From 78753bf57d357e7e887ccf1eed40ed38102c772f Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Fri, 10 Sep 2021 17:02:27 -0500
Subject: [PATCH 01/31] Adding support for CMS auth via core portal

---
 .dockerignore                                 |   3 +
 .gitignore                                    |   3 +
 Makefile                                      |   2 +-
 taccsite_cms/default_secrets.py               | 305 -------------
 taccsite_cms/remote_cms_auth.py               |  88 ++++
 taccsite_cms/settings.py                      | 406 +++++++-----------
 .../templates/assets_site_delayed.html        |   2 +-
 taccsite_cms/templates/header.html            |   4 +-
 taccsite_cms/urls.py                          |  16 +-
 taccsite_custom                               |   2 +-
 10 files changed, 271 insertions(+), 560 deletions(-)
 delete mode 100644 taccsite_cms/default_secrets.py
 create mode 100644 taccsite_cms/remote_cms_auth.py

diff --git a/.dockerignore b/.dockerignore
index 2a717da57..39f410288 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,9 @@
 # Version Control
 .git
 
+**settings_custom.py
+**settings_local.py
+
 # Python
 *.pyc
 *.pyo
diff --git a/.gitignore b/.gitignore
index 634ac29e1..f477e717f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -107,3 +107,6 @@ publish
 # build script local files
 web/build/buildinfo.properties
 web/build/config/buildinfo.properties
+
+*settings_custom.py
+*settings_local.py
diff --git a/Makefile b/Makefile
index f5e456abb..cd8476388 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-DOCKERHUB_REPO := taccwma/$(shell cat ./docker_repo.var)
+DOCKERHUB_REPO := taccwma/core-portal-cms
 DOCKER_TAG ?= $(shell git rev-parse --short HEAD)
 DOCKER_IMAGE := $(DOCKERHUB_REPO):$(DOCKER_TAG)
 DOCKER_IMAGE_LATEST := $(DOCKERHUB_REPO):latest
diff --git a/taccsite_cms/default_secrets.py b/taccsite_cms/default_secrets.py
deleted file mode 100644
index 1d27a45ba..000000000
--- a/taccsite_cms/default_secrets.py
+++ /dev/null
@@ -1,305 +0,0 @@
-# TACC CMS SITE TEMPLATE SETTINGS.
-# DEFAULT VALUES.
-# CHANGE BEFOR DEV/PREPROD/PRODUCTION DEPLOYMENT.
-
-########################
-# DJANGO SETTINGS
-########################
-
-_SECRET_KEY = 'replacethiswithareallysecureandcomplexsecretkeystring'
-_DEBUG = True       # False for Prod.
-_CONSOLE_LOG_ENABLED = False    # Boolean check to turn on/off console logging statements.
-
-# Specify allowed hosts or use an asterisk to allow any host and simplify the config.
-# _ALLOWED_HOSTS = ['hostname.tacc.utexas.edu', 'host.ip.v4.address', '0.0.0.0', 'localhost', '127.0.0.1']   # In production.
-_ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'localhost', '*']   # In development.
-
-# Boolean check to see if ldap is being used by the site.
-# Requires django-auth-ldap ≥ 2.0.0
-_LDAP_ENABLED = False
-
-# Boolean check to determine the appropriate database settings when using containers.
-_USING_CONTAINERS = True
-
-########################
-# DATABASE SETTINGS
-########################
-
-if _USING_CONTAINERS:
-    # used in container deployments.
-    _DATABASES = {
-        'default': {
-            'ENGINE': 'django.db.backends.postgresql_psycopg2',
-            'PORT': '5432',
-            'NAME': 'taccsite',
-            'USER': 'postgresadmin',
-            'PASSWORD': 'taccforever', # Change before live deployment.
-            'HOST': 'core_cms_postgres'
-        }
-    }
-else:
-    # used in local dev, venv or manual deployments.
-    _DATABASES = {
-        'default': {
-            'ENGINE': 'django.db.backends.postgresql_psycopg2',
-            'PORT': '5432',
-            'NAME': 'taccsite',
-            'USER': 'postgresadmin',
-            'PASSWORD': 'taccforever', # Change before live deployment.
-            'HOST': 'localhost'
-        }
-    }
-
-########################
-# DJANGO CMS SETTINGS
-########################
-
-# CMS Site (allows for multiple sites on a single CMS)
-_SITE_ID = 1
-_CMS_TEMPLATES = (
-    # Customize this list in per-project `secrets.py`
-    # FAQ: First template is default template
-    # REF: http://docs.django-cms.org/en/latest/how_to/install.html#templates
-
-    # For standard pages (has Container and Breadcrumbs)
-    ('standard.html', 'Standard'),
-    # For content that spans full window width (no Container nor Breadcrumbs)
-    ('fullwidth.html', 'Full Width'),
-
-    # Any project that needs per-project styles must have a custom template
-    # FAQ: This is a tedious solution until a cleaner solution is devised
-    # TODO: Automate per-project asset load and update exisitng sites as needed
-    # ('name-of-project/templates/fullwidth.html', 'Fullwidth (Custom)'),
-    # NOTE: If project later uses custom template, then for that project:
-    #       1. Rename standard default template to "DEPRECATED […]".
-    #       2. Update all pages to use the custom default template.
-    #       3. Disable standard default template (remove from `_CMS_TEMPLATES`).
-    # ('fullwidth.html', 'DEPRECATED Fullwidth'),
-
-    # Any portal whose homepage has NO design must enable and use this template
-    # ('home_portal.html', 'Standard Portal Homepage'),
-
-    # All portals should enable all of these templates
-    # FAQ: If this becomes mandatory, then in `settings.py`:
-    #      `if _PORTAL: [ manually add these entries ]`
-    # ('guide.html', 'Guide'),
-    # ('guides/getting_started.html', 'Guide: Getting Started'),
-    # ('guides/data_transfer.html', 'Guide: Data Transfer'),
-    # ('guides/data_transfer.globus.html', 'Guide: Globus Data Transfer'),
-    # ('guides/portal_technology.html', 'Guide: Portal Technology Stack'),
-
-    # For now, only Core portal should enable this template
-    # FAQ: We know not yet how to auto-replicate pages and plugins across sites
-    # ('style_guide.html', 'Style Guide'),
-)
-
-########################
-# GOOGLE ANALYTICS
-########################
-
-# To use during dev, Tracking Protection in browser needs to be turned OFF.
-_GOOGLE_ANALYTICS_PROPERTY_ID = "UA-123ABC@%$&-#"
-_GOOGLE_ANALYTICS_PRELOAD = True
-
-########################
-# CMS FORMS
-########################
-
-# Create CMS Forms
-# SEE: https://pypi.org/project/djangocms-forms/
-# SEE: https://www.google.com/recaptcha/admin/create
-_DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY = ""
-_DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY = ""
-
-########################
-# ELASTICSEARCH
-########################
-
-_ES_AUTH = 'username:password'
-_ES_HOSTS = 'http://elasticsearch:9200'
-_ES_INDEX_PREFIX = 'cms-dev-{}'
-_ES_DOMAIN = 'http://localhost:8000'
-
-########################
-# FEATURES
-########################
-
-"""
-Features for the CMS that can be turned either ON or OFF
-
-Usage:
-
-- For baked-in features, like BRANDING or PORTAL, see relevant section instead.
-- For optional features, look below, and enable feature(s) via _FEATURES list.
-
-Baked-In Feature Setting Example.
-
-# Desctipion of feature X
-# SEE: [link to user/div guide about feature]
-_FEATURE_A = "someValue"
-
-Optional Feature Toggle Example.
-
-_FEATURES = {
-    # Desctipion of feature X
-    # SEE: [link to user/dev guide about feature]
-    "X": True,
-
-    # Desctipion of feature Y
-    # SEE: [link to user/dev guide about feature]
-    "Y": False,
-
-    # Desctipion of feature Z
-    # SEE: [link to user/dev guide about feature]
-    "Z": True,
-}
-
-"""
-
-_FEATURES = {
-    # Blog/News & Social Media Metadata
-    # GL-42: Split this into two features
-    # SEE: https://confluence.tacc.utexas.edu/x/EwDeCg
-    # SEE: https://confluence.tacc.utexas.edu/x/FAA9Cw
-    "blog": False,
-}
-
-########################
-# BRANDING & LOGOS & FAVICON
-########################
-# TODO: GH-59: Use Dict Not Array for Branding Settings
-
-# Branding settings for portal and navigation.
-
-"""
-Additional Branding and Portal Logos for Partner & Affiliate Organizations
-
-Usage:
-
-- For each beand used in the templating, add corresponding new settings values to this file  (see example below).
-- New branding settings must be added to the _BRANDING list to render in the template.
-- The order of the _BRANDING list determines the rendering order of the elements in the template.
-- The portal logo setting must be assigned to the _LOGO variable to render in the template.
-- The following VALUES for new elements set in the configuration object must exist in the portal css as well:
-    - Any new selectors or css styles (add to /taccsite_cms/static/site_cms/css/src/_imports/branding_logos.css)
-    - Image files being references (add to /taccsite_cms/static/site_cms/img/org_logos)
-
-Values to populate (for an array):
-
-_SETTING_NAME = [                # The name of the branding or logo config setting object.
-    "org_name",                    # The name of the organization the branding belongs too.
-    "img_file_src",                # Path and filename relative to the static files folder.
-    "img_element_classes",         # The list of selectors to apply to the rendered element, these need to exist in the css/scss.
-    "a_target_url",                # The href link to follow when clicked, use "/" for portal logos.
-    "a_target_type",               # The target to open the new link in, use _blank for external links, _self for internal links.
-    "alt_text",                    # The text to read or render for web assistance standards.
-    "cors_setting",                # The CORS setting for the image, set to anonymous by default.
-    "visibility"                   # Toggles wether or not to display the element in the template, use True to render, False to hide.
-]
-
-Values to populate (for a dict):
-
-_SETTING_NAME = {                  # The name of the favicon config setting object.
-    "img_file_src": "…",             # Path and filename relative to the static files folder.
-}
-
-Branding Configuration Example.
-
-_ANORG_BRANDING = [
-   "anorg",
-   "site_cms/img/org_logos/anorg-logo.png"
-   "branding-anorg",
-   "https://www.anorg.com/"
-   "_blank",
-   "ANORG Logo",
-   "anonymous",
-   "True"
-]
-
-Logo Configuration Example.
-
-_ANORG_LOGO = [
-   "anorg",
-   "site_cms/img/org_logos/anorg-logo.png"
-   "branding-anorg",
-   "/"
-   "_self",
-   "ANORG Logo",
-   "anonymous",
-   "True"
-]
-
-Favicon Configuration Example.
-
-_ANORG_FAVICON = {
-    "img_file_src": "site_cms/img/favicons/favicon.ico"
-}
-"""
-
-########################
-# BRANDING
-
-_TACC_BRANDING = [
-    "tacc",
-    "site_cms/img/org_logos/tacc-white.png",
-    "branding-tacc",
-    "https://www.tacc.utexas.edu/",
-    "_blank",
-    "TACC Logo",
-    "anonymous",
-    "True"
-]
-
-_UTEXAS_BRANDING = [
-    "utexas",
-    "site_cms/img/org_logos/utaustin-white.png",
-    "branding-utaustin",
-    "https://www.utexas.edu/",
-    "_blank",
-    "University of Texas at Austin Logo",
-    "anonymous",
-    "True"
-]
-
-_NSF_BRANDING = [
-    "nsf",
-    "site_cms/img/org_logos/nsf-white.png",
-    "branding-nsf",
-    "https://www.nsf.gov/",
-    "_blank",
-    "NSF Logo",
-    "anonymous",
-    "True"
-]
-
-_BRANDING = [ _TACC_BRANDING, _UTEXAS_BRANDING ]        # Default TACC Portal.
-# _BRANDING = [ _NSF_BRANDING, _TACC_BRANDING, _UTEXAS_BRANDING ]       # NSF Funded TACC Portal.
-
-########################
-# LOGOS
-
-_PORTAL_LOGO = [
-    "portal",
-    "site_cms/img/org_logos/portal.png",
-    "",
-    "/",
-    "_self",
-    "Portal Logo",
-    "anonymous",
-    "True"
-]
-
-_LOGO = _PORTAL_LOGO                # Default Portal Logo.
-
-########################
-# FAVICON
-
-_FAVICON = {
-    "img_file_src": "site_cms/img/favicons/favicon.ico"
-}
-
-########################
-# PORTAL
-########################
-
-_PORTAL = False     # True for any CMS that is part of a Portal.
diff --git a/taccsite_cms/remote_cms_auth.py b/taccsite_cms/remote_cms_auth.py
new file mode 100644
index 000000000..5357ea4bf
--- /dev/null
+++ b/taccsite_cms/remote_cms_auth.py
@@ -0,0 +1,88 @@
+import inspect
+from django.http import HttpResponse, HttpResponseRedirect
+from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth import get_user_model
+from django.contrib import auth as auth
+import requests
+import logging
+from django.conf import settings
+UserModel = get_user_model()
+
+logger = logging.getLogger(__name__)
+
+
+def verify_and_auth(request):
+    user = auth.authenticate(request)
+    if user:
+        # User is valid.  Set request.user and persist user in the session by logging the user in.
+        request.user = user
+        auth.login(request, user)
+        response = HttpResponseRedirect(request.GET.get('next', '/workbench/dashboard/'))
+    else:
+        response = HttpResponseRedirect('/')
+    return response
+
+class CorePortalAuthBackend(ModelBackend):
+    """
+        Validates core portal session
+        Extends Django ModelBackend, parts of this were taken from Django's source:
+        https://github.com/django/django/blob/stable/2.2.x/django/contrib/auth/backends.py#L128
+    """
+    create_unknown_user = True
+
+    def authenticate(self, request):
+        response = requests.get('{0}/api/users/auth/'.format(\
+            getattr(settings,'CEP_AUTH_VERIFICATION_ENDPOINT','http://django:6000')),
+                                cookies={'coresessionid': request.COOKIES.get('coresessionid')})
+        user_data = response.json()
+        if user_data is None or user_data['username'] is None:
+            return None
+        username = user_data['username']
+        email = user_data['email']
+
+        if request.user.is_authenticated:
+            self._remove_invalid_user(request)
+
+        if self.create_unknown_user:
+            user, created = UserModel._default_manager.get_or_create(**{
+                UserModel.USERNAME_FIELD: username, UserModel.EMAIL_FIELD: email
+            })
+            if created:
+                args = (request, user)
+                try:
+                    inspect.getcallargs(self.configure_user, request, user)
+                except TypeError:
+                    args = (user,)
+                    warnings.warn(
+                        'Update %s.configure_user() to accept `request` as '
+                        'the first argument.'
+                        % self.__class__.__name__, RemovedInDjango31Warning
+                    )
+                user = self.configure_user(*args)
+        else:
+            try:
+                user = UserModel._default_manager.get_by_natural_key(username)
+            except UserModel.DoesNotExist:
+                pass
+        return user if self.user_can_authenticate(user) else None
+
+    def _remove_invalid_user(self, request):
+        """
+        Remove the current authenticated user
+        """
+        try:
+            stored_backend = load_backend(request.session.get(auth.BACKEND_SESSION_KEY, ''))
+        except ImportError:
+            # backend failed to load
+            auth.logout(request)
+        else:
+            if isinstance(stored_backend, RemoteUserBackend):
+                auth.logout(request)
+
+    def configure_user(self, request, user):
+        """
+        Configure a user after creation and return the updated user.
+        By default, return the user unmodified.
+        """
+        return user
+
diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index 66794e77b..d8ff22e43 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -1,13 +1,9 @@
-# taccsite_cms/settings.py
 
