Now that we always return an existing value from the DB rather than trusting that ID generation is deterministic and constant over time, we're free to change the generation algorithm.
Our long term goal is to switch to random IDs, but we need to first investigate the uses of save=False. In the meantime, this is a good opportunity to move away from MD5, which has a number of cryptographic weaknesses. None of the known vulnerabilities are considered exploitable in this location, given the limited ability to control the input to the hash, but we should generally be moving away from it everywhere for consistency.
This change should not be breaking even for save=False callers, since those calls are extremely rare (1 in 100,000) and should only occur after a save=True call, at which point they'll use the stored value. Even if this were not true, for a save=False/True pair of calls to result in a mismatch in output, the first of the calls would have to occur around the time of the deploy of this code.
Co-authored-by: Tim McCormack <tmccormack@edx.org>
Co-authored-by: Tim McCormack <tmccormack@edx.org>
These changes were initially made to make it easier to do SECRET_KEY rotations. Along the way, we found it made sense to refractor the code as well.
Changes made:
- changed get_to_create to create because now the code should only get to this block when a write is necessary
- added a lookup for anonymous_user_id. This is to return an existing anonymous_user_id rather than calculating. This will mitigate the results of SECRET_KEY rotation.
- Added monitoring to help us make better decisions: should we not sue SECRET_KEY, performance considerations...
- put old function behind toggle in case something goes wrong in production with new code
- refractoring function structure for better understanding
This PR lays the groundwork for a an LTI tab that can embed any LTI1.1-based
tool as an course tab. It also adds another tab based on this LTI Tab that
offers special support for embedding LTI-based discussion tools in a course
tab. If enabled this will replace the existing discussion tab.
There is certain gating logic around pre-reqs, timed exams, etc.
that happen at the SequenceModule level, and should be respected
when rendering descendant XBlocks (like individual problems) that
are in that Sequence. Rather than do a risky refactoring, I'm
keeping that logic where it is and having the render_xblock view
climb up through the ancestor list to call the SequenceModule for
that gating information.
We do _not_ check all descendants (so cousin leaf nodes in the
sequence) for cotent-type-based restrictions because sequences can
become very large (esp. when content libraries are used), and there
is a performance overhead.
If the enclosing sequence is gated in some way, we redirect to the
render_xblock view for that sequence, where hopefully some useful
messaging will be available. This is a stopgap. That redirect
should never happen because we should never be calling the leaf
XBlock for a sequence that is restricted in the MFE. But if somehow
we get there anyway, either by bug or by intrepid user fiddling,
it's better to redirect somewhere that an error _might_ be surfaced
rather than just failing.
This will actually be a little overzealous and lock things down
that should be made visible later. If there's a timed exam and the
exam is completed, it should be the case that content is visible
(just read-only). This commit will block the content before the exam
starts (this is right), open the content while the exam is live
(this is right), but make the content unavailable after the exam
period has finished (this is wrong).
But I am going to go forward with this even knowing it's wrong
because:
1. The render_xblock endpoint should never currently be used in
timed exams in an intentional way. Neither the mobile experience
nor the courseware MFE support it.
2. This fix will address security concerns for creative access
patterns, even if it goes too far.
3. We're going to need to do a lot of work to address both pluggable
access permissions handling and special exams in the courseware
MFE, and a better implementation can be done then.
4. I've had multiple failed attempts to get this to work without
breaking things on and off over the course of weeks, and this
is a relatively low risk way of doing it that doesn't involve
a major refactoring (though the bill for that will come due
when we bring timed exams to the MFE).
The honor enrollment mode is widely used in OpenEdx installations,
and recently it was not allowed for proctoring exam, but very anticipated.
Current PR makes it possible to start the proctoring exam in the honor enrollment
mode in case the provider is configured in that way.
Specifically, send data versions of course_expired_message and
offer_html.
The rendered HTML is still being sent for now, until the learning
MFE is updated to consume the data objects.
