fix: Prevent SafeSessions false alarm in course outline alt-masquerading
The course outline view has a way for a staff user to make a request as if they are another user, not just by using the masquerade mechanism but also by setting a request parameter. This can result in false positives in the safe-sessions middleware, and if `ENFORCE_SAFE_SESSIONS` is enabled the responses will be 401 errors. The fix here is to do the same thing that masquerading does in setting a `real_user` property on the new user object, which the safe-sessions middleware then undoes (restoring the request.user) before determining whether there's a mismatch. (Without this fix, enabling `ENFORCE_SAFE_SESSIONS` also causes some tests in `test_views.py` to fail.)
@@ -213,7 +213,12 @@ class CourseOutlineView(APIView):
target_username = request.GET.get("user")
if target_username is not None:
return self._get_target_user(request, course_key, has_staff_access, target_username)
target_user = self._get_target_user(request, course_key, has_staff_access, target_username)
# Just like in masquerading, set real_user so that the
# SafeSessions middleware can see that the user didn't
# change unexpectedly.
target_user.real_user = request.user
return target_user
_course_masquerade, user = setup_masquerade(request, course_key, has_staff_access)
return user
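Review bot: the new `real_user` assignment sits in the caller right after `target_user = self._get_target_user(request, course_key, has_staff_access, target_username)`, whereas the masquerade branch gets the same property from inside `setup_masquerade(...)`; setting it inside `_get_target_user` instead would keep any other caller of that helper from reproducing the SafeSessions mismatch the commit message describes. The hunk also adds no test asserting that `target_user.real_user is request.user` on the `?user=` path, and since the message says the existing `test_views.py` cases only fail when `ENFORCE_SAFE_SESSIONS` is on, a regression here would go unnoticed under the default test settings.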