 """
-Django settings for taccsite_cms project.
-
+Django settings
 Generated by 'django-admin startproject' using Django 1.11.22.
-
 For more information on this file, see
 https://docs.djangoproject.com/en/2.2/topics/settings/
-
 For the full list of settings and their values, see
 https://docs.djangoproject.com/en/2.2/ref/settings/
 """
@@ -15,90 +11,162 @@
 import logging
 import os
 from glob import glob
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
 
-
+SECRET_KEY = 'CHANGE_ME'
 def gettext(s): return s
 
+DATA_DIR = os.path.dirname(os.path.dirname(__file__))
 
-# Import secret values dynamically without breaking portal.
-def getsecrets():
-    new_secrets = {};                                                                           # Var to hold secret values once imported succesfully.
-    # Check for production secrets.
-    try:
-        print('Checking for secret production values')
-        import taccsite_cms.secrets as secrets                                       # Prod/Staging/Local Dev values (used instead of the default values if present)
-        new_secrets = secrets
-        print('Production secrets found, using values')
-    except ModuleNotFoundError as err:
-        # Error handling
-        print(err)
-        print('No production secrets found')
-        pass
-        # Check for the default secret values.
-        try:
-            print('Checking for default secret values')
-            import taccsite_cms.default_secrets as default_secrets            # Default demo values (works for basic local dev out of the box)
-            new_secrets = default_secrets
-            print('Default secrets found, using default values')
-        except ModuleNotFoundError as err:
-            # Error handling
-            print(err)
-            print('No default secrets found')
-            print('Check that you have a secrets.py or default_secrets.py')
-    finally:
-        # Return the secret values if they are found.
-        return new_secrets
-
-# Assign secret settings values.
-current_secrets = getsecrets()
-
-# Boolean check to turn on/off console logging statements.
-CONSOLE_LOG_ENABLED = current_secrets._CONSOLE_LOG_ENABLED
-
-# Verifying console logging is on.
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable CONSOLE_LOG_ENABLED: ", CONSOLE_LOG_ENABLED)
-
-LDAP_ENABLED = current_secrets._LDAP_ENABLED
-
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable LDAP_ENABLED: ", LDAP_ENABLED)
-
-if LDAP_ENABLED:
-    import ldap
-    from django_auth_ldap.config \
-        import LDAPSearch, GroupOfNamesType
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-DATA_DIR = os.path.dirname(os.path.dirname(__file__))
+###################################################################################################
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable DATA_DIR: ", DATA_DIR)
 
-# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+DEBUG = True       # False for Prod.
+
+# Specify allowed hosts or use an asterisk to allow any host and simplify the config.
+# ALLOWED_HOSTS = ['hostname.tacc.utexas.edu', 'host.ip.v4.address', '0.0.0.0', 'localhost', '127.0.0.1']   # In production.
+ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'localhost', '*']   # In development.
 
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
+# Requires django-auth-ldap ≥ 2.0.0
+LDAP_ENABLED = True
 
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = current_secrets._SECRET_KEY
 
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = current_secrets._DEBUG
+########################
+# DATABASE SETTINGS
+########################
 
-# Host Access.
-ALLOWED_HOSTS = current_secrets._ALLOWED_HOSTS
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'PORT': '5432',
+        'NAME': 'taccsite',
+        'USER': 'postgresadmin',
+        'PASSWORD': 'taccforever',  # Change before live deployment.
+        'HOST': 'core_cms_postgres'
+    }
+}
 
-# Custom Branding.
-BRANDING = current_secrets._BRANDING
-LOGO = current_secrets._LOGO
-FAVICON = current_secrets._FAVICON
+AUTHENTICATION_BACKENDS = [
+    "django.contrib.auth.backends.ModelBackend",
+    "taccsite_cms.remote_cms_auth.CorePortalAuthBackend",
+    "django_auth_ldap.backend.LDAPBackend"
+]
+
+''' LDAP Auth Settings '''
+AUTH_LDAP_SERVER_URI = "ldap://ldap.tacc.utexas.edu"
+AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
+AUTH_LDAP_START_TLS = True
+AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
 
-# Configure Portal.
-PORTAL = current_secrets._PORTAL
+AUTH_LDAP_BIND_DN = ""
+AUTH_LDAP_BIND_PASSWORD = ""
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    "ou=People,dc=tacc,dc=utexas,dc=edu", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
+)
 
-# Optional features.
-FEATURES = current_secrets._FEATURES
+AUTH_LDAP_AUTHORIZE_ALL_USERS = True
+
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+}
+
+SITE_ID = 1
+CMS_TEMPLATES = (
+    ('standard.html', 'Standard'),
+    ('fullwidth.html', 'Full Width'),
+)
+
+########################
+# GOOGLE ANALYTICS
+########################
+
+# To use during dev, Tracking Protection in browser needs to be turned OFF.
+GOOGLE_ANALYTICS_PROPERTY_ID = "UA-123ABC@%$&-#"
+GOOGLE_ANALYTICS_PRELOAD = True
+
+########################
+# CMS FORMS
+########################
+
+# Create CMS Forms
+# SEE: https://pypi.org/project/djangocms-forms/
+# SEE: https://www.google.com/recaptcha/admin/create
+DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY = ""
+DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY = ""
+
+########################
+# ELASTICSEARCH
+########################
+
+ES_AUTH = 'username:password'
+ES_HOSTS = 'http://elasticsearch:9200'
+ES_INDEX_PREFIX = 'cms-dev-{}'
+ES_DOMAIN = 'http://localhost:8000'
+
+TACC_BRANDING = [
+    "tacc",
+    "site_cms/img/org_logos/tacc-white.png",
+    "branding-tacc",
+    "https://www.tacc.utexas.edu/",
+    "_blank",
+    "TACC Logo",
+    "anonymous",
+    "True"
+]
+
+UTEXAS_BRANDING = [
+    "utexas",
+    "site_cms/img/org_logos/utaustin-white.png",
+    "branding-utaustin",
+    "https://www.utexas.edu/",
+    "_blank",
+    "University of Texas at Austin Logo",
+    "anonymous",
+    "True"
+]
+
+NSF_BRANDING = [
+    "nsf",
+    "site_cms/img/org_logos/nsf-white.png",
+    "branding-nsf",
+    "https://www.nsf.gov/",
+    "_blank",
+    "NSF Logo",
+    "anonymous",
+    "True"
+]
+
+BRANDING = [ TACC_BRANDING, UTEXAS_BRANDING ]
+
+PORTAL_LOGO = [
+    "portal",
+    "site_cms/img/org_logos/portal.png",
+    "",
+    "/",
+    "_self",
+    "Portal Logo",
+    "anonymous",
+    "True"
+]
+
+LOGO = PORTAL_LOGO
+
+FAVICON = {
+    "img_file_src": "site_cms/img/favicons/favicon.ico"
+}
+
+INCLUDES_CORE_PORTAL = True
+LOGOUT_REDIRECT_URL='/'
+## using container name to avoid cep.dev dns issues locally
+## this will need to be updated for dev/pprd/prod systems
+## for example, CEP_AUTH_VERIFICATION_ENDPOINT=https://dev.cep.tacc.utexas.edu
+CEP_AUTH_VERIFICATION_ENDPOINT='http://django:6000'
+###################################################################################################
 
 # Application definition
 ROOT_URLCONF = 'taccsite_cms.urls'
@@ -108,9 +176,6 @@ def getsecrets():
 STATIC_URL = '/static/'
 STATIC_ROOT = os.path.join(DATA_DIR, 'static')
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable STATIC_ROOT: ", STATIC_ROOT)
-
 STATICFILES_DIRS = (
     os.path.join(BASE_DIR, 'taccsite_cms', 'static'),
     # os.path.join(BASE_DIR, 'taccsite_cms', 'en', 'static'),
@@ -118,16 +183,9 @@ def getsecrets():
     os.path.join(BASE_DIR, 'taccsite_custom', '*', 'static')
 ))
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable STATICFILES_DIRS: ", STATICFILES_DIRS)
-
 # User Uploaded Files Location.
 MEDIA_URL = '/media/'
 MEDIA_ROOT = os.path.join(DATA_DIR, 'media')
-
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable MEDIA_ROOT: ", MEDIA_ROOT)
-
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
@@ -168,9 +226,6 @@ def getsecrets():
     },
 ]
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable TEMPLATES: ", TEMPLATES)
-
 MIDDLEWARE = [
     'cms.middleware.utils.ApphookReloadMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -206,10 +261,8 @@ def getsecrets():
     'djangocms_text_ckeditor',
     'filer',
     'easy_thumbnails',
-    # 'djangocms_audio',
     'djangocms_column',
     'djangocms_file',
-    # 'djangocms_forms', # FP-416: Pending full support
     'djangocms_link',
     'djangocms_picture',
     'djangocms_style',
@@ -234,15 +287,10 @@ def getsecrets():
     'djangocms_bootstrap4.contrib.bootstrap4_utilities',
     'haystack',
     'aldryn_apphooks_config',
-    # For faster testing, disable migrations during database creation
-    # SEE: https://stackoverflow.com/a/37150997
     'test_without_migrations',
     'taccsite_cms',
-    # Restore djangocms plugins that bootstrap4 hides
     'taccsite_cms.contrib.bootstrap4_djangocms_link',
     'taccsite_cms.contrib.bootstrap4_djangocms_picture',
-    # TODO: Extract TACC CMS UI components into pip-installable plugins
-    # FAQ: The djangocms_bootstrap4 library can serve as an example
     'taccsite_cms.contrib.taccsite_sample',
     'taccsite_cms.contrib.taccsite_system_monitor',
     'taccsite_cms.contrib.taccsite_data_list'
@@ -269,77 +317,12 @@ def get_subdirs_as_module_names(path):
 INSTALLED_APPS_APPEND = get_subdirs_as_module_names(CUSTOM_CMS_DIR)
 INSTALLED_APPS = INSTALLED_APPS + INSTALLED_APPS_APPEND
 
-
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable INSTALLED_APPS: ", INSTALLED_APPS)
-
-AUTHENTICATION_BACKENDS = [
-    "django.contrib.auth.backends.ModelBackend",
-]
-
-if LDAP_ENABLED:
-    AUTHENTICATION_BACKENDS.insert(0,
-        "django_auth_ldap.backend.LDAPBackend"
-    )
-
-    ''' LDAP Auth Settings '''
-    AUTH_LDAP_SERVER_URI = "ldap://ldap.tacc.utexas.edu"
-    AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
-    AUTH_LDAP_START_TLS = True
-    AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
-
-    AUTH_LDAP_BIND_DN = ""
-    AUTH_LDAP_BIND_PASSWORD = ""
-    AUTH_LDAP_USER_SEARCH = LDAPSearch(
-        "ou=People,dc=tacc,dc=utexas,dc=edu", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
-    )
-
-    AUTH_LDAP_AUTHORIZE_ALL_USERS = True
-
-    AUTH_LDAP_USER_ATTR_MAP = {
-        "first_name": "givenName",
-        "last_name": "sn",
-        "email": "mail",
-    }
-
-    '''
-     # More customizations
-
-     AUTH_LDAP_REQUIRE_GROUP = "cn=TACC-ACI-WMA,ou=Groups,dc=tacc,dc=utexas,dc=edu"
-     AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
-         "ou=Groups,dc=tacc,dc=utexas,dc=edu",
-         ldap.SCOPE_SUBTREE,
-         "(objectClass=groupOfUniqueNames)",
-     )
-     AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
-    '''
-    ''' End LDAP Auth Settings '''
-
-if getattr(current_secrets, '_CACHES', None):
-    CACHES = secrets._CACHES                        # Are we actually using this setting?
-
-DATABASES = current_secrets._DATABASES
-
 MIGRATION_MODULES = { }
-
-# SSL Setup.
-# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
-# SECURE_SSL_REDIRECT = True
-# SESSION_COOKIE_SECURE = True
-# CSRF_COOKIE_SECURE = True
-
-# Internationalization
-# https://docs.djangoproject.com/en/2.2/topics/i18n/
-
 LANGUAGE_CODE = 'en'
 TIME_ZONE = 'America/Chicago'
 USE_I18N = True
 USE_L10N = True
 USE_TZ = True
-
-# DjangoCMS Setup.
-SITE_ID = current_secrets._SITE_ID
-
 LANGUAGES = (
     # Customize this
     ('en', gettext('en')),
@@ -363,7 +346,6 @@ def get_subdirs_as_module_names(path):
     },
 }
 
-CMS_TEMPLATES = current_secrets._CMS_TEMPLATES
 CMS_PERMISSION = True
 CMS_PLACEHOLDER_CONF = {}
 
@@ -375,52 +357,6 @@ def get_subdirs_as_module_names(path):
     'easy_thumbnails.processors.filters'
 )
 
-
-# FEATURES.
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable FEATURES: ")
-    for feature in FEATURES:
-        print(feature + ": ", FEATURES[feature])
-
-if current_secrets._FEATURES['blog']:
-    # Install required apps
-    INSTALLED_APPS += [
-        # Blog/News
-        # 'filer',              # Already added
-        # 'easy_thumbnails',    # Already added
-        'parler',
-        'taggit',
-        'taggit_autosuggest',
-        'meta',                 # also supports `djangocms_page_meta`
-        'sortedm2m',
-        'djangocms_blog',
-
-        # Metadata
-        'djangocms_page_meta',
-    ]
-
-    # Metadata: Configure
-    META_SITE_PROTOCOL = 'http'
-    META_USE_SITES = True
-    META_USE_OG_PROPERTIES = True
-    META_USE_TWITTER_PROPERTIES = True
-    META_USE_GOOGLEPLUS_PROPERTIES = True # django-meta 1.x+
-    # META_USE_SCHEMAORG_PROPERTIES=True  # django-meta 2.x+
-
-    # Blog/News: Set custom paths for templates
-    BLOG_PLUGIN_TEMPLATE_FOLDERS = (
-        ('plugins/default', 'Default template'),    # i.e. `templates/djangocms_blog/plugins/default/`
-        ('plugins/default-clone', 'Clone of default template'),  # i.e. `templates/djangocms_blog/plugins/default-clone/`
-    )
-
-    # Blog/News: Change default values for the auto-setup of one `BlogConfig`
-    # SEE: https://github.com/nephila/djangocms-blog/issues/629
-    BLOG_AUTO_SETUP = True
-    BLOG_AUTO_HOME_TITLE ='Home'
-    BLOG_AUTO_BLOG_TITLE = 'News'
-    BLOG_AUTO_APP_TITLE = 'News'
-
-
 DJANGOCMS_PICTURE_NESTING = True
 DJANGOCMS_PICTURE_RESPONSIVE_IMAGES = True
 DJANGOCMS_PICTURE_RESPONSIVE_IMAGES_VIEWPORT_BREAKPOINTS = [
@@ -436,39 +372,19 @@ def get_subdirs_as_module_names(path):
 FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_MAX_MEMORY_SIZE = 20000000 # 20MB
 
-# Custom picture templates - if required.
-# DJANGOCMS_PICTURE_TEMPLATES = [
-#     ('background', _('Background image')), # Need to design these first!
-# ]
-
 DJANGOCMS_AUDIO_ALLOWED_EXTENSIONS = ['mp3', 'ogg', 'wav']
-# Custom audio templates - if required.
-# DJANGOCMS_AUDIO_TEMPLATES = [
-#     ('feature', _('Featured Version')),
-# ]
 
 # Djangocms Forms Settings.
 # SEE: https://github.com/mishbahr/djangocms-forms#configuration
 DJANGOCMS_FORMS_PLUGIN_MODULE = ('Generic')
 DJANGOCMS_FORMS_PLUGIN_NAME = ('Form')
-# DJANGOCMS_FORMS_DEFAULT_TEMPLATE = 'djangocms_forms/form_template/default.html'
+
 DJANGOCMS_FORMS_TEMPLATES = (
     ('djangocms_forms/form_template/default.html', ('Default')),
 )
 DJANGOCMS_FORMS_USE_HTML5_REQUIRED = False
-# DJANGOCMS_FORMS_WIDGET_CSS_CLASSES = {'__all__': ('form-control', ) }
-DJANGOCMS_FORMS_REDIRECT_DELAY = 10000  # 10 seconds
-
-DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY = current_secrets._DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY
-DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY = current_secrets._DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY
 
