleTemplate: _.template('<h2 class="sr"><%- text %></h2>'),
+        titleTemplate: HtmlUtils.template('<h2 class="sr"><%- text %></h2>'),
         attributes: {
             tabindex: -1
         },
@@ -25,7 +26,10 @@ function(gettext, _, Backbone, NoteItemView, PagingHeaderView, PagingFooterView)
         },
 
         render: function() {
-            this.$el.html(this.getTitle());
+            HtmlUtils.setHtml(
+                this.$el,
+                this.getTitle()
+            );
             this.renderView(this.pagingHeaderView);
             this.renderContent();
             this.renderView(this.pagingFooterView);
diff --git a/lms/static/js/leanModal.js b/lms/static/js/leanModal.js
index 468a36706d09..586b63fdd697 100644
--- a/lms/static/js/leanModal.js
+++ b/lms/static/js/leanModal.js
@@ -20,7 +20,10 @@
             };
             var overlay = '<div id="lean_overlay"></div>';
             if ($('#lean_overlay').length === 0) {
-                $('body').append($(overlay));
+                edx.HtmlUtils.append(
+                    $('body'),
+                    $(overlay)
+                );
             }
 
             options = $.extend(defaults, options);  // eslint-disable-line no-param-reassign
diff --git a/lms/static/js/learner_dashboard/views/collection_list_view.js b/lms/static/js/learner_dashboard/views/collection_list_view.js
index 46a807ebc5f9..4237c4fe1c74 100644
--- a/lms/static/js/learner_dashboard/views/collection_list_view.js
+++ b/lms/static/js/learner_dashboard/views/collection_list_view.js
@@ -33,7 +33,7 @@ class CollectionListView extends Backbone.View {
         this.$el.before(HtmlUtils.ensureHtml(this.getTitleHtml()).toString());
       }
 
-      this.$el.html(childList);
+      this.$el.html(HtmlUtils.HTML(childList).toString());
     }
   }
 

From 57c0fca7e385622a8d77259a5735858cecd1258c Mon Sep 17 00:00:00 2001
From: adeelehsan <adeel.ehsan@arbisoft.com>
Date: Thu, 14 Feb 2019 14:09:31 +0500
Subject: [PATCH 2/5] Disbale third party login if user password is unusable
 then disable third party login

LEARNER-6183
---
 common/djangoapps/third_party_auth/pipeline.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/djangoapps/third_party_auth/pipeline.py b/common/djangoapps/third_party_auth/pipeline.py
index 8941e0c4c1fb..87547cd949a7 100644
--- a/common/djangoapps/third_party_auth/pipeline.py
+++ b/common/djangoapps/third_party_auth/pipeline.py
@@ -81,6 +81,8 @@ def B(*args, **kwargs):
 import student
 from edxmako.shortcuts import render_to_string
 from eventtracking import tracker
+
+from util.json_request import JsonResponse
 from openedx.core.djangoapps.site_configuration import helpers as configuration_helpers
 from third_party_auth.utils import user_exists
 from lms.djangoapps.verify_student.models import SSOVerification
@@ -657,6 +659,9 @@ def set_logged_in_cookies(backend=None, user=None, strategy=None, auth_entry=Non
 
     """
     if not is_api(auth_entry) and user is not None and user.is_authenticated:
+        if not user.has_usable_password():
+            msg = "Your account is disabled"
+            return JsonResponse(msg, status=403)
         request = strategy.request if strategy else None
         # n.b. for new users, user.is_active may be False at this point; set the cookie anyways.
         if request is not None:

From 5f5748985270509b17cf6d7eb1f0923a5b2e0262 Mon Sep 17 00:00:00 2001
From: John Eskew <jeskew@edx.org>
Date: Wed, 22 Aug 2018 14:42:40 -0400
Subject: [PATCH 3/5] Add email address to retirement cancel success & test.

