* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* fix: fix quality failure
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
This adds two new urls: `<studio-base>/cms-api/ui` and `<studio-base>/cms-api/schema` with swagger ui and swaggerfile only for the new CMS API using drf-spectacular
It's needed by `make common_constraints.txt`. We're starting to see
failures running this command in lms-shell in devstack. This has probably
been going on the entire time, but the error suppression was only removed
recently in <https://github.com/openedx/edx-platform/pull/33271>.
The new RUN instruction for installing wget is added to the development
layer only, partly to limit image sizes and partly to make life harder for
any attacker who manages to gain code execution in production.
I've moved `USER app` from the end of the `base` layer to the start of the
`production` layer, since the only other layer (in this file) that builds
on `base` is `development`, which more or less immediately switches back
to root. (The intervening COPY instruction is not affected by the current
user.)
Ticket: https://github.com/openedx/edx-platform/issues/33287
This does two major things:
* Removes subsections from a student's course outline if the
subsection's units are all restricted to a cohort that the student
is not a part of (see CohortPartitionGroupsOutlineProcessor).
* Removes sections from the course outline if the user is not allowed
to see any of its child subsections.
This should probably be turned into an ADR at some point, but for
now I've just recreated the page on the public wiki. (The space it
was in had been deleted during the 2U/Axim split.)
Adds a GH workflow that will run `make compile-requirements` and create
a PR for it and overhauls the requirements README with info on how to
use the new workflows.
README changes:
- Group the workflow/makefile info under a new heading
- Switch to imperative for headings
- Move "Upgrade all dependencies" to end of list (uncommon for people to
actually need this command, I suspect)
- Add "Add a dependency"
- Preamble about .in and .txt files and Mac vs. Linux, as well as about forks
Also, some style fixes to upgrade-one-python-dependency GH workflow:
- Fix indentation in inputs block
- Remove "-workflow" from job name (probably copied from another workflow)
- Wrap a long line
Sometimes this make target doubles or even triples the comment. I think
this is due to a temporary failure in the wget call, which is then ignored
and an additional comment is added onto the top. If this happens multiple
times in a row, you get multiple additions.
Removing the `|| touch` should fix this, and surface any errors that are
happening.
The text plugin for requirejs is used to load text assets such as .underscore files.
To avoid CORS issues when loading such assets from a different domain, such as a when
a CDN is in use, this plugin loads such assets as .js files by adding a script tag.
What this means in practice is that if you configure the platform to serve static
assets from a CDN, it will try to load `file.underscore.js` instead of
`file.underscore`. We can override this behaviour by providing a `useXhr` function
for the text plugin configuration. The plugin will use this function to determine
whether to use XHR or the script tag approach.
In this change we are asking it to always use XHR since the concerns about CORS
raised by the plugins documentation don't apply here.
ref: 3f9d4c19b3/README.md (xhr-restrictions)
Uses the updated styles for the notification based on the new designs.
Includes a button to open view the files directly in the notification.
This also fix a bug where the notification was not appearing when paste
a whole Unit.
This fixes a bug in xblock serialization when trying to copy a
unit/component that contains an HTML xblock with the characters "]]>"
which is a special character in CDATA.
Remove use of Django's `CSRF_COOKIE_USED`, which is no longer leaked
outside of the dynamic scope of the Django csrf middleware as of Django
4.0. Specifically, https://github.com/django/django/pull/14688 replaced
that META entry and a request attribute with a single META entry
`CSRF_COOKIE_NEEDS_UPDATE`, which is then set back to False once the CSRF
cookie is set by the middleware's process_response.
We'll send the cross-domain cookie if the decorator requests it and the
value is present, regardless of whether the same-domain cookie would have
been sent. (And we'll still *set* `CSRF_COOKIE_NEEDS_UPDATE` to ensure that
a cookie gets generated.)
See https://github.com/openedx/edx-platform/issues/33207
Originally, we planned to add support for V2 libraries and for static
(hand-selected) library block reference via new block type: library_sourced.
We have since decided that it would be better to add those capabilities
in-place to the existing library_content block. This will ease V1->V2
library migration and make adoption of the new features easier for current
library users. It will also avoid duplication of logic between two block types,
we we fear would be error-prone. For details, see this ADR:
https://github.com/openedx/edx-platform/pull/33231
So, we are removing the library_sourced block.
This block has existed in edx-platform for a few years now, but was not
enabled by default and never officially supported. It was only usable via the
experimental V2 content library feature. Operators who added library_sourced
blocks to their course will now see them render as `HiddenBlock` instances, i.e.:
> ERROR: "library_sourced" is an unknown component type...
This should not impact other component types in such courses and should not
impact import/export.
* Update location in devstack-experimental to fix issue while re-indexing
* Updated the devstack.py to point to edx.devstack.elasticsearch710 host
* Enabed the ENABLE_COURSEWARE_INDEX and ENABLE_COURSEWARE_SEARCH