-# Google Analytics.
-GOOGLE_ANALYTICS_PROPERTY_ID  = current_secrets._GOOGLE_ANALYTICS_PROPERTY_ID
-GOOGLE_ANALYTICS_PRELOAD = current_secrets._GOOGLE_ANALYTICS_PRELOAD
-
-# SETTINGS VARIABLE EXPORTS.
-# Use a custom namespace (using default settings.VARIABLE configuration)
-SETTINGS_EXPORT_VARIABLE_NAME = 'settings'
+DJANGOCMS_FORMS_REDIRECT_DELAY = 1
 
 # Elasticsearch Indexing
 HAYSTACK_ROUTERS = ['aldryn_search.router.LanguageRouter',]
@@ -478,27 +394,37 @@ def get_subdirs_as_module_names(path):
 HAYSTACK_CONNECTIONS = {
     'default': {
         'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
-        'URL': current_secrets._ES_HOSTS,
-        'INDEX_NAME': current_secrets._ES_INDEX_PREFIX.format('cms'),
-        'KWARGS': {'http_auth': current_secrets._ES_AUTH }
+        'URL': ES_HOSTS,
+        'INDEX_NAME': 'cms',
+        'KWARGS': {'http_auth': ES_AUTH }
     }
 }
 
-ES_DOMAIN = current_secrets._ES_DOMAIN
+SETTINGS_EXPORT_VARIABLE_NAME = 'settings'
+DEBUG = True
+FEATURES = ''
 
-# Exported settings.
 SETTINGS_EXPORT = [
     'DEBUG',
+    'FEATURES',
     'BRANDING',
     'LOGO',
     'FAVICON',
-    'PORTAL',
-    'FEATURES',
+    'INCLUDES_CORE_PORTAL',
     'GOOGLE_ANALYTICS_PROPERTY_ID',
     'GOOGLE_ANALYTICS_PRELOAD'
 ]
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable SETTINGS_EXPORT: ")
-    for setting in SETTINGS_EXPORT:
-        print(setting)
+try:
+    from taccsite_cms import settings_custom
+except:
+    None
+    # do nothing
+
+try:
+    from taccsite_cms import settings_local
+except:
+    None
+    # do nothing
+
+
diff --git a/taccsite_cms/templates/assets_site_delayed.html b/taccsite_cms/templates/assets_site_delayed.html
index 398724f1d..6d9df5ff3 100644
--- a/taccsite_cms/templates/assets_site_delayed.html
+++ b/taccsite_cms/templates/assets_site_delayed.html
@@ -18,7 +18,7 @@
 
 <!-- Site Assets (Delayed): Font Icons -->
 {# FAQ: Not loaded in `assets_font.html` because these is NOT font for content which should avoid FOUT, FOIT, FOFT; but decorative, thus superfluous, icons #}
-{% if settings.PORTAL %}
+{% if settings.INCLUDES_CORE_PORTAL %}
 <!-- FP-526: Stop using Font Awesome icons; start using Cortal icons -->
 <link id="css-portal-font" rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.12.0/css/all.min.css" />
 {% endif %}
diff --git a/taccsite_cms/templates/header.html b/taccsite_cms/templates/header.html
index d02a41c53..62eed4674 100644
--- a/taccsite_cms/templates/header.html
+++ b/taccsite_cms/templates/header.html
@@ -6,7 +6,7 @@
 {% include "header_branding.html" %}
 
 <!-- Navigation Bar -->
-<nav id="s-header" class="s-header  navbar {% if settings.PORTAL %}navbar-expand-xl{% else %}navbar-expand-lg{% endif %} navbar-dark">
+<nav id="s-header" class="s-header  navbar {% if settings.INCLUDES_CORE_PORTAL %}navbar-expand-xl{% else %}navbar-expand-lg{% endif %} navbar-dark">
   <!-- Portal Logo -->
   {% include "header_logo.html" %}
 
@@ -18,7 +18,7 @@
   <!-- Navbar Links -->
   <div class="collapse navbar-collapse" id="navbarsExpandTarget">
     {# GL-6: Remove need for different `className` values #}
-    {% if settings.PORTAL %}
+    {% if settings.INCLUDES_CORE_PORTAL %}
       {# FAQ: If template were included with `only`, then it would NOT render `show_menu` #}
       {% include "nav_cms.html" with className="navbar-nav" %}
 
diff --git a/taccsite_cms/urls.py b/taccsite_cms/urls.py
index ea9000848..a3a859a35 100755
--- a/taccsite_cms/urls.py
+++ b/taccsite_cms/urls.py
@@ -6,13 +6,14 @@
 from django.conf.urls.static import static
 from django.conf.urls import include, url
 from django.contrib import admin
+from django.contrib.auth import views
 from django.contrib.sitemaps.views import sitemap
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
 from django.views.static import serve
+from taccsite_cms import remote_cms_auth as remote_cms_auth
 
 from django.http import request
 from django.views.generic.base import RedirectView
-
 admin.autodiscover()
 
 urlpatterns = [
@@ -20,9 +21,11 @@
         {'sitemaps': {'cmspages': CMSSitemap}}),
 
     url(r'^admin/', admin.site.urls),  # NOQA
+    url(r'^admin/', admin.site.urls),  # NOQA
+    url(r'^cms/logout/', views.LogoutView.as_view(), name='logout'),
 ]
 
-if settings.PORTAL:
+if getattr(settings, 'INCLUDES_CORE_PORTAL', True):
     from django.views.generic.base import TemplateView
     urlpatterns += [
         # FAQ: Allow direct access to markup for Portal and User Guide to render
@@ -30,18 +33,11 @@
         url(r'^cms/nav/pages/markup/$', TemplateView.as_view(template_name='nav_cms.raw.html'), name='menu_pages_markup'),
         url(r'^cms/header/branding/markup/$', TemplateView.as_view(template_name='header_branding.html'), name='header_branding_markup'),
         url(r'^cms/header/logo/markup/$', TemplateView.as_view(template_name='header_logo.html'), name='header_logo_markup'),
-    ]
-
-if settings.FEATURES['blog']:
-    urlpatterns += [
-        # Support `taggit_autosuggest` (from `djangocms-blog`)
-        url(r'^taggit_autosuggest/', include('taggit_autosuggest.urls')),
+        url(r'^remote/login/$', remote_cms_auth.verify_and_auth, name='verify_and_auth'),
     ]
 
 urlpatterns += [
     url(r'^', include('cms.urls')),
-    # url(r'^$', RedirectView.as_view(url=request.build_absolute_uri('/')), name='home')
-    # url(r'^', include('djangocms_forms.urls')), # FP-416: Pending full support
 ]
 
 # This is only needed when using runserver.
diff --git a/taccsite_custom b/taccsite_custom
index 50882bb83..5a6f0ecf1 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 50882bb83f7e65d49437d846f11662ab52996bbe
+Subproject commit 5a6f0ecf13bb8e466e4e785fc0c0fc38c67945b0

From 24e8834d714fc43ec3e99288cca496bba0f51f5b Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Sat, 11 Sep 2021 09:44:10 -0500
Subject: [PATCH 02/31] removing duplicate urls entry

---
 taccsite_cms/urls.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/taccsite_cms/urls.py b/taccsite_cms/urls.py
index a3a859a35..85f9a4092 100755
--- a/taccsite_cms/urls.py
+++ b/taccsite_cms/urls.py
@@ -20,7 +20,6 @@
     url(r'^sitemap\.xml$', sitemap,
         {'sitemaps': {'cmspages': CMSSitemap}}),
 
-    url(r'^admin/', admin.site.urls),  # NOQA
     url(r'^admin/', admin.site.urls),  # NOQA
     url(r'^cms/logout/', views.LogoutView.as_view(), name='logout'),
 ]

From ef969abe77c7510095925c6a4523fefa03cbd0b7 Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Tue, 14 Sep 2021 11:26:09 -0500
Subject: [PATCH 03/31] Restoring docker_repo var in makefile; setting/updating
 email,first name, last name on remote CMS auth

---
 Makefile                        | 2 +-
 taccsite_cms/remote_cms_auth.py | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index cd8476388..f5e456abb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-DOCKERHUB_REPO := taccwma/core-portal-cms
+DOCKERHUB_REPO := taccwma/$(shell cat ./docker_repo.var)
 DOCKER_TAG ?= $(shell git rev-parse --short HEAD)
 DOCKER_IMAGE := $(DOCKERHUB_REPO):$(DOCKER_TAG)
 DOCKER_IMAGE_LATEST := $(DOCKERHUB_REPO):latest
diff --git a/taccsite_cms/remote_cms_auth.py b/taccsite_cms/remote_cms_auth.py
index 5357ea4bf..84f524188 100644
--- a/taccsite_cms/remote_cms_auth.py
+++ b/taccsite_cms/remote_cms_auth.py
@@ -39,6 +39,8 @@ def authenticate(self, request):
             return None
         username = user_data['username']
         email = user_data['email']
+        first_name = user_data['first_name']
+        last_name = user_data['last_name']
 
         if request.user.is_authenticated:
             self._remove_invalid_user(request)
@@ -47,6 +49,9 @@ def authenticate(self, request):
             user, created = UserModel._default_manager.get_or_create(**{
                 UserModel.USERNAME_FIELD: username, UserModel.EMAIL_FIELD: email
             })
+            user.first_name = first_name
+            user.last_name = last_name
+            user.save()
             if created:
                 args = (request, user)
                 try:

From 24d92cfecd3d9a4cf2069618bc6685784c9993aa Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Wed, 15 Sep 2021 14:44:55 -0500
Subject: [PATCH 04/31] ensuring we update email addres in the event email
 associated with username changes

---
 taccsite_cms/remote_cms_auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/taccsite_cms/remote_cms_auth.py b/taccsite_cms/remote_cms_auth.py
index 84f524188..e253d1786 100644
--- a/taccsite_cms/remote_cms_auth.py
+++ b/taccsite_cms/remote_cms_auth.py
@@ -47,8 +47,9 @@ def authenticate(self, request):
 
         if self.create_unknown_user:
             user, created = UserModel._default_manager.get_or_create(**{
-                UserModel.USERNAME_FIELD: username, UserModel.EMAIL_FIELD: email
+                UserModel.USERNAME_FIELD: username
             })
+            user.email = email
             user.first_name = first_name
             user.last_name = last_name
             user.save()

From 374a279efefff9a4f4c5dacc3aa628c4f1e80310 Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Wed, 15 Sep 2021 15:27:35 -0500
Subject: [PATCH 05/31] Adding an example settings_custom file

---
 taccsite_cms/settings_custom.example.py | 43 +++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 taccsite_cms/settings_custom.example.py

diff --git a/taccsite_cms/settings_custom.example.py b/taccsite_cms/settings_custom.example.py
new file mode 100644
index 000000000..6ea8dac74
--- /dev/null
+++ b/taccsite_cms/settings_custom.example.py
@@ -0,0 +1,43 @@
+
+'''
+
+settings_custom.py file can be used to override default values in settings.py
+
+The settings_custom.py file is loaded after default settings but before settings assignment is complete,
+giving us the opportunity to override settings in either settings_custom.py (usually set in custom sites)
+or in settings_local.py (usually used in a local dev environment).
+
+To override a setting,
+simply copy/paste the default settings and set the new/custom values
+
+If a setting override is for a custom site in an existing submodule, the change is made in
+the settings_custom.py file of that submodules site directory and (if not a secret) can be committed
+
+
+Unless modifying default behavior for the default cms and all custom sites (which probably means that
+setting should be in the settings.py file), the settings_custom.py file that should be modified is
+the one in the appropriate taccsite_custom site directory.
+
+'''
+
+# For example if we want to change LDAP auth settings for a custome site, let's say frontera-cms
+# we simply copy the setting from settings.py, and
+# assign the new value in "Core-CMS/taccsite_custom/frontera-cms/settings_custom.py"
+''' Example LDAP Auth Setting change where we just changing the ldap url '''
+AUTH_LDAP_SERVER_URI = "ldap://cluster.ldap.tacc.utexas.edu"
+
+#The same goes for other more commonly customized values like below
+# A customization to this default would be applied in settings_custom.py of the appropriate custom site
+PORTAL_LOGO = [
+    "portal",
+    "site_cms/img/org_logos/portal.png",
+    "",
+    "/",
+    "_self",
+    "Portal Logo",
+    "anonymous",
+    "True"
+]
+
+LOGO = PORTAL_LOGO
+

From 5884b0e87a4a217db846686f0e3fbab2c389c84f Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Wed, 15 Sep 2021 17:19:43 -0500
Subject: [PATCH 06/31] adding custom settings to core cms

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index 5a6f0ecf1..c69dec9cd 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 5a6f0ecf13bb8e466e4e785fc0c0fc38c67945b0
+Subproject commit c69dec9cd1e48004cd73df37dafdc2790d7d669e

From feff8fa3718f8ab9fdddfcd3465dcf9a20ca73b7 Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Wed, 15 Sep 2021 17:26:31 -0500
Subject: [PATCH 07/31] importing settings_secret in settings file

---
 taccsite_cms/settings.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index d8ff22e43..c5683cc22 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -421,6 +421,12 @@ def get_subdirs_as_module_names(path):
     None
     # do nothing
 
+try:
+    from taccsite_cms import settings_secret
+except:
+    None
+    # do nothing
+
 try:
     from taccsite_cms import settings_local
 except:

From 75bef6f69eeced2b8f440c5c0f940570ac579697 Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Wed, 15 Sep 2021 18:44:49 -0500
Subject: [PATCH 08/31] updating name secrets file name, cms uses secrets.py
 instead of settings_secret, explicitly importing all values

---
 taccsite_cms/settings.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index c5683cc22..6fd92a94b 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -416,19 +416,19 @@ def get_subdirs_as_module_names(path):
 ]
 
 try:
-    from taccsite_cms import settings_custom
+    from taccsite_cms.settings_custom import *
 except:
     None
     # do nothing
 
 try:
-    from taccsite_cms import settings_secret
+    from taccsite_cms.secrets import *
 except:
     None
     # do nothing
 
 try:
-    from taccsite_cms import settings_local
+    from taccsite_cms.settings_local import *
 except:
     None
     # do nothing

From c072d3d571e77a95439c6264a91e70ec46d2e0ef Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Thu, 16 Sep 2021 16:11:42 -0500
Subject: [PATCH 09/31] adding auth endpoint to core cms custom settings

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index c69dec9cd..6b4075eda 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit c69dec9cd1e48004cd73df37dafdc2790d7d669e
+Subproject commit 6b4075eda58e5ca54f95e98b5a2c08521be006de

From 0fe713467d1eba4d732b91889a89e5ede76a2053 Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Thu, 16 Sep 2021 16:27:54 -0500
Subject: [PATCH 10/31] ensuring custom settings can be added to image

---
 .dockerignore | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.dockerignore b/.dockerignore
index 39f410288..b0631b58d 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,7 +1,6 @@
 # Version Control
 .git
 
-**settings_custom.py
 **settings_local.py
 
 # Python

From 8c1077b44931a66e4fc705c0cc7128899708572c Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Fri, 17 Sep 2021 00:35:29 -0500
Subject: [PATCH 11/31] Update settings.py

By placing the SETTINGS_EXPORT object at the very end it fixes an issue with trying to overwrite branding and other values. Cannot overwrite the SETTINGS_EXPORT easilly, so best to do it all at the end when all the values have been imported and overridden.
---
 taccsite_cms/settings.py | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index 6fd92a94b..7757c81aa 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -404,17 +404,6 @@ def get_subdirs_as_module_names(path):
 DEBUG = True
 FEATURES = ''
 
-SETTINGS_EXPORT = [
-    'DEBUG',
-    'FEATURES',
-    'BRANDING',
-    'LOGO',
-    'FAVICON',
-    'INCLUDES_CORE_PORTAL',
-    'GOOGLE_ANALYTICS_PROPERTY_ID',
-    'GOOGLE_ANALYTICS_PRELOAD'
-]
-
 try:
     from taccsite_cms.settings_custom import *
 except:
@@ -433,4 +422,13 @@ def get_subdirs_as_module_names(path):
     None
     # do nothing
 
-
+SETTINGS_EXPORT = [
+    'DEBUG',
+    'FEATURES',
+    'BRANDING',
+    'LOGO',
+    'FAVICON',
+    'INCLUDES_CORE_PORTAL',
+    'GOOGLE_ANALYTICS_PROPERTY_ID',
+    'GOOGLE_ANALYTICS_PRELOAD'
+]

From f75395ea5fa095ee206e37b2702bd010f8880b24 Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Fri, 17 Sep 2021 01:21:21 -0500
Subject: [PATCH 12/31] Update settings.py

Missing setting needed by all CMS.
---
 taccsite_cms/settings.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index 7757c81aa..ccba73b92 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -76,11 +76,14 @@ def gettext(s): return s
 }
 
 SITE_ID = 1
+
 CMS_TEMPLATES = (
     ('standard.html', 'Standard'),
     ('fullwidth.html', 'Full Width'),
 )
 
+CMS_PERMISSION = True
+
 ########################
 # GOOGLE ANALYTICS
 ########################

From 1d1d527e046522fb30c3a8670512cb4ffe3d3dc1 Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Fri, 17 Sep 2021 01:28:26 -0500
Subject: [PATCH 13/31] Update settings.py

Additional formatting.
---
 taccsite_cms/settings.py | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index ccba73b92..a09022445 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -21,9 +21,6 @@ def gettext(s): return s
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-###################################################################################################
-
-
 DEBUG = True       # False for Prod.
 
