
Kshitij/cherrypick/bb 7051/redirect to courseware #31757

Closed
xitij2000 wants to merge 72 commits into openedx:master from open-craft:kshitij/cherrypick/bb-7051/redirect-to-courseware

@xitij2000
Contributor

Cherry-pick of #31715

nedbat and others added 30 commits April 12, 2022 14:02
Previously, our rate-limiting code trusted the entire `X-Forwarded-For`
header, allowing a malicious client to spoof that header and evade
rate-limiting. This commit introduces a new module and setting
allowing us to make a more conservative choice of IPs.

- Create new `openedx.core.djangoapps.util.ip` module for producing
  the IP "external chain" for requests based on the XFF header and the
  REMOTE_ADDR.
- Include a function that gives the safest choice of IPs.
- Add new setting `CLOSEST_CLIENT_IP_FROM_HEADERS` for configuring how
  the external chain is derived (i.e. setting the trust
  boundary). Currently has a default, but we may want to make it
  mandatory in the future.
- Change `django-ratelimit` code to use the proximate IP in the external
  chain -- the one just outside the trust boundary.

Also:

- Change `XForwardedForMiddleware` to use more conservative choice for
  its `REMOTE_ADDR` override
- Other adjustments to `XForwardedForMiddleware` as needed in order to
  initialize new module and support code that needs the real
  `REMOTE_ADDR` value
- Metrics for observability into the change (and XFF composition)
- Feature switch to restore legacy mode if needed

This also gives us a path forward to removing use of the django-ipware
package, which is no longer maintained and has a handful of bugs that make it
difficult to use safely.

Internal ticket: ARCHBOM-2056

Backported from a251d18
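
The trust-boundary selection described in the commit message above, as an added example that is not code from edx-platform or its `openedx.core.djangoapps.util.ip` module. The function names and the `trusted_proxy_count` parameter are hypothetical stand-ins for whatever `CLOSEST_CLIENT_IP_FROM_HEADERS` configures, and the addresses are constructed sample values.

```python
import ipaddress


def ip_chain(xff_header, remote_addr):
    """All hops, farthest first: XFF entries followed by REMOTE_ADDR."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    return hops + [remote_addr]


def external_chain(xff_header, remote_addr, trusted_proxy_count):
    """Drop the rightmost hops that our own proxies account for."""
    chain = ip_chain(xff_header, remote_addr)
    cut = max(0, len(chain) - trusted_proxy_count)
    # A chain shorter than expected means the request skipped a proxy:
    # trust nothing from the header and use the TCP peer only.
    return chain[:cut] or [remote_addr]


def proximate_ip(xff_header, remote_addr, trusted_proxy_count):
    """The IP just outside the trust boundary, used as the rate-limit key."""
    candidate = external_chain(xff_header, remote_addr, trusted_proxy_count)[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr  # malformed entry: fall back to the TCP peer


def leftmost_ip(xff_header, remote_addr):
    """Key chosen when the whole header is trusted (client-controlled)."""
    return ip_chain(xff_header, remote_addr)[0]


# Constructed sample: one client (203.0.113.7) behind two of our proxies,
# sending a different spoofed leading XFF entry on each request.
SAMPLE_REQUESTS = [
    ("198.51.100.1, 203.0.113.7, 10.0.0.5", "10.0.0.9"),
    ("198.51.100.2, 203.0.113.7, 10.0.0.5", "10.0.0.9"),
]


def rate_limit_keys(requests, trusted_proxy_count=2):
    """Return (keys when trusting the header, keys at the trust boundary)."""
    spoofable = {leftmost_ip(xff, peer) for xff, peer in requests}
    safe = {proximate_ip(xff, peer, trusted_proxy_count) for xff, peer in requests}
    return spoofable, safe


if __name__ == "__main__":
    print(rate_limit_keys(SAMPLE_REQUESTS))
```

Trusting the leftmost entry yields a new rate-limit bucket for every spoofed value, while counting back from `REMOTE_ADDR` by the number of trusted proxies maps both requests to the same client address.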
…t) (openedx#30273) (openedx#30296)

Coursegraph was moved from openedx to cms in commit 92552e5/PR openedx#29156;
module init file was reintroduced in commit 80f9f1d/PR openedx#30197, I think
by accident.

Cherry-picked from 8bcec1a
The logic here seems to work, but Django 4.0 won't install over our
other pinned requirements, so tests fail for Django 4.0.

(cherry picked from commit e7caec5)
[BD-14] Install the blockstore app into edx-platform, behind a waffle switch

(cherry picked from commit d2e82b7)
This should be automatically added by blockstore, but wasn't.
The target URL on the logout page is marked as safe while rendering,
making the page vulnerable to a Cross-site scripting vulnerability.

Rendered the target variable outside safe HTML so that it should be
treated as text.

VAN-972
…til_version

fix: python-dateutil version issue
Backport filters that didn't make it to nutmeg release:

* Add filter before certificate creation starts

- Add filters interactions with code that used generate_certificate_task
- Add unit-testing for filters
- Upgrade to latest library update

(cherry picked from commit e8fa890)

* Add cohort change filter before moving users from cohorts

(cherry picked from commit 465e5c0)

* Add filter before certificate rendering process starts

(cherry picked from commit 7f974d1)

* Add filter before course dashboard rendering process starts

- Add dashboard filter to dashboard student's view
- Add tests/docs for filter's integration

(cherry picked from commit 895a649)

* Add filter before course about rendering process starts

(cherry picked from commit ccfa0b4)

* Integrate cohort assignment filter definition to cohort model

(cherry picked from commit ec69659)
The Transifex config file syntax was modified due to a recent change of the
Transifex API. As a consequence, the .tx/config file is invalid in the nutmeg
branch and translations cannot be pushed to transifex.
…on newer versions


## Description

This PR updates the problem with hint template so it works with Python3+. It simply adds parentheses to a print statement that was causing an error while rendering this kind of problem.

## Supporting information

- This bug was reported on [this](openedx/wg-build-test-release#159 (comment)) BTR issue.
- [Master PR](openedx#30585)

## Testing instructions

(tested on tutor Nutmeg version)
1. Install the codejail plugin following [these](https://github.com/eduNEXT/tutor-contrib-codejail) instructions
2. Create a problem with hint unit, it shouldn't throw any errors (like the one reported)

## Deadline

None
* build: modify unit tests to run on gh hosted for nutmeg
…nedx#30681)

The username was allowed in the login endpoint alongside the email address
but rate-limiting logic was not updated to rate limit on the new POST
param `email_or_username`.

VAN-1003
Agrendalath and others added 23 commits October 5, 2022 18:39
This fixes the issue of django messages being read before
redirecting to dashboard page, due to enterprise api being
called even if the feature is disabled.

(cherry picked from commit df489bd)
…to md5

The hashing algorithm has been changed in cd60646. However, there are Open edX
operators who maintain backward compatibility of anonymous user IDs after past
rotations of their Django secret key. For them, altering the hashing algorithm
was a breaking change that made their analytics inconsistent.

(cherry picked from commit 746e4fe)
This setting allows loading of Resource Templates from outside the
edx-platform codebase.

Operators will be able to add their own custom resource templates
without needing to fork the codebase.

(cherry picked from commit ed81774)
…drift-to-nutmeg

[BB-6692] Prepare `opencraft-release/nutmeg.2` branch for edx-platform
Co-authored-by: Arunmozhi <arunmozhi@opencraft.com>

(cherry picked from commit 51b5e62)
Legacy UI: Previous button should use prev_url if it is in the first
position. In studio UI, it should always use prev_url. To make this
possible we check the length of contents, which is always zero for studio
and more than 0 for legacy UI.

(cherry picked from commit cd5544d)
Note - This commit is only required for nutmeg upgrade.
Dates tab is set to be completely removed in Olive so
this can be dropped then.
(cherry picked from commit 24fc9d4)
(cherry picked from commit eea5779)
(cherry picked from commit d0373ca)
During the upgrade to TinyMCE v5 we changed the content format to `text`.
However, it ignores changes in HTML tags. This reverts the format to `raw`.

(cherry picked from commit 5266a03)
The TinyMCE configuration can be overridden by adding a
`TINYMCE_CONFIG_OVERRIDES` dict to the `JS_ENV_EXTRA_CONFIG`.

(cherry picked from commit 54507c1)
BREAKING CHANGE: disallowed HTML tags (e.g. <script>) will no longer be
rendered in LMS and Studio.
fix: Fix retiring user auth models on disable event (Nutmeg backport)
This feature was implemented in b01544d to replace the session's language
in the request. 44ddbdf moved the process from the request to the response,
which made this feature unusable (because the request was already processed).
44ddbdf also made this feature set the language cookie. However, it is
overwritten by user preferences.
To fix this, we could overwrite the cookie of the response after it's set from
user preferences. However, it is not an ideal solution because when users
switch between Sites with different languages, the first response will use the
language of the previous page. Therefore, this ignores user preferences and
alters the cookie of a request instead.
This test stopped throwing the `TransactionManagementError` once we added the
`site_configuration.get_value()` call to the language preferences middleware.
…language_nutmeg

fix: use language specified in SiteConfiguration [BB-6930]
…517)

This commit adds an openedx-filters hook to the VerticalBlock XBlock
before rendering of its children. This allows Open edX plugins to
customize the presentation of specific blocks based on the context.

Co-authored-by: Arunmozhi <arunmozhi@opencraft.com>
This change adds a new waffle switch to redirect a student to courseware after
enrolment instead of the dashboard.
@xitij2000 xitij2000 requested a review from a team as a code owner February 14, 2023 08:43
@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Feb 14, 2023
@openedx-webhooks

Thanks for the pull request, @xitij2000! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

  • supporting documentation
  • Open edX discussion forum threads
  • timeline information ("this must be merged by XX date", and why that is)
  • partner information ("this is a course on edx.org")
  • any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

@xitij2000 xitij2000 closed this Feb 14, 2023
@openedx-webhooks

@xitij2000 Even though your pull request wasn’t merged, please take a moment to answer a two question survey so we can improve your experience in the future.

@xitij2000 xitij2000 deleted the kshitij/cherrypick/bb-7051/redirect-to-courseware branch February 14, 2023 08:43
@xitij2000 xitij2000 restored the kshitij/cherrypick/bb-7051/redirect-to-courseware branch February 14, 2023 08:43