* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
* fix: fix quality failure
* feat!: Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme.
Call into the exam service instead of the edx-proctoring plugin on course publish if the course_apps.exams_ida course waffle flag is enabled. This is an early step in moving away from edx-proctoring.
Formerly, the settings were:
* `MFE_CONFIG` for common config.
* `MFE_CONFIG_<APP_ID>` for app-specific overrides,
with each app getting its own Django setting.
This commit changes it to:
* `MFE_CONFIG` for common config (unchanged)
* `MFE_CONFIG_OVERRIDES` for app-specific overrides,
where each app gets a top-level key in the dictionary.
Why the change?
* We want common.py to have a complete list of overridable settings, as
it helps operators reason about configuration and allows us to generate
config documentation using toggle annotations. Dynamically generating
setting names based on arbitrary APP_IDs makes this impossible.
* getattr(...) generally makes code more complicated and bug prone. Tools
like pylint and mypy cannot effectively analyze any code that uses
dynamic attribute access.
This PR adds MFE API. This is part of the work that is being done to obtain the MFE Runtime Configurations and that has been discussed in the BTR WG.
Discussion: https://discuss.openedx.org/t/how-to-use-microfrontend-in-a-multitenant-instance/6936/14?u=mafermazu
MFE Runtime configuration - eduNEXT: https://docs.google.com/document/d/1-FHIQmyeQZu3311x8eYUNMru4JX7Yb3UlqjmJxvM8do/edit?usp=sharing
feat: add lms setting to set mfe config cache (#262)
Co-authored-by: María Fernanda Magallanes Z <maria.magallanes@edunext.co>
feat: make mfe config api disabled by default (#263)
* feat: make mfe config api disabled by default
* fix: simple is better than complex
test: add mfe config tests (#264)
* test: add mfe config tests
* test: fix it and simplify it
* test: correct pylint issues
fix: correct pep 8 violations
fix: add mfe api unit test in github workflow
fix: correct unit tests
refactor: move mfe api to lms
fix: try mfe api urls without regex
fix: add app_namespace in lms urls
fix: try url without conditional
Revert "fix: try url without conditional"
This reverts commit 694aab546134b4bd9ad2642e24927b42cac24459.
fix: set enable_mfe_config_api feature to true in the tests
test: try to add failed test case
Revert "test: try to add failed test case"
This reverts commit cee6bf656ab1b96492b0b6199ddff32a6d6a65bd.
docs: improve explanation and documentation
fix: ensure the response is a json object
refactor: be consistent with the variable names
fix: allow overriding mfe api config cache timeout in production
fix: handle 404 response in view
refactor: use a guard instead if-else
feat: add the possibility to show mfe specific config
* feat: added new live provider and fixed tests
* feat: added free_tier compatibility
* fix: resolved linter issues and other refactors
* fix: ran makemigration to generate migrations
* fix: Implemented key retrieval for tabs
Co-authored-by: AhtishamShahid <ahtishamshahid@A006-00850.local>
Tests which @requires_blockstore (i.e. the Blockstore service) have
been made to run as a unit test using the installed Blockstore app, and
will be run by the platform CI.
The Blockstore service tests can still be run manually by setting
EDXAPP_RUN_BLOCKSTORE_TESTS=1
Related fixes:
* adds blockstore bundle storage settings
* let the studio devstack and test servers serve static files from
the /media URL. This allows the blockstore/content libraries API to
serve blockstore assets in dev.
* Wrap ContentLibrary creation in an atomic transaction, so that if it
fails, the related bundle can be deleted directly from the database
during the exception handler. (Previously, we called a REST API which
deleted it as part of a separate service.)
Previously, our rate-limiting code trusted the entire `X-Forwarded-For`
header, allowing a malicious client to spoof that header and evade
rate-limiting. This commit introduces a new module and setting
allowing us to make a more conservative choice of IPs.
- Create new `openedx.core.djangoapps.util.ip` module for producing
the IP "external chain" for requests based on the XFF header and the
REMOTE_ADDR.
- Include a function that gives the safest choice of IPs.
- Add new setting `CLOSEST_CLIENT_IP_FROM_HEADERS` for configuring how
the external chain is derived (i.e. setting the trust
boundary). Currently has a default, but we may want to make it
mandatory in the future.
- Change `django-ratelimit` code to use the proximate IP in the external
chain -- the one just outside the trust boundary.
Also:
- Change `XForwardedForMiddleware` to use more conservative choice for
its `REMOTE_ADDR` override
- Other adjustments to `XForwardedForMiddleware` as needed in order to
initialize new module and support code that needs the real
`REMOTE_ADDR` value
- Metrics for observability into the change (and XFF composition)
- Feature switch to restore legacy mode if needed
This also gives us a path forward to removing use of the django-ipware
package, which is no longer maintained and has a handful of bugs that make it
difficult to use safely.
Internal ticket: ARCHBOM-2056
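
An added example (not code from this commit or from edx-platform) of why the proximate IP in the external chain is a safer rate-limit key than the leftmost `X-Forwarded-For` entry. The function names, the `TRUSTED_PROXY_COUNT` knob and the sample addresses are assumptions made for illustration; they do not reproduce the format of `CLOSEST_CLIENT_IP_FROM_HEADERS`.

```python
from collections import Counter

# Assumption: number of proxies we operate between the internet and the app.
TRUSTED_PROXY_COUNT = 1


def raw_ip_chain(xff, remote_addr):
    """Every hop, farthest first: XFF entries followed by REMOTE_ADDR."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    return hops + [remote_addr]


def external_chain(xff, remote_addr, trusted=TRUSTED_PROXY_COUNT):
    """Drop our own proxies from the right; what remains is outside the boundary."""
    chain = raw_ip_chain(xff, remote_addr)
    if trusted >= len(chain):
        # Request did not pass through the expected proxies: only the
        # TCP peer address is verifiable, so fall back to it.
        return [remote_addr]
    return chain[: len(chain) - trusted]


def proximate_ip(xff, remote_addr, trusted=TRUSTED_PROXY_COUNT):
    """Rightmost external hop: the address our first trusted proxy saw."""
    return external_chain(xff, remote_addr, trusted)[-1]


def legacy_ip(xff, remote_addr):
    """Old behaviour: trust the whole header and take the leftmost entry."""
    return raw_ip_chain(xff, remote_addr)[0]


def count_keys(requests, key_fn):
    """Bucket requests by the rate-limit key that key_fn derives."""
    return Counter(key_fn(xff, addr) for xff, addr in requests)


# Constructed sample: one client (203.0.113.7) sends a different forged XFF
# value on each request; the trusted proxy (10.0.0.5) appends the real peer.
SAMPLE_REQUESTS = [
    (f"198.51.100.{i}, 203.0.113.7", "10.0.0.5") for i in range(1, 6)
]

if __name__ == "__main__":
    print("legacy   :", dict(count_keys(SAMPLE_REQUESTS, legacy_ip)))
    print("proximate:", dict(count_keys(SAMPLE_REQUESTS, proximate_ip)))
```

With the legacy key each forged header lands in its own bucket, so no bucket reaches a limit; with the proximate key all five requests count against the same address.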
edx-platform supports COMPREHENSIVE_THEME_LOCALE_PATHS setting, which
appends paths to the end of LOCALE_PATHS, but there's currently no
way to add additional paths to the start of the list.
https://tasks.opencraft.com/browse/SE-5299
* refactor: deprecates ModuleSystem.render_template
in favor of the added MakoSystem render_template method.
Related changes:
* Adds the MakoService to the StudioEditModuleRuntime,
PreviewModuleSystem, LmsModuleSystem, and XBlockRuntime
* MakoService constructor takes a `namespace_prefix` string, so that the
CMS PreviewModuleSystem can render to LMS templates, without needing
the special render_from_lms helper method.
* ModuleSystem.render_template becomes a read-only property, so the
constructor calls and test module systems are updated accordingly.
* Adds tests for the MakoService and module system shims.
(cherry picked from commit 457f959356)
* refactor: use MakoService.render_template to remove deprecation warnings
from block code.
(cherry picked from commit 8d62d337f5)
* refactor: use MakoService.render_template to remove deprecation warnings
from test code.
(cherry picked from commit 26b43465a4)
* test: Adds a test to verify the bug introduced by the previous changes
The AuthoringMixin is automatically added to all XBlocks (see
settings.XBLOCK_MIXINS), and AuthoringMixin.visibility_view expects the
"mako" service.
This test verifies the bug by testing the PureXBlock, which does not
require the "mako" service, and so fails when the visibility_view is
rendered.
* fix: AuthoringMixin needs mako service
which fixes the visibility_view for XBlocks which don't explicitly
require the mako service.
Also removes the unneeded class property _services_requested from
AuthoringMixin and StudioEditableBlock. This property is better provided
by the XBlockMixin class.
in favor of the added MakoSystem render_template method.
Related changes:
* Adds the MakoService to the StudioEditModuleRuntime,
PreviewModuleSystem, LmsModuleSystem, and XBlockRuntime
* MakoService constructor takes a `namespace_prefix` string, so that the
CMS PreviewModuleSystem can render to LMS templates, without needing
the special render_from_lms helper method.
* ModuleSystem.render_template becomes a read-only property, so the
constructor calls and test module systems are updated accordingly.
* Adds tests for the MakoService and module system shims.
With the PR it will load the old `CORS_ORIGIN_WHITELIST` since there is no change in `django-cors-headers` version. In the next PR this version will get upgraded.
Currently, login and registration forms and the view to log the user in
are sharing the same ratelimit settings, which is causing too much noise
while rendering forms. This PR will introduce a separate
setting for logistration forms.
VAN-436
This adds a new django app to allow the GDPR user retirement via
Open edX's REST API. Prior to this the only way to trigger the user
retirement was either by the user themself clicking "Delete my account"
in the account setting page or via creating a User Retirement request
by admin. With these changes, the user retirement process can be
triggered using REST API.
We use django-ratelimit to limit per IP login attempts, and then we use
django-ratelimit-backend to limit per username login attempts. This
change replaces the usage of django-ratelimit-backend with another
instance of django-ratelimit so that both limits can be managed by one
library.
This is the first step in being able to fully excise
django-ratelimit-backend from edx-platform. Note that we're still using
the `RateLimitMixin` in openedx/core/djangoapps/oauth_dispatch/dot_overrides/backends.py
because studio and the admin UI still relies on that for rate limiting.
Those login paths will have to be updated before we can remove the mixin
from our auth backend.
MST-637: edx-proctoring 3.0.0 now requires a new key for use in ID
generation, starting from same value as SECRET_KEY (pre-rotation, but
rotation never happened for devstack.)
Remote config changes already made for relevant environments.