---
 .../management/commands/cancel_user_retirement_request.py    | 2 +-
 .../user_api/management/tests/test_cancel_retirement.py      | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py b/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py
index 0b7f8f85bcd7..208c1e049c3b 100644
--- a/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py
+++ b/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py
@@ -56,4 +56,4 @@ def handle(self, *args, **options):
         # No need to delete the accompanying "permanent" retirement request record - it gets done via Django signal.
         retirement_status.delete()
 
-        print("Successfully cancelled retirement request for user with email address '{}'.")
+        print("Successfully cancelled retirement request for user with email address '{}'.".format(email_address))
diff --git a/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py b/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py
index 609c8356549a..d2ec952492f9 100644
--- a/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py
+++ b/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py
@@ -15,11 +15,12 @@
 pytestmark = pytest.mark.django_db
 
 
-def test_successful_cancellation(setup_retirement_states, logged_out_retirement_request):  # pylint: disable=redefined-outer-name, unused-argument
+def test_successful_cancellation(setup_retirement_states, logged_out_retirement_request, capsys):  # pylint: disable=redefined-outer-name, unused-argument
     """
     Test a successfully cancelled retirement request.
     """
     call_command('cancel_user_retirement_request', logged_out_retirement_request.original_email)
+    output = capsys.readouterr().out
     # Confirm that no retirement status exists for the user.
     with pytest.raises(UserRetirementStatus.DoesNotExist):
         UserRetirementStatus.objects.get(original_email=logged_out_retirement_request.user.email)
@@ -28,6 +29,8 @@ def test_successful_cancellation(setup_retirement_states, logged_out_retirement_
         UserRetirementRequest.objects.get(user=logged_out_retirement_request.user)
     # Ensure user can be retrieved using the original email address.
     User.objects.get(email=logged_out_retirement_request.original_email)
+    assert "Successfully cancelled retirement request for user with email address" in output
+    assert logged_out_retirement_request.original_email in output
 
 
 def test_cancellation_in_unrecoverable_state(setup_retirement_states, logged_out_retirement_request):  # pylint: disable=redefined-outer-name, unused-argument

From ad7e738e6025e83f8bd49536b2fad9ba4773291d Mon Sep 17 00:00:00 2001
From: Bill DeRusha <bderusha@C02X31WFJGH5.tld>
Date: Thu, 20 Sep 2018 12:27:17 -0400
Subject: [PATCH 4/5] Set usable password when canceling user retirement

---
 .../support/templates/manage_user.underscore     |  2 +-
 lms/djangoapps/support/views/manage_user.py      | 16 +++++++++++++---
 .../commands/cancel_user_retirement_request.py   |  2 ++
 .../management/tests/test_cancel_retirement.py   |  5 ++++-
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/lms/djangoapps/support/static/support/templates/manage_user.underscore b/lms/djangoapps/support/static/support/templates/manage_user.underscore
index 96027d11fdfb..eedca0af1349 100644
--- a/lms/djangoapps/support/static/support/templates/manage_user.underscore
+++ b/lms/djangoapps/support/static/support/templates/manage_user.underscore
@@ -32,7 +32,7 @@
         <td><% print(user_profile.get('status')) %></td>
         <td>
           <button class="disable-account-btn">
-            <%- gettext('Disable Account') %>
+            <%- gettext('Toggle Account Password (Usable/Unusable)') %>
           </button>
         </td>
       </tr>
diff --git a/lms/djangoapps/support/views/manage_user.py b/lms/djangoapps/support/views/manage_user.py
index 02ce16ef5f07..9b64d69d5887 100644
--- a/lms/djangoapps/support/views/manage_user.py
+++ b/lms/djangoapps/support/views/manage_user.py
@@ -13,6 +13,7 @@
 from edxmako.shortcuts import render_to_response
 from lms.djangoapps.support.decorators import require_support_permission
 from openedx.core.djangoapps.user_api.accounts.serializers import AccountUserSerializer
+from openedx.core.djangoapps.user_api.accounts.utils import generate_password
 from util.json_request import JsonResponse
 
 
@@ -64,7 +65,16 @@ def post(self, request, username_or_email):
         user = get_user_model().objects.get(
             Q(username=username_or_email) | Q(email=username_or_email)
         )
-        user.set_unusable_password()
+        if user.has_usable_password():
+            user.set_unusable_password()
+        else:
+            user.set_password(generate_password(length=25))
         user.save()
-        password_status = _('Usable') if user.has_usable_password() else _('Unusable')
-        return JsonResponse({'success_msg': _('User Disabled Successfully'), 'status': password_status})
+
+        if user.has_usable_password():
+            password_status = _('Usable')
+            msg = _('User Enabled Successfully')
+        else:
+            password_status = _('Unusable')
+            msg = _('User Disabled Successfully')
+        return JsonResponse({'success_msg': msg, 'status': password_status})
diff --git a/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py b/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py
index 208c1e049c3b..62ef39c856a9 100644
--- a/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py
+++ b/openedx/core/djangoapps/user_api/management/commands/cancel_user_retirement_request.py
@@ -8,6 +8,7 @@
 import logging
 
 from django.core.management.base import BaseCommand, CommandError
+from openedx.core.djangoapps.user_api.accounts.utils import generate_password
 from openedx.core.djangoapps.user_api.models import UserRetirementStatus
 
