By default DRF sets 'DEFAULT_AUTHENTICATION_CLASSES' to:
```
[
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication'
]
```
We also want to allow for JWT Authentication as a valid default auth
choice. This will allow users to send JWT tokens in the authorization
header to any existing API endpoints and access them. If any APIs have
set custom authentication classes, this will not override that.
I believe this is a fairly safe change to make since it only adds one
authentication class and does not impact authorization of any of the
endpoints that might be affected.
Note: This change changes the default for both the LMS and CMS because
`cms/envs/common.py` imports this value from the LMS.
BREAKING CHANGE: For any affected endpoint that also required the user
to be authenticated, the endpoint will now return a 401 in place of a
403 when the user is not authenticated.
- See [these DRF docs](https://github.com/encode/django-rest-framework/blob/master/docs/api-guide/authentication.md#unauthorized-and-forbidden-responses) for a deeper explanation about why this changes.
- Here is [an example endpoint](b8ecfed67d/openedx/core/djangoapps/embargo/views.py (L20-L21)) that does not override defaults and checks for IsAuthenticated.
Generally speaking, this should not be a problem. An issue would
appear only if the caller of the endpoint is specifically handling 403s
in a way that would be missed for 401s.
* feat!: `sha1` has been deprecated in django32 and removed in django42.
* test: fix quality failure
* fixup! update custom attribute tests (#33436)
I was wondering about all the cases, so I
updated the test to reflect this. I also
made some other minor adjustments.
---------
Co-authored-by: Muhammad Soban Javed <iamsobanjaved@gmai.com>
Co-authored-by: Robert Raposa <rraposa@edx.org>
Co-authored-by: Muhammad Soban Javed <58461728+iamsobanjaved@users.noreply.github.com>
Removes expected part of EXPECTED_ERRORS with a variety of changes.
- In many places in the code, "expected" was used to mean
"ignored and expected", and all such instances are renamed to "ignored".
- The setting ``EXPECTED_ERRORS`` is renamed to ``IGNORED_ERRORS``,
which better matches how it was being used in the first place.
- The setting ``EXPECTED_ERRORS[REASON_EXPECTED]`` is renamed to ``IGNORED_ERRORS[REASON_IGNORED]``.
- The setting toggle ``EXPECTED_ERRORS[IS_IGNORED]`` is removed,
because it will now always be True.
- The how-to is renamed to how_tos/logging-and-monitoring-ignored-errors.rst.
See 0002-logging-and-monitoring-expected-errors-removed.rst for more details.
Implements DEPR: https://github.com/openedx/edx-platform/issues/32405
**BREAKING CHANGE:** The rename of the setting ``EXPECTED_ERRORS`` to
``IGNORED_ERRORS``, and ``REASON_EXPECTED`` to ``REASON_IGNORED``,
was implemented without backward compatibility. Simply copy the old settings
with the new name as an expand phase before deleting the old names in the
contract phase.
This was causing failures in devstack, since lms/envs/devstack.py did not
have an override like some of the other envs do. But devstack.py also
doesn't specify CSRF_TRUSTED_ORIGINS; better to just update the common
env to have a default.
(This setting is only needed during the transition to Django 4 and will be
removed after that.)
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* fix: fix quality failure
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* Update location in devstack-experimental to fix issue while re-indexing
* Updated the devstack.py to point to edx.devstack.elasticsearch710 host
* Enabled the ENABLE_COURSEWARE_INDEX and ENABLE_COURSEWARE_SEARCH
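The Django 4.0 requirement noted above, that every `CSRF_TRUSTED_ORIGINS` entry include a scheme, can be audited before an upgrade. The following is an added example, not code from edx-platform: `normalize_origin`, `audit_origins` and the sample hostnames are hypothetical, and upgrading bare hosts to `https` and rejecting non-leading wildcards are assumptions of this sketch.

```python
from urllib.parse import urlsplit


def normalize_origin(entry, scheme="https"):
    """Return one CSRF_TRUSTED_ORIGINS entry in the Django >= 4.0 form."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if "://" not in entry:
        # Pre-4.0 style: bare host, or a leading dot meaning "any subdomain".
        # Assumption: such entries are meant to be reached over `scheme`.
        host = "*" + entry if entry.startswith(".") else entry
        entry = f"{scheme}://{host}"
    parts = urlsplit(entry)
    host = parts.netloc
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if not host or parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("must be scheme://host[:port] with nothing after it")
    if host.startswith("."):
        raise ValueError("leading dot needs an asterisk: use *.domain")
    # Policy of this example (assumption): only a leading "*." wildcard passes.
    if "*" in host and (not host.startswith("*.") or host.count("*") > 1):
        raise ValueError("wildcard is only accepted as a leading '*.' label")
    # The Origin header carries no trailing slash, so drop one if present.
    return f"{parts.scheme}://{host}"


def audit_origins(origins, scheme="https"):
    """Split a settings list into (normalized entries, rejected entries)."""
    fixed, rejected = [], []
    for entry in origins:
        try:
            origin = normalize_origin(entry, scheme)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if origin not in fixed:
            fixed.append(origin)
    return fixed, rejected


# Constructed sample: a pre-4.0 style list with a few malformed entries.
SAMPLE = [".example.org", "studio.example.org", "https://lms.example.org/",
          "http://localhost:18000", "ftp://example.org",
          "https://.example.org", "https://*"]

if __name__ == "__main__":
    print(audit_origins(SAMPLE))
```

Rejected entries are returned with a reason rather than silently dropped, so a reviewer can decide whether each one was a typo or an overly broad trust entry.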
Set an e-mail destination path if no overrides are provided. This
setting is only relevant when the file based email backend is in use
like it is in devstack.
As a part of this change, we render the DATA_DIR setting higher in the
settings file so we can reference it sooner but this should not impact
any other uses of this setting.