Skip to content

Fox/backport default pdf verawood#38869

Closed
Kelketek wants to merge 42 commits into
openedx:masterfrom
open-craft:fox/backport-default-pdf-verawood
Closed

Fox/backport default pdf verawood#38869
Kelketek wants to merge 42 commits into
openedx:masterfrom
open-craft:fox/backport-default-pdf-verawood

Conversation

@Kelketek

@Kelketek Kelketek commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Description

This is a backport of #38868 , added because PDF default support was slated for Verawood but was found to be missing during testing.

Supporting information

PDF block product proposal: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5335908397/Proposal+Add+PDF+Block+to+Base+Installation?focusedCommentId=6556647439

Testing instructions

  1. Create a new course.
  2. Don't modify the advanced modules for the course.
  3. Create a unit and check the advanced dropdown. Add a PDF block for the course and verify it works as expected.

Deadline

ASAP, so it's included for more people.

farhaanbukhsh and others added 30 commits April 30, 2026 20:52
Signed-off-by: Farhaan Bukhsh <farhaan@opencraft.com>
Signed-off-by: Farhaan Bukhsh <farhaan@opencraft.com>
This update includes the new editor design.  This is a backport of this
new editor to the verawood release branch.
…dx#38477) (openedx#38495)

Backport of openedx#38477 / cherry picked from commit 8bcdd46

Co-authored-by: Copilot <copilot@github.com>
- Integrate extended profile model into account settings flow
- Improve validation and error handling
- Refactor form handling and API separation
- Ensure atomic updates for profile changes
- Support PROFILE_EXTENSION_FORM setting
- Add and update comprehensive unit tests
- Improve documentation and code clarity
feat: add support for course permission in authz rest apis

Commit generated by workflow `openedx/openedx-platform/.github/workflows/upgrade-one-python-dependency.yml@refs/heads/master`

Co-authored-by: MaferMazu <35668326+MaferMazu@users.noreply.github.com>
Signed-off-by: Farhaan Bukhsh <farhaan@opencraft.com>
This addresses a bug that was breaking course export when edx-val based
transcripts were missing from the file store. With this fix, the course
export skips the missing transcript without erroring out entirely.
Maps the legacy STUDIO_BASE_URL key to the optional frontend-base
cmsBaseUrl field so it surfaces at the top level of FrontendSiteConfigView
instead of falling through to commonAppConfig.

Co-Authored-By: Claude <noreply@anthropic.com>
Adds a structural translator from the legacy PARAGON_THEME_URLS shape
(frontend-platform's env.config.jsx) into the frontend-base SiteConfig
`theme` setting served by FrontendSiteConfigView.

frontend-base loads Paragon's base CSS via its shell stylesheet, so the
runtime `theme` is exclusively a brand-override mechanism.  The
translator deliberately narrows to `urls.brandOverride` only; bare `url`
and `urls.default` would point at Paragon defaults and clobber the
bundled CSS, so they are dropped.  `defaults` passes through unchanged
when at least one URL survives, and is dropped (along with the whole
`theme` key) when no URL survives, since `defaults` alone is meaningless
without a stylesheet to point at.

PARAGON_THEME_URLS is also added to the site-level keys stripped from
per-app MFE_CONFIG_OVERRIDES, since `theme` is site-level only in
frontend-base.

Co-Authored-By: Claude <noreply@anthropic.com>
Purposefully not adding the older releases here but for any new releases
we should test on the branch once PRs are merged to make sure there are
no regressions that were missed by weird merge timing.
…oints (openedx#38458)

- Support ?ordering= query param on special exam allowances and
  attempts list endpoints via in-memory sort (edx-proctoring returns
  plain lists, not querysets; see openedx/edx-proctoring#1320)
- Add derived exam_type field (timed/proctored/practice) to special
  exam and attempt serializer responses
- Return authenticated user's username in course metadata response
- Make reason field optional and blank-safe on due date extension
  endpoint (BlockDueDateSerializerV2)
* feat: add generate exception certificates modal

* feat: add tests

* fix: tests

* fix: linting
The set_course_mode_price view had no authorization check beyond
@login_required, meaning any authenticated user could POST to it and
rewrite the honor-mode price for any course — a privilege escalation
vulnerability.