 # Specify allowed hosts or use an asterisk to allow any host and simplify the config.
@@ -33,7 +30,6 @@ def gettext(s): return s
 # Requires django-auth-ldap ≥ 2.0.0
 LDAP_ENABLED = True
 
-
 ########################
 # DATABASE SETTINGS
 ########################
@@ -60,15 +56,14 @@ def gettext(s): return s
 AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
 AUTH_LDAP_START_TLS = True
 AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
-
 AUTH_LDAP_BIND_DN = ""
 AUTH_LDAP_BIND_PASSWORD = ""
+AUTH_LDAP_AUTHORIZE_ALL_USERS = True
+
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
     "ou=People,dc=tacc,dc=utexas,dc=edu", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
 )
 
-AUTH_LDAP_AUTHORIZE_ALL_USERS = True
-
 AUTH_LDAP_USER_ATTR_MAP = {
     "first_name": "givenName",
     "last_name": "sn",
@@ -164,12 +159,17 @@ def gettext(s): return s
 }
 
 INCLUDES_CORE_PORTAL = True
+
 LOGOUT_REDIRECT_URL='/'
+
 ## using container name to avoid cep.dev dns issues locally
 ## this will need to be updated for dev/pprd/prod systems
 ## for example, CEP_AUTH_VERIFICATION_ENDPOINT=https://dev.cep.tacc.utexas.edu
 CEP_AUTH_VERIFICATION_ENDPOINT='http://django:6000'
-###################################################################################################
+
+########################
+# CLIENT BUILD SETTINGS
+########################
 
 # Application definition
 ROOT_URLCONF = 'taccsite_cms.urls'
@@ -189,6 +189,7 @@ def gettext(s): return s
 # User Uploaded Files Location.
 MEDIA_URL = '/media/'
 MEDIA_ROOT = os.path.join(DATA_DIR, 'media')
+
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
@@ -317,6 +318,7 @@ def get_subdirs_as_module_names(path):
 # Append CMS project paths as module names to INSTALLED_APPS
 # FAQ: This automatically looks into `/taccsite_custom` and creates an "App" for each directory within
 CUSTOM_CMS_DIR = os.path.join(BASE_DIR, 'taccsite_custom')
+
 INSTALLED_APPS_APPEND = get_subdirs_as_module_names(CUSTOM_CMS_DIR)
 INSTALLED_APPS = INSTALLED_APPS + INSTALLED_APPS_APPEND
 
@@ -326,6 +328,7 @@ def get_subdirs_as_module_names(path):
 USE_I18N = True
 USE_L10N = True
 USE_TZ = True
+
 LANGUAGES = (
     # Customize this
     ('en', gettext('en')),

From cc65d5a71e2af001bcdc3218185da5037165984a Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Fri, 17 Sep 2021 01:48:05 -0500
Subject: [PATCH 14/31] Pinning submodule to FP-1194--assist branch to build
 CMS images.

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index 6b4075eda..9c5a6e9b7 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 6b4075eda58e5ca54f95e98b5a2c08521be006de
+Subproject commit 9c5a6e9b740f8b7c7a2ab92823e492dd8d5c40c6

From 8d29afdddbfdfdb2f64f4768b2f196f74e80757e Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Fri, 17 Sep 2021 03:24:46 -0500
Subject: [PATCH 15/31] Update settings.py

Second DEBUG setting overriding default. Incorrect.
---
 taccsite_cms/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index a09022445..9612f1ca2 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -407,7 +407,7 @@ def get_subdirs_as_module_names(path):
 }
 
 SETTINGS_EXPORT_VARIABLE_NAME = 'settings'
-DEBUG = True
+
 FEATURES = ''
 
 try:

From 093ce6433f91801bc4ee12b188156c916a0d16b1 Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Fri, 17 Sep 2021 03:37:21 -0500
Subject: [PATCH 16/31] Update settings.py

Unused settings lurking in here.
---
 taccsite_cms/settings.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index 9612f1ca2..e2dfd7e14 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -141,7 +141,7 @@ def gettext(s): return s
 
 BRANDING = [ TACC_BRANDING, UTEXAS_BRANDING ]
 
-PORTAL_LOGO = [
+LOGO = [
     "portal",
     "site_cms/img/org_logos/portal.png",
     "",
@@ -152,8 +152,6 @@ def gettext(s): return s
     "True"
 ]
 
-LOGO = PORTAL_LOGO
-
 FAVICON = {
     "img_file_src": "site_cms/img/favicons/favicon.ico"
 }
@@ -200,7 +198,6 @@ def gettext(s): return s
         ) + [
             os.path.join(BASE_DIR, 'taccsite_cms', 'templates')
         ],
-        # 'APP_DIRS': True,
         'OPTIONS': {
             'context_processors': [
                 'django.contrib.auth.context_processors.auth',

From 2df09588141366d4e6fa9a6aa80c318e5cf64200 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Fri, 17 Sep 2021 17:49:02 -0500
Subject: [PATCH 17/31] =?UTF-8?q?FP-1194:=20Test=20gettext=5Flazy=E2=86=92?=
 =?UTF-8?q?gettext=20for=20tup-cms?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SEE: https://github.com/django-cms/django-cms/issues/6687
---
 taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py   | 2 +-
 .../contrib/bootstrap4_djangocms_picture/cms_plugins.py         | 2 +-
 taccsite_cms/contrib/taccsite_data_list/cms_plugins.py          | 2 +-
 taccsite_cms/contrib/taccsite_data_list/models.py               | 2 +-
 taccsite_cms/contrib/taccsite_sample/cms_plugins.py             | 2 +-
 taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py     | 2 +-
 taccsite_cms/contrib/taccsite_system_monitor/models.py          | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py b/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py
index 8fc6a7db2..6b287e6a8 100644
--- a/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py
+++ b/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py
@@ -6,7 +6,7 @@
     # SEE: https://github.com/django-cms/djangocms-bootstrap4/pull/138
     import copy
 
-    from django.utils.translation import gettext_lazy as _
+    from django.utils.translation import gettext as _
 
     from cms.plugin_pool import plugin_pool
 
diff --git a/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py b/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py
index 5f7bf7f42..262d4e623 100644
--- a/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py
+++ b/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py
@@ -2,7 +2,7 @@
 # FAQ: Bootstrap Image plugin has features not desirable in TACC plugins
 # FAQ: We must not break sites that already use Bootstrap Image plugin
 try:
-    from django.utils.translation import gettext_lazy as _
+    from django.utils.translation import gettext as _
 
     from cms.plugin_pool import plugin_pool
 
diff --git a/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py b/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py
index fece7a03f..82a7db1c9 100644
--- a/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py
+++ b/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py
@@ -1,6 +1,6 @@
 from cms.plugin_base import CMSPluginBase
 from cms.plugin_pool import plugin_pool
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from taccsite_cms.contrib.constants import TEXT_FOR_NESTED_PLUGIN_CONTENT_SWAP
 from taccsite_cms.contrib.helpers import concat_classnames
diff --git a/taccsite_cms/contrib/taccsite_data_list/models.py b/taccsite_cms/contrib/taccsite_data_list/models.py
index 750698739..431e874e8 100644
--- a/taccsite_cms/contrib/taccsite_data_list/models.py
+++ b/taccsite_cms/contrib/taccsite_data_list/models.py
@@ -1,7 +1,7 @@
 from cms.models.pluginmodel import CMSPlugin
 
 from django.db import models
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from djangocms_attributes_field import fields
 
diff --git a/taccsite_cms/contrib/taccsite_sample/cms_plugins.py b/taccsite_cms/contrib/taccsite_sample/cms_plugins.py
index f56b1d5a9..86b4d1e08 100644
--- a/taccsite_cms/contrib/taccsite_sample/cms_plugins.py
+++ b/taccsite_cms/contrib/taccsite_sample/cms_plugins.py
@@ -1,7 +1,7 @@
 from cms.plugin_base import CMSPluginBase
 from cms.plugin_pool import plugin_pool
 from cms.models.pluginmodel import CMSPlugin
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 from django.utils.encoding import force_text
 
 from .models import TaccsiteSample
diff --git a/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py b/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py
index 2202609fa..d85811068 100644
--- a/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py
+++ b/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py
@@ -1,6 +1,6 @@
 from cms.plugin_base import CMSPluginBase
 from cms.plugin_pool import plugin_pool
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from taccsite_cms.contrib.helpers import concat_classnames
 
diff --git a/taccsite_cms/contrib/taccsite_system_monitor/models.py b/taccsite_cms/contrib/taccsite_system_monitor/models.py
index 91dbae3d6..6820012d6 100644
--- a/taccsite_cms/contrib/taccsite_system_monitor/models.py
+++ b/taccsite_cms/contrib/taccsite_system_monitor/models.py
@@ -1,5 +1,5 @@
 from cms.models.pluginmodel import CMSPlugin
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from django.db import models
 

From 5e345c7a353a33d0f2149b03c1eba72960b33411 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Mon, 20 Sep 2021 15:50:13 -0500
Subject: [PATCH 18/31] FP-1194: Submodule: Update all existing sites

SEE: https://github.com/TACC/Core-CMS-Resources/pull/74
---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index 9c5a6e9b7..81d42bed9 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 9c5a6e9b740f8b7c7a2ab92823e492dd8d5c40c6
+Subproject commit 81d42bed920bdd6c9e393699a9bc88f7f70a7c42

From 698c7ab1264c11e18ae9029311fb60562515b428 Mon Sep 17 00:00:00 2001
From: Alex Rocha <rochaa@tacc.utexas.edu>
Date: Mon, 20 Sep 2021 16:57:28 -0500
Subject: [PATCH 19/31] Allowing for configurable login redirect via settings
 when 'next' isn't set from core portal

---
 taccsite_cms/remote_cms_auth.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/taccsite_cms/remote_cms_auth.py b/taccsite_cms/remote_cms_auth.py
index e253d1786..4e767d795 100644
--- a/taccsite_cms/remote_cms_auth.py
+++ b/taccsite_cms/remote_cms_auth.py
@@ -6,6 +6,7 @@
 import requests
 import logging
 from django.conf import settings
+
 UserModel = get_user_model()
 
 logger = logging.getLogger(__name__)
@@ -17,11 +18,13 @@ def verify_and_auth(request):
         # User is valid.  Set request.user and persist user in the session by logging the user in.
         request.user = user
         auth.login(request, user)
-        response = HttpResponseRedirect(request.GET.get('next', '/workbench/dashboard/'))
+        response = HttpResponseRedirect(request.GET.get('next', \
+                                                        getattr(settings, 'LOGIN_REDIRECT_URL', '/workbench/dashboard/')))
     else:
         response = HttpResponseRedirect('/')
     return response
 
+
 class CorePortalAuthBackend(ModelBackend):
     """
         Validates core portal session
@@ -31,9 +34,9 @@ class CorePortalAuthBackend(ModelBackend):
     create_unknown_user = True
 
     def authenticate(self, request):
-        response = requests.get('{0}/api/users/auth/'.format(\
-            getattr(settings,'CEP_AUTH_VERIFICATION_ENDPOINT','http://django:6000')),
-                                cookies={'coresessionid': request.COOKIES.get('coresessionid')})
+        response = requests.get('{0}/api/users/auth/'.format( \
+            getattr(settings, 'CEP_AUTH_VERIFICATION_ENDPOINT', 'http://django:6000')),
+            cookies={'coresessionid': request.COOKIES.get('coresessionid')})
         user_data = response.json()
         if user_data is None or user_data['username'] is None:
             return None
@@ -91,4 +94,3 @@ def configure_user(self, request, user):
         By default, return the user unmodified.
         """
         return user
-

From 2b20c30215715c2c65dd748a62684831fdc39e7a Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Mon, 20 Sep 2021 19:33:11 -0500
Subject: [PATCH 20/31] FP-1194: Submod: Cleanup & Add UTRC

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index 81d42bed9..4671005e5 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 81d42bed920bdd6c9e393699a9bc88f7f70a7c42
+Subproject commit 4671005e5e6416cfef7cc331b1cce6a59a6f736e

From 06540a47da183ead7eb6545a85dc36e60ef826a6 Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Tue, 21 Sep 2021 10:41:26 -0500
Subject: [PATCH 21/31] Pinning the Core CMS Submodule to use CMS SIte
 Resources main branch after getting CMS login and settings changes
 integrated.

