When including `JwtAuthentication`, the auth_header becomes `JWT
realm="api"`. Without it, it is `None`. This changes the behavior of the
code in DRF and returns a slightly different auth response.
Relevant Code: 56946fac8f/rest_framework/views.py (L456C3-L456C3)
By default DRF sets 'DEFAULT_AUTHENTICATION_CLASSES' to:
```
[
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication'
]
```
We also want to allow for JWT Authentication as a valid default auth
choice. This will allow users to send JWT tokens in the authorization
header to any existing API endpoints and access them. If any APIs have
set custom authentication classes, this will not override that.
I believe this is a fairly safe change to make since it only adds one
authentication class and does not impact authorization of any of the
endpoints that might be affected.
Note: This change changes the default for both the LMS and CMS because
`cms/envs/common.py` imports this value from the LMS.
BREAKING CHANGE: For any affected endpoint that also required the user
to be authenticated, the endpoint will now return a 401 in place of a
403 when the user is not authenticated.
- See [these DRF docs](https://github.com/encode/django-rest-framework/blob/master/docs/api-guide/authentication.md#unauthorized-and-forbidden-responses) for a deeper explanation about why this changes.
- Here is [an example endpoint](b8ecfed67d/openedx/core/djangoapps/embargo/views.py (L20-L21)) that does not override defaults and checks for IsAuthenticated.
Generally speaking, this is should not be a problem. An issue would
appear only if the caller of the endpoint is specifically handling 403s
in a way that would be missed for 401s.
Learners want to have the usual course navigation when viewing a wiki,
so that they can go back to the course related to the wiki and browse
other tabs/sections of the course.
Wiki reads the course from the `request.course`. If it's not present,
i.e. None or not set on the request, it will not show the course
navigation UI.
It seems like `WikiAccessMiddleware` already has the code that parses
course id from the request (when the request is for a wiki view) and
sets the course for the request. However, it doesn't work in most
scenarios, because the course id is not in the it's normal format in
most requests that go to wiki.
For example, when a leaner clicks on a wiki tab from the course
overview, they are redirected to `/wiki/<wiki_slug>/` path. The wiki
slug is taken from course's `wiki_slug` field. This slug can be used to
figure out what course this wiki belongs to in most (not all) cases.
This commit adds code to the `WikiAccessMiddleware` that attempts to
find a course based on wiki slug, and in case of success, sets the
course to the `request.course`, so that wiki can display course
navigation UI.
* feat!: `sha1` has been deprecated in django32 and removed in django42.
* test: fix quality failure
* fixup! update custom attribute tests (#33436)
I was wondering about all the cases, so I
updated the test to reflect this. I also
made some other minor adjustments.
---------
Co-authored-by: Muhammad Soban Javed <iamsobanjaved@gmai.com>
Co-authored-by: Robert Raposa <rraposa@edx.org>
Co-authored-by: Muhammad Soban Javed <58461728+iamsobanjaved@users.noreply.github.com>
* feat: receiver for invalidate certificate
- consumes event of exam attempt rejected
- initial commit, need to make tests
* temp: moving consumer from signals to handlers.py
- Still need to make this work
- Need to make tests work too
* feat: refactored underlying code to api.py
- tests still need to be tweaked
* fix: commit history
* fix: improve api func name + add source param
This commit adds an event bus event handler to the grades application. This event handler handles the EXAM_ATTEMPT_REJECTED Open edX event,
which is emitted when a learner's exam attempt is rejected. The event handler creates a subsection grade override, overriding the grade to
0.0.
Removes expected part of EXPECTED_ERRORS with a variety of changes.
- In many placed in the code, "expected" was used to mean
"ignored and expected", and all such instances are renamed to "ignored".
- The setting ``EXPECTED_ERRORS`` is renamed to ``IGNORED_ERRORS``,
which better matches how it was being used in the first place.
- The setting ``EXPECTED_ERRORS[REASON_EXPECTED]`` is renamed to ``IGNORED_ERRORS[REASON_IGNORED]``.
- The setting toggle ``EXPECTED_ERRORS[IS_IGNORED]`` is removed,
because it will now always be True.
- The how-to will is renamed to how_tos/logging-and-monitoring-ignored-errors.rst.
See 0002-logging-and-monitoring-expected-errors-removed.rst for more details.
Implements DEPR: https://github.com/openedx/edx-platform/issues/32405
**BREAKING CHANGE:** The rename of the setting ``EXPECTED_ERRORS`` to
``IGNORED_ERRORS``, and ``REASON_EXPECTED`` to ``REASON_IGNORED``,
was implemented without backward compatibility. Simply copy the old settings
with the new name as an expand phase before deleting the old names in the
contract phase.
