Suppress them both in tests (via setup.py and pytest.ini)
and in management command & application runs
(via logsettings.py).
Developers aren't looking at these warnings; they'll be dealt with in a
formal process for upgrading Django. Suppress them for now so that
important information isn't lost in the noise.
This will avoid leaking whether a course exists or not to anonymous
users and also avoid some false-positive error rates when web
crawlers hit bad URLs.
A new feature toggle, default off, causes the session to be deleted when
the user identity on the response does not match the session or request.
There are a small number of requests that cause the user present on the
session at the time of the request to be a different user by the time of
the response. As far as I can tell, these are all cases where a user's
browser somehow ends up with a mix of cookies from multiple legitimate
login sessions on different accounts on the same device.
Because there no longer seems to be any case where this mismatch occurs
and where the response should be allowed through, this commit introduces
a feature toggle `ENFORCE_SAFE_SESSIONS` which will destroy the active
session and overwrite the response.
The plan is to make this behavior available in the next named release and
permanent in the one after.
Also:
- Use less fragile method of checking mocked set_attribute calls in tests
This fixes a couple places (LastSeenCoursewareTimezone and
UserCourseTag) where we were saving an entry for a user, but not
making sure we ignored anonymous users.
It is possible to set custom logos in microfrontends, for instance with the
LOGO_URL setting. Ideally, we would like that MFEs share the same logos as the
LMS. But this is made difficult when comprehensive theming is enabled, and the
logo is overridden by a custom theme. In that scenario, the logo url becomes
/static/mytheme/images/logo.png. But the MFEs do no know that the "mytheme"
theme is enabled. To resolve this issue, we introduce here a view, at the
"/theming/asset/<path>" url, that redirects to the corresponding asset in the
theme that is currently enabled. Thus, MFEs only have to set
`LOGO_URL=http://lmshost/theming/asset/images/logo.png` to point to the themed
logo.
Related issue: https://github.com/overhangio/tutor-mfe/issues/25
The removed attributes were needed in order to inform the move of the
`_verify_user` function call up out of the try/except block. That work has
concluded (https://github.com/edx/edx-platform/pull/29324) so the
monitoring can be removed.
Also:
- Bring a comment on some other monitoring up to date
- Make long-needed corrections to an existing docstring
- Remove malformed-cookie logging, since we haven't been using it
We didn't see any errors after enabling this feature toggle, so remove it
in favor of the "True" setting.
Compare to PR #29306, which created the toggle.
ref: ARCHBOM-1952
