If the sequence metadata view is asked to give metadata for a block
that is not a sequence (or section), give a proper http code back,
rather than throwing an attribute exception.
This avoids a monitoring error being flagged, and lets the frontend
catch this case specially (which the MFE does do, to notice that it
actually has a unit, not a sequence).
* feat: add api mapping to get comments by course+user
fix: merge the new user comments API by overloading the thread comments API
fix: handle endorsements and fix broken tests
fix: improve the view documentation
fix: unused imports
fix: restrict flagged filter to privileged users
fix: validate course_id properly
* fix: add docstring to the retrieve_all method
Previously, it had some basic manual masquerading by calling the
endpoint with ?user=mytestuser. But this adds standard session
masquerading support to the endpoint as well.
This support is limited by LS's own partition group support. It
only looks at the enrollment track partition currently. Further
FBE and cohort partition support will come later.
But this commit opens up normal session masquerading for:
- Generic student
- Specific student
- Enrollment track
AA-1151
The _does_name_change_require_verification(user_profile, old_name, new_name) method of the accounts user_api determines whether a learner can change their name from old_name to new_name. Originally, it delegated solely to the NameChangeValidator class of the edx-name-affirmation API, which ran a set of checks against the name change. One of said checks was asserting that learners with one or more certificates could not change their name without completing IDV.
This pull request changes this behavior.
Learners may have certificates that are not in a passable status (e.g. "unverified"). We only want to require IDV for name changes for learners that have passing statuses. The existing code prevented learners from changing their name if they had any certificates at all, irrespective of the certificate status. This change only considers certificates in a passable status.
Additionally, learners may have certificates and also not be enrolled in any "verified" seats. For example, despite edX no longer offering "honor" seats, learners may have enrollments in "honor" modes, which grant certificates but are not considered "verified" enrollment modes. IDV requires that a learner be enrolled in a "verified" seat in order to complete IDV. Prior to this change, learners that were navigated to IDV to validate a name change were unable to complete IDV. This change introduce a check that a learner is in a "verified" mode in addition to using the NameChangeValidator. This prevents the account MFE from navigating an IDV-ineligible learner to IDV.
MST-1254: https://openedx.atlassian.net/browse/MST-1254
The language cookie "samesite" attribute was always set to "None", even in
non-secure environments, such as the devstack. This was causing client-side
warnings in non-https environments, and the language cookie was not properly
set.
Suppress them both in tests (via setup.py and pytest.ini)
and in management command & application runs
(via logsettings.py).
Developers aren't looking at these warnings; they'll be dealt with in a
formal process for upgrading Django. Suppress them for now so that
important information isn't lost in the noise.
This will avoid leaking whether a course exists or not to anonymous
users and also avoid some false-positive error rates when web
crawlers hit bad URLs.
A new feature toggle, default off, causes the session to be deleted when
the user identity on the response does not match the session or request.
There are a small number of requests that cause the user present on the
session at the time of the request to be a different user by the time of
the response. As far as I can tell, these are all cases where a user's
browser somehow ends up with a mix of cookies from multiple legitimate
login sessions on different accounts on the same device.
Because there no longer seems to be any case where this mismatch occurs
and where the response should be allowed through, this commit introduces
a feature toggle `ENFORCE_SAFE_SESSIONS` which will destroy the active
session and overwrite the response.
The plan is to make this behavior available in the next named release and
permanent in the one after.
Also:
- Use less fragile method of checking mocked set_attribute calls in tests
This fixes a couple places (LastSeenCoursewareTimezone and
UserCourseTag) where we were saving an entry for a user, but not
making sure we ignored anonymous users.
It is possible to set custom logos in microfrontends, for instance with the
LOGO_URL setting. Ideally, we would like that MFEs share the same logos as the
LMS. But this is made difficult when comprehensive theming is enabled, and the
logo is overridden by a custom theme. In that scenario, the logo url becomes
/static/mytheme/images/logo.png. But the MFEs do no know that the "mytheme"
theme is enabled. To resolve this issue, we introduce here a view, at the
"/theming/asset/<path>" url, that redirects to the corresponding asset in the
theme that is currently enabled. Thus, MFEs only have to set
`LOGO_URL=http://lmshost/theming/asset/images/logo.png` to point to the themed
logo.
Related issue: https://github.com/overhangio/tutor-mfe/issues/25