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index 9c5a6e9b7..f52e86529 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 9c5a6e9b740f8b7c7a2ab92823e492dd8d5c40c6
+Subproject commit f52e86529e319b4207a2c34289059170fc14b517

From e55b260b6fe4e98c10a4d87db420f2d8b1400e46 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 13:34:04 -0500
Subject: [PATCH 22/31] Merge branch 'main' into
 task/GH-191-support-light-navbar-for-dark-logos

---
 .dockerignore                                 |   2 +
 .gitignore                                    |   3 +
 .../bootstrap4_djangocms_link/cms_plugins.py  |  49 ++
 .../cms_plugins.py                            |  29 ++
 .../contrib/taccsite_data_list/cms_plugins.py |   2 +-
 .../migrations/0002_auto_20210824_0803.py     |  18 +
 .../contrib/taccsite_data_list/models.py      |   2 +-
 .../contrib/taccsite_sample/cms_plugins.py    |   2 +-
 .../taccsite_system_monitor/cms_plugins.py    |   2 +-
 .../contrib/taccsite_system_monitor/models.py |   2 +-
 taccsite_cms/default_secrets.py               | 316 -------------
 taccsite_cms/remote_cms_auth.py               |  96 ++++
 taccsite_cms/settings.py                      | 429 ++++++++----------
 taccsite_cms/settings_custom.example.py       |  43 ++
 .../templates/assets_site_delayed.html        |   2 +-
 taccsite_cms/templates/fullwidth.html         |  15 +-
 taccsite_cms/templates/header.html            |   4 +-
 taccsite_cms/urls.py                          |  15 +-
 taccsite_custom                               |   2 +-
 19 files changed, 443 insertions(+), 590 deletions(-)
 create mode 100644 taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py
 create mode 100644 taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py
 create mode 100644 taccsite_cms/contrib/taccsite_data_list/migrations/0002_auto_20210824_0803.py
 delete mode 100644 taccsite_cms/default_secrets.py
 create mode 100644 taccsite_cms/remote_cms_auth.py
 create mode 100644 taccsite_cms/settings_custom.example.py

diff --git a/.dockerignore b/.dockerignore
index 2a717da57..b0631b58d 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,8 @@
 # Version Control
 .git
 
+**settings_local.py
+
 # Python
 *.pyc
 *.pyo
diff --git a/.gitignore b/.gitignore
index 391987d8b..1945af29b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -108,3 +108,6 @@ publish
 # build script local files
 web/build/buildinfo.properties
 web/build/config/buildinfo.properties
+
+*settings_custom.py
+*settings_local.py
diff --git a/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py b/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py
new file mode 100644
index 000000000..6b287e6a8
--- /dev/null
+++ b/taccsite_cms/contrib/bootstrap4_djangocms_link/cms_plugins.py
@@ -0,0 +1,49 @@
+# To support generic Link plugin without uninstalling Bootstrap4's
+# FAQ: Bootstrap Link plugin has features not desirable within TACC plugins
+# FAQ: We must not break sites that already use Bootstrap Link plugin
+try:
+    # CAVEAT: Solution must be more than that for `bootstrap4_djangocms_picture`
+    # SEE: https://github.com/django-cms/djangocms-bootstrap4/pull/138
+    import copy
+
+    from django.utils.translation import gettext as _
+
+    from cms.plugin_pool import plugin_pool
+
+    from djangocms_link.cms_plugins import LinkPlugin
+    from djangocms_bootstrap4.contrib.bootstrap4_link.cms_plugins import Bootstrap4LinkPlugin
+
+    # To unlink Bootstrap's plugin fieldsets from Generic's
+    # SEE: https://github.com/django-cms/djangocms-bootstrap4/blob/2.0.0/djangocms_bootstrap4/contrib/bootstrap4_link/cms_plugins.py#L44
+    Bootstrap4LinkPlugin.fieldsets = copy.deepcopy(Bootstrap4LinkPlugin.fieldsets)
+
+    # To restore generic Link plugin fieldsets to state before Bootstrap's
+    # SEE: https://github.com/django-cms/djangocms-link/blob/3.0.0/djangocms_link/cms_plugins.py#L19-L24
+    # SEE: https://github.com/django-cms/djangocms-bootstrap4/blob/2.0.0/djangocms_bootstrap4/contrib/bootstrap4_link/cms_plugins.py#L38-L42
+    LinkPlugin.fieldsets[0] = (
+        None, {
+            'fields': (
+                'name',
+                ('external_link', 'internal_link'),
+            )
+        }
+    )
+
+    # To signal to users that plugin is not desirable
+    Bootstrap4LinkPlugin.name = _('⚠️ Link / Button')
+    Bootstrap4LinkPlugin.fieldsets.insert(0, (
+        None, {
+            'description': _('⚠️ This plugin is <strong>deprecated</strong>. Please use "Generic" > "Link" plugin instead.<br /><small>If the "Generic" > "Link" plugin is inadequate, please inform the CMS development team.</small>'),
+            'fields': ()
+        }
+    ))
+
+    # To re-register generic Link plugin
+    # SEE: https://github.com/django-cms/djangocms-bootstrap4/blob/master/djangocms_bootstrap4/contrib/bootstrap4_link/cms_plugins.py#L81
+    plugin_pool.register_plugin(LinkPlugin)
+
+# To avoid server crash if Boostrap plugin is not registered
+# CAVEAT: If import statement fails for reason other than Bootstrap presence,
+#         then that failure, and the failure of this plugin, is silent
+except ImportError:
+    pass
diff --git a/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py b/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py
new file mode 100644
index 000000000..262d4e623
--- /dev/null
+++ b/taccsite_cms/contrib/bootstrap4_djangocms_picture/cms_plugins.py
@@ -0,0 +1,29 @@
+# To support generic Image plugin without uninstalling Bootstrap's
+# FAQ: Bootstrap Image plugin has features not desirable in TACC plugins
+# FAQ: We must not break sites that already use Bootstrap Image plugin
+try:
+    from django.utils.translation import gettext as _
+
+    from cms.plugin_pool import plugin_pool
+
+    from djangocms_picture.cms_plugins import PicturePlugin
+    from djangocms_bootstrap4.contrib.bootstrap4_picture.cms_plugins import Bootstrap4PicturePlugin
+
+    # To signal to users that plugin is not desirable
+    Bootstrap4PicturePlugin.name = _('⚠️ Picture / Image')
+    Bootstrap4PicturePlugin.fieldsets.insert(0, (
+        None, {
+            'description': _('⚠️ This plugin is <strong>deprecated</strong>. Please use "Generic" > "Image" plugin instead.<br /><small>If the "Generic" > "Image" plugin is inadequate, please inform the CMS development team.</small>'),
+            'fields': ()
+        }
+    ))
+
+    # To re-register generic Picture plugin
+    # SEE: https://github.com/django-cms/djangocms-bootstrap4/blob/master/djangocms_bootstrap4/contrib/bootstrap4_picture/cms_plugins.py#L54
+    plugin_pool.register_plugin(PicturePlugin)
+
+# To avoid server crash if Boostrap plugin is not registered
+# CAVEAT: If import statement fails for reason other than Bootstrap presence,
+#         then that failure, and the failure of this plugin, is silent
+except ImportError:
+    pass
diff --git a/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py b/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py
index fece7a03f..82a7db1c9 100644
--- a/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py
+++ b/taccsite_cms/contrib/taccsite_data_list/cms_plugins.py
@@ -1,6 +1,6 @@
 from cms.plugin_base import CMSPluginBase
 from cms.plugin_pool import plugin_pool
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from taccsite_cms.contrib.constants import TEXT_FOR_NESTED_PLUGIN_CONTENT_SWAP
 from taccsite_cms.contrib.helpers import concat_classnames
diff --git a/taccsite_cms/contrib/taccsite_data_list/migrations/0002_auto_20210824_0803.py b/taccsite_cms/contrib/taccsite_data_list/migrations/0002_auto_20210824_0803.py
new file mode 100644
index 000000000..2025d7782
--- /dev/null
+++ b/taccsite_cms/contrib/taccsite_data_list/migrations/0002_auto_20210824_0803.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.2.16 on 2021-08-24 13:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('taccsite_data_list', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='taccsitedatalistitem',
+            name='key',
+            field=models.CharField(blank=True, help_text='A label for the data value.', max_length=50, verbose_name='Label'),
+        ),
+    ]
diff --git a/taccsite_cms/contrib/taccsite_data_list/models.py b/taccsite_cms/contrib/taccsite_data_list/models.py
index 750698739..431e874e8 100644
--- a/taccsite_cms/contrib/taccsite_data_list/models.py
+++ b/taccsite_cms/contrib/taccsite_data_list/models.py
@@ -1,7 +1,7 @@
 from cms.models.pluginmodel import CMSPlugin
 
 from django.db import models
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from djangocms_attributes_field import fields
 
diff --git a/taccsite_cms/contrib/taccsite_sample/cms_plugins.py b/taccsite_cms/contrib/taccsite_sample/cms_plugins.py
index f56b1d5a9..86b4d1e08 100644
--- a/taccsite_cms/contrib/taccsite_sample/cms_plugins.py
+++ b/taccsite_cms/contrib/taccsite_sample/cms_plugins.py
@@ -1,7 +1,7 @@
 from cms.plugin_base import CMSPluginBase
 from cms.plugin_pool import plugin_pool
 from cms.models.pluginmodel import CMSPlugin
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 from django.utils.encoding import force_text
 
 from .models import TaccsiteSample
diff --git a/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py b/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py
index 2202609fa..d85811068 100644
--- a/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py
+++ b/taccsite_cms/contrib/taccsite_system_monitor/cms_plugins.py
@@ -1,6 +1,6 @@
 from cms.plugin_base import CMSPluginBase
 from cms.plugin_pool import plugin_pool
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from taccsite_cms.contrib.helpers import concat_classnames
 
diff --git a/taccsite_cms/contrib/taccsite_system_monitor/models.py b/taccsite_cms/contrib/taccsite_system_monitor/models.py
index 91dbae3d6..6820012d6 100644
--- a/taccsite_cms/contrib/taccsite_system_monitor/models.py
+++ b/taccsite_cms/contrib/taccsite_system_monitor/models.py
@@ -1,5 +1,5 @@
 from cms.models.pluginmodel import CMSPlugin
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext as _
 
 from django.db import models
 
diff --git a/taccsite_cms/default_secrets.py b/taccsite_cms/default_secrets.py
deleted file mode 100644
index 2d1ee3a16..000000000
--- a/taccsite_cms/default_secrets.py
+++ /dev/null
@@ -1,316 +0,0 @@
-# TACC CMS SITE TEMPLATE SETTINGS.
-# DEFAULT VALUES.
-# CHANGE BEFOR DEV/PREPROD/PRODUCTION DEPLOYMENT.
-
-########################
-# DJANGO SETTINGS
-########################
-
-_SECRET_KEY = 'replacethiswithareallysecureandcomplexsecretkeystring'
-_DEBUG = True       # False for Prod.
-_CONSOLE_LOG_ENABLED = False    # Boolean check to turn on/off console logging statements.
-
-# Specify allowed hosts or use an asterisk to allow any host and simplify the config.
-# _ALLOWED_HOSTS = ['hostname.tacc.utexas.edu', 'host.ip.v4.address', '0.0.0.0', 'localhost', '127.0.0.1']   # In production.
-_ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'localhost', '*']   # In development.
-
-# Boolean check to see if ldap is being used by the site.
-# Requires django-auth-ldap ≥ 2.0.0
-_LDAP_ENABLED = False
-
-# Boolean check to determine the appropriate database settings when using containers.
-_USING_CONTAINERS = True
-
-########################
-# DATABASE SETTINGS
-########################
-
-if _USING_CONTAINERS:
-    # used in container deployments.
-    _DATABASES = {
-        'default': {
-            'ENGINE': 'django.db.backends.postgresql_psycopg2',
-            'PORT': '5432',
-            'NAME': 'taccsite',
-            'USER': 'postgresadmin',
-            'PASSWORD': 'taccforever', # Change before live deployment.
-            'HOST': 'core_cms_postgres'
-        }
-    }
-else:
-    # used in local dev, venv or manual deployments.
-    _DATABASES = {
-        'default': {
-            'ENGINE': 'django.db.backends.postgresql_psycopg2',
-            'PORT': '5432',
-            'NAME': 'taccsite',
-            'USER': 'postgresadmin',
-            'PASSWORD': 'taccforever', # Change before live deployment.
-            'HOST': 'localhost'
-        }
-    }
-
-########################
-# DJANGO CMS SETTINGS
-########################
-
-# CMS Site (allows for multiple sites on a single CMS)
-_SITE_ID = 1
-_CMS_TEMPLATES = (
-    # Customize this list in per-project `secrets.py`
-    # FAQ: First template is default template
-    # REF: http://docs.django-cms.org/en/latest/how_to/install.html#templates
-
-    # For standard pages (has Container and Breadcrumbs)
-    ('standard.html', 'Standard'),
-    # For content that spans full window width (no Container nor Breadcrumbs)
-    ('fullwidth.html', 'Fullwidth'),
-
-    # Any project that needs per-project styles must have a custom template
-    # FAQ: This is a tedious solution until a cleaner solution is devised
-    # TODO: Automate per-project asset load and update exisitng sites as needed
-    # ('name-of-project/templates/fullwidth.html', 'Fullwidth (Custom)'),
-    # NOTE: If project later uses custom template, then for that project:
-    #       1. Rename standard default template to "DEPRECATED […]".
-    #       2. Update all pages to use the custom default template.
-    #       3. Disable standard default template (remove from `_CMS_TEMPLATES`).
-    # ('fullwidth.html', 'DEPRECATED Fullwidth'),
-
-    # Any portal whose homepage has NO design must enable and use this template
-    # ('home_portal.html', 'Standard Portal Homepage'),
-
-    # All portals should enable all of these templates
-    # FAQ: If this becomes mandatory, then in `settings.py`:
-    #      `if _PORTAL: [ manually add these entries ]`
-    # ('guide.html', 'Guide'),
-    # ('guides/getting_started.html', 'Guide: Getting Started'),
-    # ('guides/data_transfer.html', 'Guide: Data Transfer'),
-    # ('guides/data_transfer.globus.html', 'Guide: Globus Data Transfer'),
-    # ('guides/portal_technology.html', 'Guide: Portal Technology Stack'),
-
-    # For now, only Core portal should enable this template
-    # FAQ: We know not yet how to auto-replicate pages and plugins across sites
-    # ('style_guide.html', 'Style Guide'),
-)
-
-########################
-# GOOGLE ANALYTICS
-########################
-
-# To use during dev, Tracking Protection in browser needs to be turned OFF.
-_GOOGLE_ANALYTICS_PROPERTY_ID = "UA-123ABC@%$&-#"
-_GOOGLE_ANALYTICS_PRELOAD = True
-
-########################
-# CMS FORMS
-########################
-
-# Create CMS Forms
-# SEE: https://pypi.org/project/djangocms-forms/
-# SEE: https://www.google.com/recaptcha/admin/create
-_DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY = ""
-_DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY = ""
-
-########################
-# ELASTICSEARCH
-########################
-
-_ES_AUTH = 'username:password'
-_ES_HOSTS = 'http://elasticsearch:9200'
-_ES_INDEX_PREFIX = 'cms-dev-{}'
-_ES_DOMAIN = 'http://localhost:8000'
-
-########################
-# FEATURES
-########################
-
-"""
-Features for the CMS that can be turned either ON or OFF
-
-Usage:
-
-- For baked-in features, like BRANDING or PORTAL, see relevant section instead.
-- For optional features, look below, and enable feature(s) via _FEATURES list.
-
-Baked-In Feature Setting Example.
-
-# Desctipion of feature X
-# SEE: [link to user/div guide about feature]
-_FEATURE_A = "someValue"
-
-Optional Feature Toggle Example.
-
-_FEATURES = {
-    # Desctipion of feature X
-    # SEE: [link to user/dev guide about feature]
-    "X": True,
-
-    # Desctipion of feature Y
-    # SEE: [link to user/dev guide about feature]
-    "Y": False,
-
-    # Desctipion of feature Z
-    # SEE: [link to user/dev guide about feature]
-    "Z": True,
-}
-
-"""
-
-_FEATURES = {
-    # Blog/News & Social Media Metadata
-    # GL-42: Split this into two features
-    # SEE: https://confluence.tacc.utexas.edu/x/EwDeCg
-    # SEE: https://confluence.tacc.utexas.edu/x/FAA9Cw
-    "blog": False,
-}
-
-########################
-# BRANDING & LOGOS & FAVICON
-########################
-# TODO: GH-59: Use Dict Not Array for Branding Settings
-
-# Visual theme for the CMS
-
-"""
-Optional theming of CMS (certain themes may only affect some elements)
-Usage:
-- None (standard theme)
-- 'has-dark-logo'
-"""
-
-_THEME = None
-
-# Branding settings for portal and navigation.
-
-"""
-Additional Branding and Portal Logos for Partner & Affiliate Organizations
-
-Usage:
-
-- For each beand used in the templating, add corresponding new settings values to this file  (see example below).
-- New branding settings must be added to the _BRANDING list to render in the template.
-- The order of the _BRANDING list determines the rendering order of the elements in the template.
-- The portal logo setting must be assigned to the _LOGO variable to render in the template.
-- The following VALUES for new elements set in the configuration object must exist in the portal css as well:
-    - Any new selectors or css styles (add to /taccsite_cms/static/site_cms/css/src/_imports/branding_logos.css)
-    - Image files being references (add to /taccsite_cms/static/site_cms/img/org_logos)
-
-Values to populate (for an array):
-
-_SETTING_NAME = [                # The name of the branding or logo config setting object.
-    "org_name",                    # The name of the organization the branding belongs too.
-    "img_file_src",                # Path and filename relative to the static files folder.
-    "img_element_classes",         # The list of selectors to apply to the rendered element, these need to exist in the css/scss.
-    "a_target_url",                # The href link to follow when clicked, use "/" for portal logos.
-    "a_target_type",               # The target to open the new link in, use _blank for external links, _self for internal links.
-    "alt_text",                    # The text to read or render for web assistance standards.
-    "cors_setting",                # The CORS setting for the image, set to anonymous by default.
-    "visibility"                   # Toggles wether or not to display the element in the template, use True to render, False to hide.
-]
-
-Values to populate (for a dict):
-
-_SETTING_NAME = {                  # The name of the favicon config setting object.
-    "img_file_src": "…",             # Path and filename relative to the static files folder.
-}
-
-Branding Configuration Example.
-
-_ANORG_BRANDING = [
-   "anorg",
-   "site_cms/img/org_logos/anorg-logo.png"
-   "branding-anorg",
-   "https://www.anorg.com/"
-   "_blank",
-   "ANORG Logo",
-   "anonymous",
-   "True"
-]
-
-Logo Configuration Example.
-
-_ANORG_LOGO = [
-   "anorg",
-   "site_cms/img/org_logos/anorg-logo.png"
-   "branding-anorg",
-   "/"
-   "_self",
-   "ANORG Logo",
-   "anonymous",
-   "True"
-]
-
-Favicon Configuration Example.
-
-_ANORG_FAVICON = {
-    "img_file_src": "site_cms/img/favicons/favicon.ico"
-}
-"""
-
-########################
-# BRANDING
-
-_TACC_BRANDING = [
-    "tacc",
-    "site_cms/img/org_logos/tacc-white.png",
-    "branding-tacc",
-    "https://www.tacc.utexas.edu/",
-    "_blank",
-    "TACC Logo",
-    "anonymous",
-    "True"
-]
-
-_UTEXAS_BRANDING = [
-    "utexas",
-    "site_cms/img/org_logos/utaustin-white.png",
-    "branding-utaustin",
-    "https://www.utexas.edu/",
-    "_blank",
-    "University of Texas at Austin Logo",
-    "anonymous",
-    "True"
-]
-
-_NSF_BRANDING = [
-    "nsf",
-    "site_cms/img/org_logos/nsf-white.png",
-    "branding-nsf",
-    "https://www.nsf.gov/",
-    "_blank",
-    "NSF Logo",
-    "anonymous",
-    "True"
-]
-
-_BRANDING = [ _TACC_BRANDING, _UTEXAS_BRANDING ]        # Default TACC Portal.
-# _BRANDING = [ _NSF_BRANDING, _TACC_BRANDING, _UTEXAS_BRANDING ]       # NSF Funded TACC Portal.
-
-########################
-# LOGOS
-
-_PORTAL_LOGO = [
-    "portal",
-    "site_cms/img/org_logos/portal.png",
-    "",
-    "/",
-    "_self",
-    "Portal Logo",
-    "anonymous",
-    "True"
-]
-
-_LOGO = _PORTAL_LOGO                # Default Portal Logo.
-
-########################
-# FAVICON
-
-_FAVICON = {
-    "img_file_src": "site_cms/img/favicons/favicon.ico"
-}
-
-########################
-# PORTAL
-########################
-
-_PORTAL = False     # True for any CMS that is part of a Portal.
diff --git a/taccsite_cms/remote_cms_auth.py b/taccsite_cms/remote_cms_auth.py
new file mode 100644
index 000000000..4e767d795
--- /dev/null
+++ b/taccsite_cms/remote_cms_auth.py
@@ -0,0 +1,96 @@
+import inspect
+from django.http import HttpResponse, HttpResponseRedirect
+from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth import get_user_model
+from django.contrib import auth as auth
+import requests
+import logging
+from django.conf import settings
+
+UserModel = get_user_model()
+
+logger = logging.getLogger(__name__)
+
+
+def verify_and_auth(request):
+    user = auth.authenticate(request)
+    if user:
+        # User is valid.  Set request.user and persist user in the session by logging the user in.
+        request.user = user
+        auth.login(request, user)
+        response = HttpResponseRedirect(request.GET.get('next', \
+                                                        getattr(settings, 'LOGIN_REDIRECT_URL', '/workbench/dashboard/')))
+    else:
+        response = HttpResponseRedirect('/')
+    return response
+
+
+class CorePortalAuthBackend(ModelBackend):
+    """
+        Validates core portal session
+        Extends Django ModelBackend, parts of this were taken from Django's source:
+        https://github.com/django/django/blob/stable/2.2.x/django/contrib/auth/backends.py#L128
+    """
+    create_unknown_user = True
+
+    def authenticate(self, request):
+        response = requests.get('{0}/api/users/auth/'.format( \
+            getattr(settings, 'CEP_AUTH_VERIFICATION_ENDPOINT', 'http://django:6000')),
+            cookies={'coresessionid': request.COOKIES.get('coresessionid')})
+        user_data = response.json()
+        if user_data is None or user_data['username'] is None:
+            return None
+        username = user_data['username']
+        email = user_data['email']
+        first_name = user_data['first_name']
+        last_name = user_data['last_name']
+
+        if request.user.is_authenticated:
+            self._remove_invalid_user(request)
+
+        if self.create_unknown_user:
+            user, created = UserModel._default_manager.get_or_create(**{
+                UserModel.USERNAME_FIELD: username
+            })
+            user.email = email
+            user.first_name = first_name
+            user.last_name = last_name
+            user.save()
+            if created:
+                args = (request, user)
+                try:
+                    inspect.getcallargs(self.configure_user, request, user)
+                except TypeError:
+                    args = (user,)
+                    warnings.warn(
+                        'Update %s.configure_user() to accept `request` as '
+                        'the first argument.'
+                        % self.__class__.__name__, RemovedInDjango31Warning
+                    )
+                user = self.configure_user(*args)
+        else:
+            try:
+                user = UserModel._default_manager.get_by_natural_key(username)
+            except UserModel.DoesNotExist:
+                pass
+        return user if self.user_can_authenticate(user) else None
+
+    def _remove_invalid_user(self, request):
+        """
+        Remove the current authenticated user
+        """
+        try:
+            stored_backend = load_backend(request.session.get(auth.BACKEND_SESSION_KEY, ''))
+        except ImportError:
+            # backend failed to load
+            auth.logout(request)
+        else:
+            if isinstance(stored_backend, RemoteUserBackend):
+                auth.logout(request)
+
+    def configure_user(self, request, user):
+        """
+        Configure a user after creation and return the updated user.
+        By default, return the user unmodified.
+        """
+        return user
diff --git a/taccsite_cms/settings.py b/taccsite_cms/settings.py
index 0e0916a6d..a168c98fc 100644
--- a/taccsite_cms/settings.py
+++ b/taccsite_cms/settings.py
@@ -1,13 +1,9 @@
-# taccsite_cms/settings.py
 