Ideally this endpoint would be removed: it has no known callers in the
UI (no templates or JS reference it), no tests, and targets the legacy
'honor' mode. However, it is publicly routed and external consumers may
depend on it, so removal requires going through the DEPR process before
we can act. In the meantime, this commit closes the security hole
regardless of how active the endpoint is.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…x#38578) (openedx#38675)

FieldError at /admin/content_libraries/contentlibrary/:id/change/
Unknown field(s) (authorized_lti_configs)

Co-authored-by: Braden MacDonald <braden@opencraft.com>
validate_timestamp_and_nonce previously returned True unconditionally,
allowing any captured LTI launch request to be replayed indefinitely.

Now rejects requests whose oauth_timestamp falls outside a ±5-minute
window, then atomically records the nonce in the Django cache via
cache.add() (OEP-0022 key generation via get_cache_key). A replay
returns False immediately because cache.add() only writes when the key
is absent.

TieredCache is intentionally not used here: it has no atomic add
primitive, so a separate get-then-set would leave a race window that
defeats the protection. See the updated docstring for details.

Documents the requirement for a shared cache backend (Redis or
Memcached) in multi-node deployments in both the app and repo READMEs.

Fixes GHSA-6gm5-c49g-p3h9

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add missing class docstring to TimestampAndNonceValidatorTest (C0115)
- Move time.time patch from class decorator into setUp/addCleanup to
  eliminate unused mock parameters in every test method (PT019)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
)

* fix: ValidationError when trying to add components to a collection (openedx#38579)

* fix: don't sleep for a half second every time we update meilisearch (openedx#38576)

* fix: various issues with modulestore migrator and content library events (openedx#38508)

* fix: update modulestore migrator to not publish in draft context
* fix: use correct date/user info for modulestore migrator
* fix: allow our event handling tasks to call subtasks
* fix: better handling of deletion/un-deletion using openedx-core fixes
* fix: exception raised when mass-deleting all items in a content library
  (ContentLibraryBlockNotFound was being raised and not caught, propagating up to celery task error)
* fix: don't update the 'collections' field of deleted entities when modifying a collection
* fix: keep collection "# of entities" count updated when entities deleted
* refactor: use LIBRARY_COLLECTION_UPDATED event to update collections on entity (un)delete
* fix: unable to delete "ghost" component in library if it exists but has no draft

* fix: error when deleting lib component used in a container (openedx#38607)

* fix: bump openedx-core to v1.0.2

---------

Co-authored-by: Claude <noreply@anthropic.com>
navinkarkera and others added 12 commits June 10, 2026 19:25
Commit generated by workflow `openedx/openedx-platform/.github/workflows/upgrade-one-python-dependency.yml@refs/heads/release/verawood`
The PUT /api/contentstore/v1/videos/{course_id}/download endpoint fetched
every client-supplied files[].url server-side with
requests.get(url, allow_redirects=True) and returned the bytes inside the
ZIP response. Because the URLs were never validated, an authenticated user
with studio read access could point them at internal services or cloud
metadata endpoints and exfiltrate the responses (GHSA-fpf9-9rpr-jvrx).

By design these URLs are always a subset of the course's own VAL
encoded_videos[].url values (the same data the video listing hands the
frontend). Restrict fetches to that allowlist: build the set of legitimate
URLs for the course and reject any request containing a URL outside it
before any HTTP request is made. This eliminates the SSRF rather than
merely narrowing it.

Adds VideoDownloadViewTest (the endpoint previously had no test coverage)
covering the allowed-URL success path, rejection of disallowed URLs without
any outbound request, mixed allowed/disallowed batches, and the non-staff
permission gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
openedx#38790) (openedx#38794)

(backport)

Now, when pasting a container into a library:
* Only a single draft change log is created, regardless of how many "things" are in the container, and
* The change is properly attributed to the current user who pressed "paste"
…edx#38788)

* feat: add platform glob scope support (openedx#38660)

