forked from openedx/edx-platform
Sync opencraft-release/quince.1 with Upstream 20240520-1716214773 #658
Merged: Agrendalath merged 13 commits into opencraft-release/quince.1 from sync-open-release/quince.master-20240520-1716214773 on May 20, 2024
The url was renamed from session_language to update_language but it was still referred to in some html templates
…#34404) Co-authored-by: Dima Alipov <[email protected]>
…ce-4.2.11 chore: update Django to 4.2.11 for Quince - Security Patch
…tadata response Currently, openedx/frontend-app-authoring#517 faces an issue when the progress graph toggle is enabled/disabled but the settings are not respected, the disable_progress_graph attribute will allow the frontend-app-learning repo to use this attribute to respect the settings authored from frontend-app-course-authoring and ultimately fix openedx/frontend-app-authoring#517.
…s-graph feat: Adds disable_progress_graph attribute to the returned course_me…
…nedx#34485) Co-authored-by: Dima Alipov <[email protected]>
* fix: Social link parsing approach changed
* fix: fix tests
* fix: better approach
…enedx#34466) "Course organization display string" option in Advanced settings doesn't influence certificate. Co-authored-by: Dima Alipov <[email protected]>
… discussion is enabled (openedx#34426) Co-authored-by: Jason Wesson <[email protected]>
Open edX implements a JwtAuthentication class in edx-drf-extensions (in edx_rest_framework_extensions.auth.jwt.authentication). This class updates the local User database entry to match certain values in the token. It's used as a way to automatically provision and update users with their LMS user information on other Open edX services like ecommerce.

Since LMS and Studio keep the record of truth in its database tables, they should *not* update their database user information based on the JWT. Doing so would allow stale JWTs to incorrectly reset user values after they had been changed in the LMS.

This is done by having the EDX_DRF_EXTENSIONS['JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING'] setting be an empty dictionary, and was set correctly for the LMS in its common.py env settings module. Unfortunately, this was *not* being set for Studio. This commit adds the same setting to Studio's common settings module.

Prior to this commit, it was possible for a stale JWT to reset user attributes if the user hit a Studio API endpoint that used JWT for auth (e.g. endpoints used by the Course Authoring MFE). This opened up a potential security issue where a global staff user (is_staff=True) that had their global staff status removed (is_staff=False) could have up to a one hour window in which they could use their stale-but-still-valid global-staff JWT token to regain global staff status by calling a Studio endpoint with their browser.
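The stale-token scenario from the commit message above, as an added example that is not part of this pull request or of edx-drf-extensions. `sync_user_from_jwt`, `EXAMPLE_MAPPING` and the sample settings are hypothetical stand-ins constructed for illustration; the token is assumed to have already passed signature and expiry checks.

```python
from dataclasses import dataclass

KEY = "JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING"
# Constructed mapping for illustration: JWT claim -> local User attribute.
EXAMPLE_MAPPING = {"administrator": "is_staff"}


@dataclass
class User:
    username: str
    is_staff: bool


def sync_user_from_jwt(user, payload, mapping):
    """Hypothetical stand-in for the sync the commit message describes:
    copy mapped claims from a verified payload onto the local user."""
    changed = []
    for claim, attr in mapping.items():
        if claim in payload and getattr(user, attr) != payload[claim]:
            setattr(user, attr, payload[claim])
            changed.append(attr)
    return changed


def replay_stale_token(mapping):
    """Staff status was revoked locally after the token was issued."""
    user = User(username="alice", is_staff=False)
    stale_payload = {"preferred_username": "alice", "administrator": True}  # constructed
    sync_user_from_jwt(user, stale_payload, mapping)
    return user.is_staff


def services_without_empty_mapping(settings_by_service):
    """Flag services whose mapping is not explicitly {}. A missing key is
    flagged too: per the commit message, Studio was exposed while unset."""
    flagged = []
    for name, settings in sorted(settings_by_service.items()):
        if settings.get("EDX_DRF_EXTENSIONS", {}).get(KEY) != {}:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("non-empty mapping, is_staff after replay:", replay_stale_token(EXAMPLE_MAPPING))
    print("empty mapping, is_staff after replay:", replay_stale_token({}))
    constructed = {  # constructed settings, modelled on the state before the fix
        "lms": {"EDX_DRF_EXTENSIONS": {KEY: {}}},
        "cms": {"EDX_DRF_EXTENSIONS": {}},
    }
    print("services to fix:", services_without_empty_mapping(constructed))
```
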
Agrendalath approved these changes May 20, 2024
Agrendalath deleted the sync-open-release/quince.master-20240520-1716214773 branch May 20, 2024 15:45
Syncing opencraft-release/quince.1 with Upstream
Important❗
Please always use the "Create a merge commit" option as it avoids issues when checking diffs with upstream.
Note on Conflicts⚠️
In cases of conflicts you can go ahead and resolve it here on Github if it is simple enough. However if it is a more complicated conflict please follow the steps below:
sync-open-release/quince.master-20240520-1716214773 locally:
opencraft-release/quince.1 into that branch, make sure your [REMOTE] is pointing to opencraft-release/quince.1:
sync-open-release/quince.master-20240520-1716214773 to update this PR
Note: Please use the "Create a merge commit" option as it avoids issues when checking diffs with upstream.