 
@@ -50,6 +51,7 @@ def handle(self, *args, **options):
 
         # Load the user record using the retired email address -and- change the email address back.
         retirement_status.user.email = email_address
+        retirement_status.user.set_password(generate_password(length=25))
         retirement_status.user.save()
 
         # Delete the user retirement status record.
diff --git a/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py b/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py
index d2ec952492f9..8961e3f44863 100644
--- a/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py
+++ b/openedx/core/djangoapps/user_api/management/tests/test_cancel_retirement.py
@@ -2,6 +2,7 @@
 Test the cancel_user_retirement_request management command
 """
 import pytest
+from django.contrib.auth.hashers import UNUSABLE_PASSWORD_PREFIX
 from django.contrib.auth.models import User
 from django.core.management import CommandError, call_command
 
@@ -28,7 +29,9 @@ def test_successful_cancellation(setup_retirement_states, logged_out_retirement_
     with pytest.raises(UserRetirementRequest.DoesNotExist):
         UserRetirementRequest.objects.get(user=logged_out_retirement_request.user)
     # Ensure user can be retrieved using the original email address.
-    User.objects.get(email=logged_out_retirement_request.original_email)
+    user = User.objects.get(email=logged_out_retirement_request.original_email)
+    # Ensure the user has a usable password so they can go through the reset flow
+    assert not user.password.startswith(UNUSABLE_PASSWORD_PREFIX)
     assert "Successfully cancelled retirement request for user with email address" in output
     assert logged_out_retirement_request.original_email in output
 

From e7562aa33adeb17c0820b4c2567ff397dd48d090 Mon Sep 17 00:00:00 2001
From: Shadi Naif <shadinaif@gmail.com>
Date: Mon, 21 Mar 2022 17:58:43 +0300
Subject: [PATCH 5/5] Partial import of Koa Patch - BLACK-1545 Could not
 implement authentication.py part since it is outdated See details in JIRA

---
 .../djangoapps/third_party_auth/pipeline.py   |  4 +++-
 lms/djangoapps/support/views/manage_user.py   |  3 +++
 .../core/djangoapps/auth_exchange/forms.py    | 11 +++++++++++
 .../auth_exchange/tests/test_views.py         | 19 ++++++++++++++++---
 .../djangoapps/auth_exchange/tests/utils.py   |  2 +-
 .../core/djangoapps/auth_exchange/views.py    |  3 ++-
 6 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/common/djangoapps/third_party_auth/pipeline.py b/common/djangoapps/third_party_auth/pipeline.py
index 87547cd949a7..20beff2989c4 100644
--- a/common/djangoapps/third_party_auth/pipeline.py
+++ b/common/djangoapps/third_party_auth/pipeline.py
@@ -69,6 +69,7 @@ def B(*args, **kwargs):
 import analytics
 from django.conf import settings
 from django.contrib.auth.models import User
+from django.contrib.auth import logout
 from django.core.mail.message import EmailMessage
 from django.urls import reverse
 from django.http import HttpResponseBadRequest
@@ -659,10 +660,11 @@ def set_logged_in_cookies(backend=None, user=None, strategy=None, auth_entry=Non
 
     """
     if not is_api(auth_entry) and user is not None and user.is_authenticated:
+        request = strategy.request if strategy else None
         if not user.has_usable_password():
             msg = "Your account is disabled"
+            logout(request)
             return JsonResponse(msg, status=403)
-        request = strategy.request if strategy else None
         # n.b. for new users, user.is_active may be False at this point; set the cookie anyways.
         if request is not None:
             # Check that the cookie isn't already set.
diff --git a/lms/djangoapps/support/views/manage_user.py b/lms/djangoapps/support/views/manage_user.py
index 9b64d69d5887..fd45b2e3e3ed 100644
--- a/lms/djangoapps/support/views/manage_user.py
+++ b/lms/djangoapps/support/views/manage_user.py
@@ -16,6 +16,8 @@
 from openedx.core.djangoapps.user_api.accounts.utils import generate_password
 from util.json_request import JsonResponse
 