The toggle was previously an ExperimentWaffleFlag,
which allows stable A/B testing but increases the toggle's
complexity. Since we do not plan an doing any more A/B
tests as part of the MFE rollout, we can 'downgrade' this
toggle to a CourseWaffleFlag, which still allows us to do
phased rollout and course-run-specific overrides.
This is required because edx-platform uses the waffle API from
completion, which itself depends on edx-toggles. So if we change
edx-toggles import paths, we also need to upgrade our usage of
completion here.
By explicitly importing the legacy namespace classes, we make it clear
that we are using soon-to-be-deprecated classes. We will then be able to
start removing the legacy classes, one module at a time.
* MST-542 remove the IDV redirect to Account MFE waffle flag to permanently redirect learners to new IDV workflow. This completes the rollout process on edx-platform
* Generate common/djangoapps import shims for LMS
* Generate common/djangoapps import shims for Studio
* Stop appending project root to sys.path
* Stop appending common/djangoapps to sys.path
* Import from common.djangoapps.course_action_state instead of course_action_state
* Import from common.djangoapps.course_modes instead of course_modes
* Import from common.djangoapps.database_fixups instead of database_fixups
* Import from common.djangoapps.edxmako instead of edxmako
* Import from common.djangoapps.entitlements instead of entitlements
* Import from common.djangoapps.pipline_mako instead of pipeline_mako
* Import from common.djangoapps.static_replace instead of static_replace
* Import from common.djangoapps.student instead of student
* Import from common.djangoapps.terrain instead of terrain
* Import from common.djangoapps.third_party_auth instead of third_party_auth
* Import from common.djangoapps.track instead of track
* Import from common.djangoapps.util instead of util
* Import from common.djangoapps.xblock_django instead of xblock_django
* Add empty common/djangoapps/__init__.py to fix pytest collection
* Fix pylint formatting violations
* Exclude import_shims/ directory tree from linting
* Use full LMS imports paths in LMS settings and urls modules
* Use full LMS import paths in Studio settings and urls modules
* Import from lms.djangoapps.badges instead of badges
* Import from lms.djangoapps.branding instead of branding
* Import from lms.djangoapps.bulk_email instead of bulk_email
* Import from lms.djangoapps.bulk_enroll instead of bulk_enroll
* Import from lms.djangoapps.ccx instead of ccx
* Import from lms.djangoapps.course_api instead of course_api
* Import from lms.djangoapps.course_blocks instead of course_blocks
* Import from lms.djangoapps.course_wiki instead of course_wiki
* Import from lms.djangoapps.courseware instead of courseware
* Import from lms.djangoapps.dashboard instead of dashboard
* Import from lms.djangoapps.discussion import discussion
* Import from lms.djangoapps.email_marketing instead of email_marketing
* Import from lms.djangoapps.experiments instead of experiments
* Import from lms.djangoapps.gating instead of gating
* Import from lms.djangoapps.grades instead of grades
* Import from lms.djangoapps.instructor_analytics instead of instructor_analytics
* Import form lms.djangoapps.lms_xblock instead of lms_xblock
* Import from lms.djangoapps.lti_provider instead of lti_provider
* Import from lms.djangoapps.mobile_api instead of mobile_api
* Import from lms.djangoapps.rss_proxy instead of rss_proxy
* Import from lms.djangoapps.static_template_view instead of static_template_view
* Import from lms.djangoapps.survey instead of survey
* Import from lms.djangoapps.verify_student instead of verify_student
* Stop suppressing EdxPlatformDeprecatedImportWarnings
This is part of a removal of the many override methods of toggle
flag/namespace classes. This allows us to remove imports of test modules
from production code.
This uses the new names introduced in edx-django-utils
3.8.0 (edx/edx-django-utils#59), which we're already using, as
well as updating a few other locations where we incorrectly refer
to New Relic custom metrics instead of custom attributes.
Includes a couple of unrelated lint fixes in a file I modified.
This also starts taking priority into account for all tabs, and
not just dynamic tabs via the CourseTabPluginManager (see comments
in the code for more detail)
This also has an initial use case for Personalized Learner Schedules
to add CTAs to capa and vertical blocks to allow users to shift their
course deadlines.