 """
-Django settings for taccsite_cms project.
-
+Django settings
 Generated by 'django-admin startproject' using Django 1.11.22.
-
 For more information on this file, see
 https://docs.djangoproject.com/en/2.2/topics/settings/
-
 For the full list of settings and their values, see
 https://docs.djangoproject.com/en/2.2/ref/settings/
 """
@@ -15,91 +11,175 @@
 import logging
 import os
 from glob import glob
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
 
-
+SECRET_KEY = 'CHANGE_ME'
 def gettext(s): return s
 
+DATA_DIR = os.path.dirname(os.path.dirname(__file__))
+
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-# Import secret values dynamically without breaking portal.
-def getsecrets():
-    new_secrets = {};                                                                           # Var to hold secret values once imported succesfully.
-    # Check for production secrets.
-    try:
-        print('Checking for secret production values')
-        import taccsite_cms.secrets as secrets                                       # Prod/Staging/Local Dev values (used instead of the default values if present)
-        new_secrets = secrets
-        print('Production secrets found, using values')
-    except ModuleNotFoundError as err:
-        # Error handling
-        print(err)
-        print('No production secrets found')
-        pass
-        # Check for the default secret values.
-        try:
-            print('Checking for default secret values')
-            import taccsite_cms.default_secrets as default_secrets            # Default demo values (works for basic local dev out of the box)
-            new_secrets = default_secrets
-            print('Default secrets found, using default values')
-        except ModuleNotFoundError as err:
-            # Error handling
-            print(err)
-            print('No default secrets found')
-            print('Check that you have a secrets.py or default_secrets.py')
-    finally:
-        # Return the secret values if they are found.
-        return new_secrets
-
-# Assign secret settings values.
-current_secrets = getsecrets()
-
-# Boolean check to turn on/off console logging statements.
-CONSOLE_LOG_ENABLED = current_secrets._CONSOLE_LOG_ENABLED
-
-# Verifying console logging is on.
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable CONSOLE_LOG_ENABLED: ", CONSOLE_LOG_ENABLED)
-
-LDAP_ENABLED = current_secrets._LDAP_ENABLED
-
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable LDAP_ENABLED: ", LDAP_ENABLED)
-
-if LDAP_ENABLED:
-    import ldap
-    from django_auth_ldap.config \
-        import LDAPSearch, GroupOfNamesType
+DEBUG = True       # False for Prod.
 
-DATA_DIR = os.path.dirname(os.path.dirname(__file__))
+# Specify allowed hosts or use an asterisk to allow any host and simplify the config.
+# ALLOWED_HOSTS = ['hostname.tacc.utexas.edu', 'host.ip.v4.address', '0.0.0.0', 'localhost', '127.0.0.1']   # In production.
+ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'localhost', '*']   # In development.
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable DATA_DIR: ", DATA_DIR)
+# Requires django-auth-ldap ≥ 2.0.0
+LDAP_ENABLED = True
 
-# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+########################
+# DATABASE SETTINGS
+########################
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'PORT': '5432',
+        'NAME': 'taccsite',
+        'USER': 'postgresadmin',
+        'PASSWORD': 'taccforever',  # Change before live deployment.
+        'HOST': 'core_cms_postgres'
+    }
+}
+
+AUTHENTICATION_BACKENDS = [
+    "django.contrib.auth.backends.ModelBackend",
+    "taccsite_cms.remote_cms_auth.CorePortalAuthBackend",
+    "django_auth_ldap.backend.LDAPBackend"
+]
+
+''' LDAP Auth Settings '''
+AUTH_LDAP_SERVER_URI = "ldap://ldap.tacc.utexas.edu"
+AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
+AUTH_LDAP_START_TLS = True
+AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
+AUTH_LDAP_BIND_DN = ""
+AUTH_LDAP_BIND_PASSWORD = ""
+AUTH_LDAP_AUTHORIZE_ALL_USERS = True
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    "ou=People,dc=tacc,dc=utexas,dc=edu", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
+)
+
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+}
+
+SITE_ID = 1
+
+CMS_TEMPLATES = (
+    ('standard.html', 'Standard'),
+    ('fullwidth.html', 'Full Width'),
+)
+
+CMS_PERMISSION = True
+
+########################
+# GOOGLE ANALYTICS
+########################
+
+# To use during dev, Tracking Protection in browser needs to be turned OFF.
+GOOGLE_ANALYTICS_PROPERTY_ID = "UA-123ABC@%$&-#"
+GOOGLE_ANALYTICS_PRELOAD = True
+
+########################
+# CMS FORMS
+########################
+
+# Create CMS Forms
+# SEE: https://pypi.org/project/djangocms-forms/
+# SEE: https://www.google.com/recaptcha/admin/create
+DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY = ""
+DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY = ""
 
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
+########################
+# ELASTICSEARCH
+########################
 
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = current_secrets._SECRET_KEY
+ES_AUTH = 'username:password'
+ES_HOSTS = 'http://elasticsearch:9200'
+ES_INDEX_PREFIX = 'cms-dev-{}'
+ES_DOMAIN = 'http://localhost:8000'
 
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = current_secrets._DEBUG
+"""
+Optional theming of CMS (certain themes may only affect some elements)
+Usage:
+- None (standard theme)
+- 'has-dark-logo'
+"""
+THEME = None
+
+TACC_BRANDING = [
+    "tacc",
+    "site_cms/img/org_logos/tacc-white.png",
+    "branding-tacc",
+    "https://www.tacc.utexas.edu/",
+    "_blank",
+    "TACC Logo",
+    "anonymous",
+    "True"
+]
+
+UTEXAS_BRANDING = [
+    "utexas",
+    "site_cms/img/org_logos/utaustin-white.png",
+    "branding-utaustin",
+    "https://www.utexas.edu/",
+    "_blank",
+    "University of Texas at Austin Logo",
+    "anonymous",
+    "True"
+]
 
-# Host Access.
-ALLOWED_HOSTS = current_secrets._ALLOWED_HOSTS
+NSF_BRANDING = [
+    "nsf",
+    "site_cms/img/org_logos/nsf-white.png",
+    "branding-nsf",
+    "https://www.nsf.gov/",
+    "_blank",
+    "NSF Logo",
+    "anonymous",
+    "True"
+]
+
+BRANDING = [ TACC_BRANDING, UTEXAS_BRANDING ]
+
+LOGO = [
+    "portal",
+    "site_cms/img/org_logos/portal.png",
+    "",
+    "/",
+    "_self",
+    "Portal Logo",
+    "anonymous",
+    "True"
+]
+
+FAVICON = {
+    "img_file_src": "site_cms/img/favicons/favicon.ico"
+}
 
-# Custom Branding.
-THEME = current_secrets._THEME if hasattr(current_secrets, '_THEME') else None
-BRANDING = current_secrets._BRANDING
-LOGO = current_secrets._LOGO
-FAVICON = current_secrets._FAVICON
+########################
+# PORTAL ACCESS
+########################
 
-# Configure Portal.
-PORTAL = current_secrets._PORTAL
+INCLUDES_CORE_PORTAL = True
 
-# Optional features.
-FEATURES = current_secrets._FEATURES
+LOGOUT_REDIRECT_URL='/'
+
+## using container name to avoid cep.dev dns issues locally
+## this will need to be updated for dev/pprd/prod systems
+## for example, CEP_AUTH_VERIFICATION_ENDPOINT=https://dev.cep.tacc.utexas.edu
+CEP_AUTH_VERIFICATION_ENDPOINT='http://django:6000'
+
+########################
+# CLIENT BUILD SETTINGS
+########################
 
 # Application definition
 ROOT_URLCONF = 'taccsite_cms.urls'
@@ -109,9 +189,6 @@ def getsecrets():
 STATIC_URL = '/static/'
 STATIC_ROOT = os.path.join(DATA_DIR, 'static')
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable STATIC_ROOT: ", STATIC_ROOT)
-
 STATICFILES_DIRS = (
     os.path.join(BASE_DIR, 'taccsite_cms', 'static'),
     # os.path.join(BASE_DIR, 'taccsite_cms', 'en', 'static'),
@@ -119,16 +196,10 @@ def getsecrets():
     os.path.join(BASE_DIR, 'taccsite_custom', '*', 'static')
 ))
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable STATICFILES_DIRS: ", STATICFILES_DIRS)
-
 # User Uploaded Files Location.
 MEDIA_URL = '/media/'
 MEDIA_ROOT = os.path.join(DATA_DIR, 'media')
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable MEDIA_ROOT: ", MEDIA_ROOT)
-
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
@@ -139,7 +210,6 @@ def getsecrets():
         ) + [
             os.path.join(BASE_DIR, 'taccsite_cms', 'templates')
         ],
-        # 'APP_DIRS': True,
         'OPTIONS': {
             'context_processors': [
                 'django.contrib.auth.context_processors.auth',
@@ -169,9 +239,6 @@ def getsecrets():
     },
 ]
 