+from openedx.core.djangolib.oauth2_retirement_utils import retire_dot_oauth2_models
+
 
 class ManageUserSupportView(View):
     """
@@ -67,6 +69,7 @@ def post(self, request, username_or_email):
         )
         if user.has_usable_password():
             user.set_unusable_password()
+            retire_dot_oauth2_models(request.user)
         else:
             user.set_password(generate_password(length=25))
         user.save()
diff --git a/openedx/core/djangoapps/auth_exchange/forms.py b/openedx/core/djangoapps/auth_exchange/forms.py
index c39f9642a621..ff9af191ae76 100644
--- a/openedx/core/djangoapps/auth_exchange/forms.py
+++ b/openedx/core/djangoapps/auth_exchange/forms.py
@@ -95,6 +95,17 @@ def clean(self):
             user = backend.do_auth(access_token, allow_inactive_user=True)
         except (HTTPError, AuthException):
             pass
+        # check if user is disabled
+        if isinstance(user, User) and not user.has_usable_password():
+            self.request.social_strategy.clean_partial_pipeline(access_token)
+            raise OAuthValidationError(
+                {
+                    "error": "account_disabled",
+                    "error_description": 'user account is disabled',
+                    "error_code": 403
+                }
+            )
+
         if user and isinstance(user, User):
             self.cleaned_data["user"] = user
         else:
diff --git a/openedx/core/djangoapps/auth_exchange/tests/test_views.py b/openedx/core/djangoapps/auth_exchange/tests/test_views.py
index f9ce0ab76020..a6b0e73832dd 100644
--- a/openedx/core/djangoapps/auth_exchange/tests/test_views.py
+++ b/openedx/core/djangoapps/auth_exchange/tests/test_views.py
@@ -40,13 +40,16 @@ def tearDown(self):
         super(AccessTokenExchangeViewTest, self).tearDown()
         Partial.objects.all().delete()
 
-    def _assert_error(self, data, expected_error, expected_error_description):
+    def _assert_error(self, data, expected_error, expected_error_description, error_code=None):
         response = self.csrf_client.post(self.url, data)
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, error_code if error_code else 400)
         self.assertEqual(response["Content-Type"], "application/json")
+        expected_data = {u"error": expected_error, u"error_description": expected_error_description}
+        if error_code:
+            expected_data['error_code'] = error_code
         self.assertEqual(
             json.loads(response.content),
-            {u"error": expected_error, u"error_description": expected_error_description}
+            expected_data
         )
 
     def _assert_success(self, data, expected_scopes):
@@ -104,6 +107,16 @@ def test_invalid_provider(self):
         response = self.client.post(url, self.data)
         self.assertEqual(response.status_code, 404)
 
+    def test_disabled_user(self):
+        """
+        Test if response status code is correct in case of disabled user.
+        """
+        self.user.set_unusable_password()
+        self.user.save()
+        self._setup_provider_response(success=True)
+        self._assert_error(self.data, "account_disabled", "user account is disabled", 403)
+
+
 
 # This is necessary because cms does not implement third party auth
 @unittest.skipUnless(TPA_FEATURE_ENABLED, TPA_FEATURES_KEY + " not enabled")
diff --git a/openedx/core/djangoapps/auth_exchange/tests/utils.py b/openedx/core/djangoapps/auth_exchange/tests/utils.py
index bdf36e707fdf..99078d4ae462 100644
--- a/openedx/core/djangoapps/auth_exchange/tests/utils.py
+++ b/openedx/core/djangoapps/auth_exchange/tests/utils.py
@@ -28,7 +28,7 @@ def setUp(self):  # pylint: disable=arguments-differ
             "client_id": self.client_id,
         }
 
-    def _assert_error(self, _data, _expected_error, _expected_error_description):
+    def _assert_error(self, _data, _expected_error, _expected_error_description, error_code):
         """
         Given request data, execute a test and check that the expected error
         was returned (along with any other appropriate assertions).
diff --git a/openedx/core/djangoapps/auth_exchange/views.py b/openedx/core/djangoapps/auth_exchange/views.py
index 38bf6292fb10..5ad9127d2aa9 100644
--- a/openedx/core/djangoapps/auth_exchange/views.py
+++ b/openedx/core/djangoapps/auth_exchange/views.py
@@ -143,7 +143,8 @@ def error_response(self, form_errors, **kwargs):
         """
         Return an error response consisting of the errors in the form
         """
-        return Response(status=400, data=form_errors, **kwargs)
+        error_code = form_errors.get('error_code', 400)
+        return Response(status=error_code, data=form_errors, **kwargs)
 
 
 class LoginWithAccessTokenView(APIView):