* feat: add platform-wide authz scope support

* feat: enhance course listing authorization with global toggle support

* chore: upgrade openedx-authz to 1.19.0

* docs: add docstring for mock authorization toggle in course listing tests

* fix: add missing org scope support in instructor dashboard (openedx#38721)

* feat: enhance role assignment handling for users with org-wide scopes

* refactor: update role assertion methods

* refactor: replace external_key initialization with build_external_key method

* refactor: streamline role assignment by directly using build_external_key method

* refactor: update role assignment scope initialization to use ScopeData

* refactor: introduce helper function to extract org and course ID from AuthZ scope

* refactor: replace has_access with administrative_accesses_to_course_for_user

* docs: clarify legacy-only CourseAccessRole query in studio course list

* refactor: simplify user role assignment retrieval by using scoped api method

* fix: preserve catalog and staff checks for authZ about-page access (openedx#38736)

* fix: preserve catalog and staff checks for authZ about-page access

* refactor: remove about page catalog visibility error function and return CatalogVisibilityError directly
* feat: added ora reminder notification
…t-ora-reminder-verawood

[Backport] feat: add ora reminder notification
…openedx#38852)

Replace course_version in the sidebar cache key with a
block_structure_version derived from BlockStructureModel.data_version.
course_version changes eagerly on publish, causing a cache miss before
the block structure is rebuilt — poisoning the cache with stale data for
1 hour. block_structure_version only changes after the async rebuild
completes, so cache misses only occur when fresh data is available.

This is a backport of openedx#38785.
The previous vendored pdf.js was 1.0.907 (May 2013), four major versions
behind upstream and within the range covered by Mozilla's
GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a
malicious PDF). 5.7.284 is well past the >= 4.2.67 fix line.

The replacement comes from Mozilla's prebuilt
`pdfjs-5.7.284-legacy-dist.zip` GitHub Release artifact rather than the
`pdfjs-dist` npm package because the npm package is library-only -- it
ships `pdf.mjs` plus a bare `PDFViewer` component class, but no
`viewer.html` / `viewer.mjs` / `viewer.css` / locale files. A full npm
integration would mean rewriting the viewer page against the bare
component, which is appropriate as a non-security follow-up but not as
the fix here.

The viewer page (`lms/templates/pdf_viewer.html`) is rewritten as a Mako
adaptation of upstream `web/viewer.html`. A `<base href>` makes the
viewer's relative asset URLs resolve against the vendored copy.

The analytics shim (`lms/static/js/pdf-analytics.js`) is rewritten in
vanilla JS against `PDFViewerApplication.eventBus`. Four analytics
events (`textbook.pdf.thumbnails.toggled`,
`textbook.pdf.thumbnail.navigated`, `textbook.pdf.outline.toggled`,
`textbook.pdf.page.scrolled`) no longer fire because the corresponding
UI elements were refactored away in pdf.js 4.x's Views Manager
redesign.

A new `scripts/refresh-pdfjs-vendor.sh` is the tool for future bumps:
update PDFJS_VERSION + PDFJS_LEGACY_ZIP_SHA256, re-run, commit.

Closes GHSA-mj74-gfq3-2v9f.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ready exist (openedx#38840) (openedx#38858)

* fix: Cannot rerun courses - authz role assignment expects rerun to already exist

* squash!: Increase test coverage

* squash!: Improve tests

* squash!: Add TODO comments and improve assert handling
chore: upgrade to the latest openedx-authz version

Commit generated by workflow `openedx/openedx-platform/.github/workflows/upgrade-one-python-dependency.yml@refs/heads/master`

Co-authored-by: Maria Grimaldi (Majo) <maria.grimaldi@edunext.co>
@Kelketek Kelketek requested review from a team as code owners July 9, 2026 23:16
@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Jul 9, 2026
@openedx-webhooks

Copy link
Copy Markdown

Thanks for the pull request, @Kelketek!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@github-project-automation github-project-automation Bot moved this to Needs Triage in Contributions Jul 9, 2026
@Kelketek Kelketek closed this Jul 9, 2026
@github-project-automation github-project-automation Bot moved this from Needs Triage to Done in Contributions Jul 9, 2026
@Kelketek

Kelketek commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Wrong branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). open-source-contribution PR author is not from Axim or 2U

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.