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable TEMPLATES: ", TEMPLATES)
-
 MIDDLEWARE = [
     'cms.middleware.utils.ApphookReloadMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -207,10 +274,8 @@ def getsecrets():
     'djangocms_text_ckeditor',
     'filer',
     'easy_thumbnails',
-    # 'djangocms_audio',
     'djangocms_column',
     'djangocms_file',
-    # 'djangocms_forms', # FP-416: Pending full support
     'djangocms_link',
     'djangocms_picture',
     'djangocms_style',
@@ -235,15 +300,13 @@ def getsecrets():
     'djangocms_bootstrap4.contrib.bootstrap4_utilities',
     'haystack',
     'aldryn_apphooks_config',
-    # For faster testing, disable migrations during database creation
-    # SEE: https://stackoverflow.com/a/37150997
     'test_without_migrations',
     'taccsite_cms',
-    # TODO: Extract TACC CMS UI components into pip-installable plugins
-    # FAQ: The djangocms_bootstrap4 library can serve as an example
+    'taccsite_cms.contrib.bootstrap4_djangocms_link',
+    'taccsite_cms.contrib.bootstrap4_djangocms_picture',
     'taccsite_cms.contrib.taccsite_sample',
     'taccsite_cms.contrib.taccsite_system_monitor',
-    'taccsite_cms.contrib.taccsite_data_list',
+    'taccsite_cms.contrib.taccsite_data_list'
 ]
 
 # Convert list of paths to list of dotted module names
@@ -264,80 +327,17 @@ def get_subdirs_as_module_names(path):
 # Append CMS project paths as module names to INSTALLED_APPS
 # FAQ: This automatically looks into `/taccsite_custom` and creates an "App" for each directory within
 CUSTOM_CMS_DIR = os.path.join(BASE_DIR, 'taccsite_custom')
+
 INSTALLED_APPS_APPEND = get_subdirs_as_module_names(CUSTOM_CMS_DIR)
 INSTALLED_APPS = INSTALLED_APPS + INSTALLED_APPS_APPEND
 
-
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable INSTALLED_APPS: ", INSTALLED_APPS)
-
-AUTHENTICATION_BACKENDS = [
-    "django.contrib.auth.backends.ModelBackend",
-]
-
-if LDAP_ENABLED:
-    AUTHENTICATION_BACKENDS.insert(0,
-        "django_auth_ldap.backend.LDAPBackend"
-    )
-
-    ''' LDAP Auth Settings '''
-    AUTH_LDAP_SERVER_URI = "ldap://ldap.tacc.utexas.edu"
-    AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
-    AUTH_LDAP_START_TLS = True
-    AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
-
-    AUTH_LDAP_BIND_DN = ""
-    AUTH_LDAP_BIND_PASSWORD = ""
-    AUTH_LDAP_USER_SEARCH = LDAPSearch(
-        "ou=People,dc=tacc,dc=utexas,dc=edu", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
-    )
-
-    AUTH_LDAP_AUTHORIZE_ALL_USERS = True
-
-    AUTH_LDAP_USER_ATTR_MAP = {
-        "first_name": "givenName",
-        "last_name": "sn",
-        "email": "mail",
-    }
-
-    '''
-     # More customizations
-
-     AUTH_LDAP_REQUIRE_GROUP = "cn=TACC-ACI-WMA,ou=Groups,dc=tacc,dc=utexas,dc=edu"
-     AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
-         "ou=Groups,dc=tacc,dc=utexas,dc=edu",
-         ldap.SCOPE_SUBTREE,
-         "(objectClass=groupOfUniqueNames)",
-     )
-     AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
-    '''
-    ''' End LDAP Auth Settings '''
-
-if getattr(current_secrets, '_CACHES', None):
-    CACHES = secrets._CACHES                        # Are we actually using this setting?
-
-DATABASES = current_secrets._DATABASES
-
 MIGRATION_MODULES = { }
-
-# SSL Setup.
-# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
-# SECURE_SSL_REDIRECT = True
-# SESSION_COOKIE_SECURE = True
-# CSRF_COOKIE_SECURE = True
-
-# Internationalization
-# https://docs.djangoproject.com/en/2.2/topics/i18n/
-
 LANGUAGE_CODE = 'en'
 TIME_ZONE = 'America/Chicago'
 USE_I18N = True
 USE_L10N = True
 USE_TZ = True
 
-# DjangoCMS Setup.
-SITE_ID = current_secrets._SITE_ID
-
 LANGUAGES = (
     # Customize this
     ('en', gettext('en')),
@@ -361,7 +361,6 @@ def get_subdirs_as_module_names(path):
     },
 }
 
-CMS_TEMPLATES = current_secrets._CMS_TEMPLATES
 CMS_PERMISSION = True
 CMS_PLACEHOLDER_CONF = {}
 
@@ -373,52 +372,6 @@ def get_subdirs_as_module_names(path):
     'easy_thumbnails.processors.filters'
 )
 
-
-# FEATURES.
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable FEATURES: ")
-    for feature in FEATURES:
-        print(feature + ": ", FEATURES[feature])
-
-if current_secrets._FEATURES['blog']:
-    # Install required apps
-    INSTALLED_APPS += [
-        # Blog/News
-        # 'filer',              # Already added
-        # 'easy_thumbnails',    # Already added
-        'parler',
-        'taggit',
-        'taggit_autosuggest',
-        'meta',                 # also supports `djangocms_page_meta`
-        'sortedm2m',
-        'djangocms_blog',
-
-        # Metadata
-        'djangocms_page_meta',
-    ]
-
-    # Metadata: Configure
-    META_SITE_PROTOCOL = 'http'
-    META_USE_SITES = True
-    META_USE_OG_PROPERTIES = True
-    META_USE_TWITTER_PROPERTIES = True
-    META_USE_GOOGLEPLUS_PROPERTIES = True # django-meta 1.x+
-    # META_USE_SCHEMAORG_PROPERTIES=True  # django-meta 2.x+
-
-    # Blog/News: Set custom paths for templates
-    BLOG_PLUGIN_TEMPLATE_FOLDERS = (
-        ('plugins/default', 'Default template'),    # i.e. `templates/djangocms_blog/plugins/default/`
-        ('plugins/default-clone', 'Clone of default template'),  # i.e. `templates/djangocms_blog/plugins/default-clone/`
-    )
-
-    # Blog/News: Change default values for the auto-setup of one `BlogConfig`
-    # SEE: https://github.com/nephila/djangocms-blog/issues/629
-    BLOG_AUTO_SETUP = True
-    BLOG_AUTO_HOME_TITLE ='Home'
-    BLOG_AUTO_BLOG_TITLE = 'News'
-    BLOG_AUTO_APP_TITLE = 'News'
-
-
 DJANGOCMS_PICTURE_NESTING = True
 DJANGOCMS_PICTURE_RESPONSIVE_IMAGES = True
 DJANGOCMS_PICTURE_RESPONSIVE_IMAGES_VIEWPORT_BREAKPOINTS = [
@@ -434,39 +387,19 @@ def get_subdirs_as_module_names(path):
 FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_MAX_MEMORY_SIZE = 20000000 # 20MB
 
-# Custom picture templates - if required.
-# DJANGOCMS_PICTURE_TEMPLATES = [
-#     ('background', _('Background image')), # Need to design these first!
-# ]
-
 DJANGOCMS_AUDIO_ALLOWED_EXTENSIONS = ['mp3', 'ogg', 'wav']
-# Custom audio templates - if required.
-# DJANGOCMS_AUDIO_TEMPLATES = [
-#     ('feature', _('Featured Version')),
-# ]
 
 # Djangocms Forms Settings.
 # SEE: https://github.com/mishbahr/djangocms-forms#configuration
 DJANGOCMS_FORMS_PLUGIN_MODULE = ('Generic')
 DJANGOCMS_FORMS_PLUGIN_NAME = ('Form')
-# DJANGOCMS_FORMS_DEFAULT_TEMPLATE = 'djangocms_forms/form_template/default.html'
+
 DJANGOCMS_FORMS_TEMPLATES = (
     ('djangocms_forms/form_template/default.html', ('Default')),
 )
 DJANGOCMS_FORMS_USE_HTML5_REQUIRED = False
-# DJANGOCMS_FORMS_WIDGET_CSS_CLASSES = {'__all__': ('form-control', ) }
-DJANGOCMS_FORMS_REDIRECT_DELAY = 10000  # 10 seconds
 
-DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY = current_secrets._DJANGOCMS_FORMS_RECAPTCHA_PUBLIC_KEY
-DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY = current_secrets._DJANGOCMS_FORMS_RECAPTCHA_SECRET_KEY
-
-# Google Analytics.
-GOOGLE_ANALYTICS_PROPERTY_ID  = current_secrets._GOOGLE_ANALYTICS_PROPERTY_ID
-GOOGLE_ANALYTICS_PRELOAD = current_secrets._GOOGLE_ANALYTICS_PRELOAD
-
-# SETTINGS VARIABLE EXPORTS.
-# Use a custom namespace (using default settings.VARIABLE configuration)
-SETTINGS_EXPORT_VARIABLE_NAME = 'settings'
+DJANGOCMS_FORMS_REDIRECT_DELAY = 1
 
 # Elasticsearch Indexing
 HAYSTACK_ROUTERS = ['aldryn_search.router.LanguageRouter',]
@@ -476,28 +409,42 @@ def get_subdirs_as_module_names(path):
 HAYSTACK_CONNECTIONS = {
     'default': {
         'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
-        'URL': current_secrets._ES_HOSTS,
-        'INDEX_NAME': current_secrets._ES_INDEX_PREFIX.format('cms'),
-        'KWARGS': {'http_auth': current_secrets._ES_AUTH }
+        'URL': ES_HOSTS,
+        'INDEX_NAME': 'cms',
+        'KWARGS': {'http_auth': ES_AUTH }
     }
 }
 
-ES_DOMAIN = current_secrets._ES_DOMAIN
+SETTINGS_EXPORT_VARIABLE_NAME = 'settings'
+
+FEATURES = ''
+
+try:
+    from taccsite_cms.settings_custom import *
+except:
+    None
+    # do nothing
+
+try:
+    from taccsite_cms.secrets import *
+except:
+    None
+    # do nothing
+
+try:
+    from taccsite_cms.settings_local import *
+except:
+    None
+    # do nothing
 
-# Exported settings.
 SETTINGS_EXPORT = [
     'DEBUG',
+    'FEATURES',
     'THEME',
     'BRANDING',
     'LOGO',
     'FAVICON',
-    'PORTAL',
-    'FEATURES',
+    'INCLUDES_CORE_PORTAL',
     'GOOGLE_ANALYTICS_PROPERTY_ID',
     'GOOGLE_ANALYTICS_PRELOAD'
 ]
-
-if CONSOLE_LOG_ENABLED:
-    print("--> Variable SETTINGS_EXPORT: ")
-    for setting in SETTINGS_EXPORT:
-        print(setting)
diff --git a/taccsite_cms/settings_custom.example.py b/taccsite_cms/settings_custom.example.py
new file mode 100644
index 000000000..6ea8dac74
--- /dev/null
+++ b/taccsite_cms/settings_custom.example.py
@@ -0,0 +1,43 @@
+
+'''
+
+settings_custom.py file can be used to override default values in settings.py
+
+The settings_custom.py file is loaded after default settings but before settings assignment is complete,
+giving us the opportunity to override settings in either settings_custom.py (usually set in custom sites)
+or in settings_local.py (usually used in a local dev environment).
+
+To override a setting,
+simply copy/paste the default settings and set the new/custom values
+
+If a setting override is for a custom site in an existing submodule, the change is made in
+the settings_custom.py file of that submodules site directory and (if not a secret) can be committed
+
+
+Unless modifying default behavior for the default cms and all custom sites (which probably means that
+setting should be in the settings.py file), the settings_custom.py file that should be modified is
+the one in the appropriate taccsite_custom site directory.
+
+'''
+
+# For example if we want to change LDAP auth settings for a custome site, let's say frontera-cms
+# we simply copy the setting from settings.py, and
+# assign the new value in "Core-CMS/taccsite_custom/frontera-cms/settings_custom.py"
+''' Example LDAP Auth Setting change where we just changing the ldap url '''
+AUTH_LDAP_SERVER_URI = "ldap://cluster.ldap.tacc.utexas.edu"
+
+#The same goes for other more commonly customized values like below
+# A customization to this default would be applied in settings_custom.py of the appropriate custom site
+PORTAL_LOGO = [
+    "portal",
+    "site_cms/img/org_logos/portal.png",
+    "",
+    "/",
+    "_self",
+    "Portal Logo",
+    "anonymous",
+    "True"
+]
+
+LOGO = PORTAL_LOGO
+
diff --git a/taccsite_cms/templates/assets_site_delayed.html b/taccsite_cms/templates/assets_site_delayed.html
index 398724f1d..6d9df5ff3 100644
--- a/taccsite_cms/templates/assets_site_delayed.html
+++ b/taccsite_cms/templates/assets_site_delayed.html
@@ -18,7 +18,7 @@
 
 <!-- Site Assets (Delayed): Font Icons -->
 {# FAQ: Not loaded in `assets_font.html` because these is NOT font for content which should avoid FOUT, FOIT, FOFT; but decorative, thus superfluous, icons #}
-{% if settings.PORTAL %}
+{% if settings.INCLUDES_CORE_PORTAL %}
 <!-- FP-526: Stop using Font Awesome icons; start using Cortal icons -->
 <link id="css-portal-font" rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.12.0/css/all.min.css" />
 {% endif %}
diff --git a/taccsite_cms/templates/fullwidth.html b/taccsite_cms/templates/fullwidth.html
index d5bea87ae..9d9155095 100755
--- a/taccsite_cms/templates/fullwidth.html
+++ b/taccsite_cms/templates/fullwidth.html
@@ -3,20 +3,7 @@
 
 {% block title %}{% page_attribute "page_title" %}{% endblock title %}
 
-{% block assets_custom %}
-{{ block.super }}
-
-<script>
-  console.info('Core `fullwidth.html` loads no custom assets');
-</script>
-{% endblock assets_custom %}
-
+{# To remove container and breadcrumbs #}
 {% block content %}
 {% placeholder "content" %}
 {% endblock content %}
-
-{% block assets_custom_delayed %}
-<script>
-  console.info('Core `fullwidth.html` loads no (delayed) custom assets');
-</script>
-{% endblock assets_custom_delayed %}
diff --git a/taccsite_cms/templates/header.html b/taccsite_cms/templates/header.html
index d02a41c53..62eed4674 100644
--- a/taccsite_cms/templates/header.html
+++ b/taccsite_cms/templates/header.html
@@ -6,7 +6,7 @@
 {% include "header_branding.html" %}
 
 <!-- Navigation Bar -->
-<nav id="s-header" class="s-header  navbar {% if settings.PORTAL %}navbar-expand-xl{% else %}navbar-expand-lg{% endif %} navbar-dark">
+<nav id="s-header" class="s-header  navbar {% if settings.INCLUDES_CORE_PORTAL %}navbar-expand-xl{% else %}navbar-expand-lg{% endif %} navbar-dark">
   <!-- Portal Logo -->
   {% include "header_logo.html" %}
 
@@ -18,7 +18,7 @@
   <!-- Navbar Links -->
   <div class="collapse navbar-collapse" id="navbarsExpandTarget">
     {# GL-6: Remove need for different `className` values #}
-    {% if settings.PORTAL %}
+    {% if settings.INCLUDES_CORE_PORTAL %}
       {# FAQ: If template were included with `only`, then it would NOT render `show_menu` #}
       {% include "nav_cms.html" with className="navbar-nav" %}
 
diff --git a/taccsite_cms/urls.py b/taccsite_cms/urls.py
index ea9000848..85f9a4092 100755
--- a/taccsite_cms/urls.py
+++ b/taccsite_cms/urls.py
@@ -6,13 +6,14 @@
 from django.conf.urls.static import static
 from django.conf.urls import include, url
 from django.contrib import admin
+from django.contrib.auth import views
 from django.contrib.sitemaps.views import sitemap
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
 from django.views.static import serve
+from taccsite_cms import remote_cms_auth as remote_cms_auth
 
 from django.http import request
 from django.views.generic.base import RedirectView
-
 admin.autodiscover()
 
 urlpatterns = [
@@ -20,9 +21,10 @@
         {'sitemaps': {'cmspages': CMSSitemap}}),
 
     url(r'^admin/', admin.site.urls),  # NOQA
+    url(r'^cms/logout/', views.LogoutView.as_view(), name='logout'),
 ]
 
