
Sync opencraft-release/quince.1 with Upstream 20240520-1716214773 #658

opencraft-requirements-bot

Syncing opencraft-release/quince.1 with Upstream

Important❗

Please always use the "Create a merge commit" option as it avoids issues when checking diffs with upstream.

Note on Conflicts ⚠️

In case of conflicts, you can go ahead and resolve them here on GitHub if they are simple enough. However, if it is a more complicated conflict, please follow the steps below:

  1. Check out sync-open-release/quince.master-20240520-1716214773 locally.
  2. Pull the latest changes from opencraft-release/quince.1 into that branch, making sure your [REMOTE] is pointing to opencraft-release/quince.1:
     git pull [REMOTE] opencraft-release/quince.1
  3. Resolve the conflicts locally, then commit the result. This will create a new merge commit.
  4. Push the new merge commit to sync-open-release/quince.master-20240520-1716214773 to update this PR.
  5. Review the PR again and merge when ready!
    Note: Please use the "Create a merge commit" option as it avoids issues when checking diffs with upstream.

magajh and others added 13 commits March 31, 2024 21:28
The URL was renamed from session_language to update_language, but it was still referred to in some HTML templates.

chore: update Django to 4.2.11 for Quince - Security Patch
feat: Adds disable_progress_graph attribute to the returned course_metadata response

Currently, openedx/frontend-app-authoring#517 faces an issue when the
progress graph toggle is enabled/disabled but the settings are not respected. The disable_progress_graph
attribute will allow the frontend-app-learning repo to use this attribute to respect the settings authored
from frontend-app-course-authoring and ultimately fix openedx/frontend-app-authoring#517.
* fix: Social link parsing approach changed

* fix: fix tests

* fix: better approach

"Course organization display string" option in Advanced settings
doesn't influence certificate.

Co-authored-by: Dima Alipov <[email protected]>
Open edX implements a JwtAuthentication class in edx-drf-extensions
(in edx_rest_framework_extensions.auth.jwt.authentication). This class
updates the local User database entry to match certain values in the
token. It's used as a way to automatically provision and update users
with their LMS user information on other Open edX services like
ecommerce.

Since LMS and Studio keep the record of truth in their database tables,
they should *not* update their database user information based on the
JWT. Doing so would allow stale JWTs to incorrectly reset user values
after they had been changed in the LMS. This is done by having the
EDX_DRF_EXTENSIONS['JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING'] setting be an
empty dictionary, and was set correctly for the LMS in its common.py env
settings module. Unfortunately, this was *not* being set for Studio.

This commit adds the same setting to Studio's common settings module.
Prior to this commit, it was possible for a stale JWT to reset user
attributes if the user hit a Studio API endpoint that used JWT for auth
(e.g. endpoints used by the Course Authoring MFE). This opened up a
potential security issue where a global staff user (is_staff=True) that
had their global staff status removed (is_staff=False) could have up to
a one hour window in which they could use their stale-but-still-valid
global-staff JWT token to regain global staff status by calling a Studio
endpoint with their browser.
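A constructed Python simulation of the claim-to-attribute mapping behaviour the commit message describes, added here and not code from edx-drf-extensions or this PR: the User model, claim names and update function are assumptions. It shows that with an empty JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING a stale token cannot reset is_staff, whereas a non-empty mapping re-grants it.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_staff: bool


# Constructed: the kind of claim -> attribute mapping a downstream service
# (e.g. ecommerce) would use to provision users from the LMS JWT.
# Claim names are assumptions, not the real edx-drf-extensions defaults.
PROVISIONING_MAPPING = {"email": "email", "administrator": "is_staff"}

# The value the commit sets for LMS and Studio: nothing in the token is
# ever written back to the record-of-truth User table.
RECORD_OF_TRUTH_MAPPING = {}


def apply_jwt_claims(user, payload, mapping):
    """Copy each mapped claim from the decoded JWT payload onto the user.

    Simplified stand-in for the update-user-from-token behaviour above.
    Returns the names of the attributes that were changed.
    """
    changed = []
    for claim, attr in mapping.items():
        if claim in payload and getattr(user, attr) != payload[claim]:
            setattr(user, attr, payload[claim])
            changed.append(attr)
    return changed


def stale_token_scenario(mapping):
    """Replay the window from the commit message; return final is_staff.

    1. Token minted while the user is global staff (administrator=True).
    2. Staff status revoked in the LMS database.
    3. The still-valid token hits a Studio endpoint using `mapping`.
    """
    user = User("alice", "alice@example.com", is_staff=True)
    stale_payload = {"preferred_username": "alice",
                     "email": "alice@example.com",
                     "administrator": True}  # constructed decoded JWT
    user.is_staff = False  # revocation in the record of truth
    apply_jwt_claims(user, stale_payload, mapping)
    return user.is_staff
```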
@Agrendalath Agrendalath merged commit 13eaa68 into opencraft-release/quince.1 May 20, 2024
42 checks passed
@Agrendalath Agrendalath deleted the sync-open-release/quince.master-20240520-1716214773 branch May 20, 2024 15:45