Kshitij/cherrypick/bb 7051/redirect to courseware#31757
Closed
xitij2000 wants to merge 72 commits into openedx:master from
Conversation
Previously, our rate-limiting code trusted the entire `X-Forwarded-For` header, allowing a malicious client to spoof that header and evade rate-limiting. This commit introduces a new module and setting allowing us to make a more conservative choice of IPs.

- Create new `openedx.core.djangoapps.util.ip` module for producing the IP "external chain" for requests based on the XFF header and the REMOTE_ADDR.
- Include a function that gives the safest choice of IPs.
- Add new setting `CLOSEST_CLIENT_IP_FROM_HEADERS` for configuring how the external chain is derived (i.e. setting the trust boundary). Currently has a default, but we may want to make it mandatory in the future.
- Change `django-ratelimit` code to use the proximate IP in the external chain -- the one just outside the trust boundary.

Also:

- Change `XForwardedForMiddleware` to use more conservative choice for its `REMOTE_ADDR` override
- Other adjustments to `XForwardedForMiddleware` as needed in order to initialize new module and support code that needs the real `REMOTE_ADDR` value
- Metrics for observability into the change (and XFF composition)
- Feature switch to restore legacy mode if needed

This also gives us a path forward to removing use of the django-ipware package, which is no longer maintained and has a handful of bugs that make it difficult to use safely.

Internal ticket: ARCHBOM-2056

Backported from a251d18
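The selection rule the commit message describes, as an added example that is not the PR's or edx-platform's own code. It assumes a simplified trust setting, `TRUSTED_PROXY_COUNT` (the number of operator-controlled proxies in front of the app), standing in for the PR's `CLOSEST_CLIENT_IP_FROM_HEADERS`; the function names, the sample request and the fallback to `REMOTE_ADDR` on a malformed chain are this example's own choices, not the project's.

```python
import ipaddress

# Assumed, simplified trust boundary: how many proxies we control sit between
# the public internet and this application. The PR's real setting
# (CLOSEST_CLIENT_IP_FROM_HEADERS) is configured differently; this example
# shows the selection idea, not that setting's implementation.
TRUSTED_PROXY_COUNT = 1


def parse_xff(header_value):
    """Split an X-Forwarded-For value into its comma-separated entries.

    Order is preserved: the leftmost entry is whatever the client claimed;
    each proxy appends the peer address it saw to the right of it.
    """
    if not header_value:
        return []
    return [part.strip() for part in header_value.split(",") if part.strip()]


def external_chain(remote_addr, xff_header):
    """The full IP chain for a request: XFF entries, then REMOTE_ADDR.

    REMOTE_ADDR is the TCP peer, the only address the application observed
    itself, so it is always the rightmost element.
    """
    return parse_xff(xff_header) + [remote_addr]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def legacy_client_ip(remote_addr, xff_header):
    """The behaviour the commit message calls broken: trust the leftmost XFF
    entry, which the client picks and can forge at no cost."""
    return external_chain(remote_addr, xff_header)[0]


def proximate_client_ip(remote_addr, xff_header, trusted_proxy_count=TRUSTED_PROXY_COUNT):
    """Return the address just outside the trust boundary.

    With N trusted proxies, the rightmost N+1 chain entries were written by
    infrastructure we control (N XFF entries appended by our proxies, plus
    REMOTE_ADDR). The entry immediately to their left is the peer that
    connected to our outermost proxy: the closest address we can vouch for.
    Anything further left is unverified and may be spoofed.

    If the chain is too short (a proxy did not append as expected) or the
    selected entry is not a valid IP, fall back to REMOTE_ADDR rather than
    to any client-supplied value. That fallback is this example's choice.
    """
    chain = external_chain(remote_addr, xff_header)
    index = len(chain) - 1 - trusted_proxy_count
    if index < 0:
        return remote_addr
    candidate = chain[index]
    return candidate if _is_ip(candidate) else remote_addr


def ratelimit_key(remote_addr, xff_header, trusted_proxy_count=TRUSTED_PROXY_COUNT):
    """Key a per-IP rate limit on the proximate IP, so a client cannot get a
    fresh bucket just by changing a header it controls."""
    return "ip:" + proximate_client_ip(remote_addr, xff_header, trusted_proxy_count)


if __name__ == "__main__":
    # Constructed request: the client forged an XFF entry (1.1.1.1); the one
    # trusted load balancer at 10.0.0.2 appended the real peer address
    # 203.0.113.5 before handing the request to the application.
    remote_addr = "10.0.0.2"
    xff = "1.1.1.1, 203.0.113.5"
    print("chain     :", external_chain(remote_addr, xff))
    print("legacy    :", legacy_client_ip(remote_addr, xff))
    print("proximate :", proximate_client_ip(remote_addr, xff))
    print("limit key :", ratelimit_key(remote_addr, xff))
```

The count has to match the deployment exactly: setting it one too high hands the choice back to the client (the forged `1.1.1.1` above would be selected), setting it one too low rate-limits your own load balancer. A chain shorter than the count means a proxy did not append as configured, which is worth a metric rather than a silent guess.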
…t) (openedx#30273) (openedx#30296) Coursegraph was moved from openedx to cms in commit 92552e5/PR openedx#29156; module init file was reintroduced in commit 80f9f1d/PR openedx#30197, I think by accident. Cherry-picked from 8bcec1a
…sappear (cherry picked from commit 3333f78)
…p better (cherry picked from commit cff3650)
The logic here seems to work, but Django 4.0 won't install over our other pinned requirements, so tests fail for Django 4.0. (cherry picked from commit e7caec5)
[BD-14] Install the blockstore app into edx-platform, behind a waffle switch (cherry picked from commit d2e82b7)
This should be automatically added by blockstore, but wasn't.
…penedx#30478) This reverts commit 489ed46.
…enedx#30479) This reverts commit 4a3c6df.
This reverts commit 2943b5a.
The target URL on the logout page is marked as safe while rendering, making the page vulnerable to a cross-site scripting vulnerability. Rendered the target variable outside safe HTML so that it is treated as text. VAN-972
fix: share urls in course about page (openedx#30389)
…til_version fix: python-dateutil version issue
Backport filters that didn't make it to nutmeg release:
* Add filter before certificate creation starts
  - Add filters interactions with code that used generate_certificate_task
  - Add unit-testing for filters
  - Upgrade to latest library update
  (cherry picked from commit e8fa890)
* Add cohort change filter before moving users from cohorts (cherry picked from commit 465e5c0)
* Add filter before certificate rendering process starts (cherry picked from commit 7f974d1)
* Add filter before course dashboard rendering process starts
  - Add dashboard filter to dashboard student's view
  - Add tests/docs for filter's integration
  (cherry picked from commit 895a649)
* Add filter before course about rendering process starts (cherry picked from commit ccfa0b4)
* Integrate cohort assignment filter definition to cohort model (cherry picked from commit ec69659)
The Transifex config file syntax was modified due to a recent change of the Transifex API. As a consequence, the .tx/config file is invalid in the nutmeg branch and translations cannot be pushed to transifex.
…on newer versions
## Description
This PR updates the problem with hint template so it works with Python 3+. It simply adds parentheses to a print statement that was causing an error while rendering this kind of problem.
## Supporting information
- This bug was reported on [this](openedx/wg-build-test-release#159 (comment)) BTR issue.
- [Master PR](openedx#30585)
## Testing instructions
(tested on tutor Nutmeg version)
1. Install the codejail plugin following [these](https://github.com/eduNEXT/tutor-contrib-codejail) instructions
2. Create a problem with hint unit; it shouldn't throw any errors (like the one reported)
## Deadline
None
* build: modify unit tests to run on gh hosted for nutmeg
…nedx#30681) The username was allowed in the login endpoint alongside the email address, but the rate-limiting logic was not updated to rate limit on the new POST param `email_or_username`. VAN-1003
(cherry picked from commit 85d99bb)
This fixes the issue of django messages being read before redirecting to dashboard page, due to enterprise api being called even if the feature is disabled. (cherry picked from commit df489bd)
…to md5 The hashing algorithm has been changed in cd60646. However, there are Open edX operators who maintain backward compatibility of anonymous user IDs after past rotations of their Django secret key. For them, altering the hashing algorithm was a breaking change that made their analytics inconsistent. (cherry picked from commit 746e4fe)
This setting allows loading of Resource Templates from outside the edx-platform codebase. Operators will be able to add their own custom resource templates without needing to fork the codebase. (cherry picked from commit ed81774)
…drift-to-nutmeg [BB-6692] Prepare `opencraft-release/nutmeg.2` branch for edx-platform
Co-authored-by: Arunmozhi <arunmozhi@opencraft.com> (cherry picked from commit 51b5e62)
Legacy UI: the Previous button should use prev_url if it is in the first position. In the Studio UI, it should always use prev_url. To make this possible we check the length of contents, which is always zero for Studio and more than 0 for the legacy UI. (cherry picked from commit cd5544d)
Note - This commit is only required for nutmeg upgrade. Dates tab is set to be completely removed in Olive so this can be dropped then.
(cherry picked from commit 24fc9d4)
During the upgrade to TinyMCE v5 we changed the content format to `text`. However, it ignores changes in HTML tags. This reverts the format to `raw`. (cherry picked from commit 5266a03)
The TinyMCE configuration can be overridden by adding a `TINYMCE_CONFIG_OVERRIDES` dict to the `JS_ENV_EXTRA_CONFIG`. (cherry picked from commit 54507c1)
BREAKING CHANGE: disallowed HTML tags (e.g. <script>) will no longer be rendered in LMS and Studio.
fix: Fix retiring user auth models on disable event (Nutmeg backport)
This feature was implemented in b01544d to replace the session's language in the request. 44ddbdf moved the process from the request to the response, which made this feature unusable (because the request was already processed). 44ddbdf also made this feature set the language cookie. However, it is overwritten by user preferences. To fix this, we could overwrite the cookie of the response after it's set from user preferences. However, it is not an ideal solution because when users switch between Sites with different languages, the first response will use the language of the previous page. Therefore, this ignores user preferences and alters the cookie of a request instead.
This test stopped throwing the `TransactionManagementError` once we added the `site_configuration.get_value()` call to the language preferences middleware.
…language_nutmeg fix: use language specified in SiteConfiguration [BB-6930]
…517) This commit adds an openedx-filters hook to the VerticalBlock XBlock before rendering of its children. This allows Open edX plugins to customize the presentation of specific blocks based on the context. Co-authored-by: Arunmozhi <arunmozhi@opencraft.com>
This change adds a new waffle switch to redirect a student to courseware after enrolment instead of the dashboard.
Thanks for the pull request, @xitij2000! Please note that it may take us up to several weeks or months to complete a review and merge your PR. Feel free to add as much of the following information to the ticket as you can:
All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here. Please let us know once your PR is ready for our review and all tests are green.
@xitij2000 Even though your pull request wasn't merged, please take a moment to answer a two question survey so we can improve your experience in the future.
Cherry-pick of #31715