-if settings.PORTAL:
+if getattr(settings, 'INCLUDES_CORE_PORTAL', True):
     from django.views.generic.base import TemplateView
     urlpatterns += [
         # FAQ: Allow direct access to markup for Portal and User Guide to render
@@ -30,18 +32,11 @@
         url(r'^cms/nav/pages/markup/$', TemplateView.as_view(template_name='nav_cms.raw.html'), name='menu_pages_markup'),
         url(r'^cms/header/branding/markup/$', TemplateView.as_view(template_name='header_branding.html'), name='header_branding_markup'),
         url(r'^cms/header/logo/markup/$', TemplateView.as_view(template_name='header_logo.html'), name='header_logo_markup'),
-    ]
-
-if settings.FEATURES['blog']:
-    urlpatterns += [
-        # Support `taggit_autosuggest` (from `djangocms-blog`)
-        url(r'^taggit_autosuggest/', include('taggit_autosuggest.urls')),
+        url(r'^remote/login/$', remote_cms_auth.verify_and_auth, name='verify_and_auth'),
     ]
 
 urlpatterns += [
     url(r'^', include('cms.urls')),
-    # url(r'^$', RedirectView.as_view(url=request.build_absolute_uri('/')), name='home')
-    # url(r'^', include('djangocms_forms.urls')), # FP-416: Pending full support
 ]
 
 # This is only needed when using runserver.
diff --git a/taccsite_custom b/taccsite_custom
index a99509b9d..f52e86529 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit a99509b9d05e49ff012130d0385db50e39c5398f
+Subproject commit f52e86529e319b4207a2c34289059170fc14b517

From cc7996b6c41b7dfe6f6a8a7e3cb982358c6af01f Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 13:42:00 -0500
Subject: [PATCH 23/31] Quick: .gitignore: support settings w/ suffixes

- move settings_... to proper location
- support settings with prefixes and/or suffixes
---
 .gitignore | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index f477e717f..93144a883 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,8 @@ repo_name.var
 # Secrets and Customizations
 taccsite_cms/secrets.py
 *.custom.yml
+*settings_custom*.py
+*settings_local*.py
 
 # Makefile var
 cms_name.var
@@ -107,6 +109,3 @@ publish
 # build script local files
 web/build/buildinfo.properties
 web/build/config/buildinfo.properties
-
-*settings_custom.py
-*settings_local.py

From c71a9b0bbb050a9d8944e0ed94bebc975ebd7b47 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 15:51:31 -0500
Subject: [PATCH 24/31] GH-191: Fix merge conflict mistake

---
 .gitignore | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index edfee6d18..e59994e06 100644
--- a/.gitignore
+++ b/.gitignore
@@ -110,6 +110,3 @@ publish
 # build script local files
 web/build/buildinfo.properties
 web/build/config/buildinfo.properties
-
-*settings_custom.py
-*settings_local.py

From 16f20928417234e3efa97087c701ceccdf4b70e7 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 15:53:42 -0500
Subject: [PATCH 25/31] GH-191: Submod: ProTX: Set 'has-dark-logo' theme

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index f52e86529..6f98582e8 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit f52e86529e319b4207a2c34289059170fc14b517
+Subproject commit 6f98582e859739b8622579b3f444fc74b1f2d3d0

From 55d242dd77283f8a62dd2052114a0573f44db8a2 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 15:55:19 -0500
Subject: [PATCH 26/31] GH-191: Clean up (and remove extra changes)

---
 .env.sample                                        |  9 ---------
 Dockerfile                                         |  2 +-
 README.md                                          |  2 +-
 package.json                                       |  4 ++--
 taccsite_cms/settings_to_json.py                   |  2 +-
 .../site_cms/css/src/_imports/trumps/s-header.css  |  2 +-
 .../static/site_cms/css/src/_themes/TODO.md        |  2 +-
 .../static/site_cms/css/src/site.header.css        |  6 ++----
 taccsite_cms/templates/assets_site.html            | 14 --------------
 9 files changed, 9 insertions(+), 34 deletions(-)
 delete mode 100644 .env.sample

diff --git a/.env.sample b/.env.sample
deleted file mode 100644
index a3f7a5bb4..000000000
--- a/.env.sample
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Required
-#
-
-# From which directory to pull project-specific resources
-# Examples:
-CUSTOM_ASSET_DIR=core-cms
-CUSTOM_ASSET_DIR=frontera-cms
-CUSTOM_ASSET_DIR=protx-cms
diff --git a/Dockerfile b/Dockerfile
index 13bc3f8db..2cbe9c057 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,4 +25,4 @@ WORKDIR /code
 RUN pip3 install --no-cache-dir -r requirements.txt
 
 # build assets
-RUN npm ci && npm run settings && npm run build
+RUN npm ci && npm run build
diff --git a/README.md b/README.md
index 899bcc0ca..79fbbae25 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ The TACC CORE-CMS can be run using Docker and Docker Compose, both locally and i
     CUSTOM_ASSET_DIR=example-cms
     ```
 
-    \* Where `example-cms` is the project to be run. _See [(Optional) Custom Resources per CMS Project](#optional-custom-resources-per-cms-project). Refer to `.env.sample` for other settings._
+    \* Where `example-cms` is the project to be run. _See [(Optional) Custom Resources per CMS Project](#optional-custom-resources-per-cms-project).
 1. Initialize / Update submodules.
     1. `git submodule init`\
         _(Adds `cms-site-resources` repo as submodule at `taccsite_custom/`. Only necessary once per `CORE-cms` repo clone.)_
diff --git a/package.json b/package.json
index daea71539..d3d02dac4 100644
--- a/package.json
+++ b/package.json
@@ -4,10 +4,10 @@
     "license": "MIT",
     "description": "The core CMS codebase for all new and updated TACC CMS sites.",
     "scripts": {
+        "prebuild": "python3 taccsite_cms/settings_to_json.py",
         "build": "npm run build:css",
         "build:css": "node postcss.js",
-        "watch": "npm-watch",
-        "settings": "python3 taccsite_cms/settings_to_json.py"
+        "watch": "npm-watch"
     },
     "// scripts": {
         "prebuild": "Export Django settings to JSON (for Node to use)",
diff --git a/taccsite_cms/settings_to_json.py b/taccsite_cms/settings_to_json.py
index 19935ebd9..b99776e76 100644
--- a/taccsite_cms/settings_to_json.py
+++ b/taccsite_cms/settings_to_json.py
@@ -14,7 +14,7 @@
 # Create JSON
 setting_names = ["THEME"]
 settings_export = {}
-# FAQ: The print() statements in settings.py would corrupt the JSON
+# FAQ: Any print() statements in settings.py would corrupt the JSON
 with suppress_stdout():
     for setting_name in setting_names:
         settings_export[setting_name] = getattr(settings, setting_name)
diff --git a/taccsite_cms/static/site_cms/css/src/_imports/trumps/s-header.css b/taccsite_cms/static/site_cms/css/src/_imports/trumps/s-header.css
index df7ef6aab..704e25429 100644
--- a/taccsite_cms/static/site_cms/css/src/_imports/trumps/s-header.css
+++ b/taccsite_cms/static/site_cms/css/src/_imports/trumps/s-header.css
@@ -33,7 +33,7 @@ Styleguide Trumps.Scopes.Header
   -webkit-font-smoothing: antialiased;
   -moz-osx-font-smoothing: grayscale;
 
-  /* To have border not show, ensure value equals that of `--bkgd-color` */
+  /* To hide border, set this in theme to match `--header-bkgd-color` value */
   border-bottom: 1px solid env(--header-major-border-color);
 }
 
diff --git a/taccsite_cms/static/site_cms/css/src/_themes/TODO.md b/taccsite_cms/static/site_cms/css/src/_themes/TODO.md
index 59610f835..999cbd85f 100644
--- a/taccsite_cms/static/site_cms/css/src/_themes/TODO.md
+++ b/taccsite_cms/static/site_cms/css/src/_themes/TODO.md
@@ -1,4 +1,4 @@
 # TACC CMS - Stylesheets - Themes
 
 - Migrate `/taccsite_cms/site_shared/css/src/_imports/settings/*` to theme data.
-- Support one theme extending another theme (the default or another).
+- Support one theme extending another theme (default theme or another theme).
diff --git a/taccsite_cms/static/site_cms/css/src/site.header.css b/taccsite_cms/static/site_cms/css/src/site.header.css
index 081db9b71..83cb15fe3 100644
--- a/taccsite_cms/static/site_cms/css/src/site.header.css
+++ b/taccsite_cms/static/site_cms/css/src/site.header.css
@@ -7,10 +7,8 @@
 
 /* SETTINGS */
 
-/* CAVEAT: This is already imported in `site.css`, but necessary here to
-           override Portal (which also loads `site.header.css`), so font
-           variables are unfortunately overwritten 1x in CMS, 2x in Portal */
-/* TODO: Find a way to be modular, but not redundant; perhaps `env()` vars */
+/* NOTE: These are already imported in `site.css` */
+/* TODO: Find a way to be modular, but not redundant */
 @import url("_imports/settings/font.css");
 
 /* TRUMPS */
diff --git a/taccsite_cms/templates/assets_site.html b/taccsite_cms/templates/assets_site.html
index 820e5ee24..617310b34 100644
--- a/taccsite_cms/templates/assets_site.html
+++ b/taccsite_cms/templates/assets_site.html
@@ -24,17 +24,3 @@
 
 <!-- Site Assets: Scripts. -->
 <script src="{% static 'site_cms/js/site.js' %}"></script>
-
-
-
-{# Portal & Docs #}
-{# FAQ: Websites that load CMS header should load these assets in this order #}
-{% comment %}
-  {# To load externally-hosted font which is in the font stack of CMS styles #}
-  {# FAQ: CMS does ALSO load but does so in `assets_font.html` instead #}
-  <link id="css-site-font" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,500,700&display=swap" />
-
-  {# To load CSS that styles the header #}
-  {# FAQ: CMS does ALSO load so it styles header using identical complex code #}
-  <link id="css-site-header" rel="stylesheet" href="{% 'site_cms/css/build/site.header.css' %}" />
-{% endcomment %}

From 3157107c7786cf781919bbf3227b06b2511c2136 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 15:56:40 -0500
Subject: [PATCH 27/31] Noop: Improve comments about font load

---
 .../static/site_cms/css/src/site.header.css        |  6 ++++--
 taccsite_cms/templates/assets_site.html            | 14 ++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/taccsite_cms/static/site_cms/css/src/site.header.css b/taccsite_cms/static/site_cms/css/src/site.header.css
index a04815a29..dfb3a073b 100644
--- a/taccsite_cms/static/site_cms/css/src/site.header.css
+++ b/taccsite_cms/static/site_cms/css/src/site.header.css
@@ -7,8 +7,10 @@
 
 /* SETTINGS */
 
-/* NOTE: These are already imported in `site.css` */
-/* TODO: Find a way to be modular, but not redundant */
+/* CAVEAT: This is already imported in `site.css`, but necessary here to
+           override Portal (which also loads `site.header.css`), so font
+           variables are unfortunately overwritten 1x in CMS, 2x in Portal */
+/* TODO: Find a way to be modular, but not redundant; perhaps `env()` vars */
 @import url("_imports/settings/font.css");
 /* NOTE: Portal does not need this, because it has independent copy of these,
          but the User Guides do not. This can be removed in Core-CMS PR #192 */
diff --git a/taccsite_cms/templates/assets_site.html b/taccsite_cms/templates/assets_site.html
index 617310b34..820e5ee24 100644
--- a/taccsite_cms/templates/assets_site.html
+++ b/taccsite_cms/templates/assets_site.html
@@ -24,3 +24,17 @@
 
 <!-- Site Assets: Scripts. -->
 <script src="{% static 'site_cms/js/site.js' %}"></script>
+
+
+
+{# Portal & Docs #}
+{# FAQ: Websites that load CMS header should load these assets in this order #}
+{% comment %}
+  {# To load externally-hosted font which is in the font stack of CMS styles #}
+  {# FAQ: CMS does ALSO load but does so in `assets_font.html` instead #}
+  <link id="css-site-font" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,500,700&display=swap" />
+
+  {# To load CSS that styles the header #}
+  {# FAQ: CMS does ALSO load so it styles header using identical complex code #}
+  <link id="css-site-header" rel="stylesheet" href="{% 'site_cms/css/build/site.header.css' %}" />
+{% endcomment %}

From d9a4c445b6b40911877b10d233ed7fd875c9dbce Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 16:01:34 -0500
Subject: [PATCH 28/31] GH-191: Quick: Restore doc formatting typo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 79fbbae25..114e8d606 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ The TACC CORE-CMS can be run using Docker and Docker Compose, both locally and i
     CUSTOM_ASSET_DIR=example-cms
     ```
 
-    \* Where `example-cms` is the project to be run. _See [(Optional) Custom Resources per CMS Project](#optional-custom-resources-per-cms-project).
+    \* Where `example-cms` is the project to be run. _See [(Optional) Custom Resources per CMS Project](#optional-custom-resources-per-cms-project)._
 1. Initialize / Update submodules.
     1. `git submodule init`\
         _(Adds `cms-site-resources` repo as submodule at `taccsite_custom/`. Only necessary once per `CORE-cms` repo clone.)_

From 70a1ca312184b95ede10b48f1f6efd40edbf0bf6 Mon Sep 17 00:00:00 2001
From: Wesley Bomar <wbomar@tacc.utexas.edu>
Date: Tue, 21 Sep 2021 17:57:50 -0500
Subject: [PATCH 29/31] GH-191: Undo an out-of-scope change

---
 conf/css/.postcssrc.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/conf/css/.postcssrc.yml b/conf/css/.postcssrc.yml
index 4d6a13ade..39b75802a 100644
--- a/conf/css/.postcssrc.yml
+++ b/conf/css/.postcssrc.yml
@@ -13,6 +13,7 @@ plugins:
   postcss-preset-env:
     # SEE: https://github.com/csstools/postcss-preset-env#features
     stage: false
+    # SEE: https://github.com/csstools/postcss-preset-env/blob/master/src/lib/plugins-by-id.js#L35
     features:
       custom-media-queries: true
       media-query-ranges: true

From 18460961f5d4e50f056936928faf3b9bf49c279e Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Tue, 21 Sep 2021 19:26:58 -0500
Subject: [PATCH 30/31] Pinning CMS to main and testing protx build off all
 main branches.

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index 6f98582e8..f52e86529 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit 6f98582e859739b8622579b3f444fc74b1f2d3d0
+Subproject commit f52e86529e319b4207a2c34289059170fc14b517

From 6ec262d54fbae01d5fcb7bf218dd4497165c8f1f Mon Sep 17 00:00:00 2001
From: John Gentle <taoteg@gmail.com>
Date: Wed, 22 Sep 2021 16:37:06 -0500
Subject: [PATCH 31/31] Pinning taccsite_custom to include latest CMS commit
 with utrc logo.

---
 taccsite_custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taccsite_custom b/taccsite_custom
index f52e86529..5a11324dd 160000
--- a/taccsite_custom
+++ b/taccsite_custom
@@ -1 +1 @@
-Subproject commit f52e86529e319b4207a2c34289059170fc14b517
+Subproject commit 5a11324dda0b068daa9ef5102d6ccc8ff821b9d9