From ee3aa4acee5d05e1c05958f43b97fc1f4d59ef77 Mon Sep 17 00:00:00 2001
From: Kaustav Banerjee <kaustav@opencraft.com>
Date: Mon, 8 Aug 2022 21:08:36 +0530
Subject: [PATCH 01/24] feat: allow switching anonymous user ID hashing
 algorithm from shake to md5

The hashing algorithm has been changed in cd60646. However, there are Open edX
operators who maintain backward compatibility of anonymous user IDs after past
rotations of their Django secret key. For them, altering the hashing algorithm
was a breaking change that made their analytics inconsistent.

(cherry picked from commit 746e4fed1bfeb731b2f6288fe3ba4ea056397fdb)
(cherry picked from commit ff6d92fd892dff5e66bbf77eadf9b91ed2189a24)
(cherry picked from commit 7245bdc7f73d9693f15acc885bee4e0d00be8245)
(cherry picked from commit 6da7f588ddf0c851f49ab2f3829417fb7aec1718)
---
 cms/envs/common.py                       | 11 +++++++++++
 common/djangoapps/student/models/user.py | 13 +++++++++++--
 common/djangoapps/student/tests/tests.py | 11 +++++++++++
 lms/envs/common.py                       | 11 +++++++++++
 4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/cms/envs/common.py b/cms/envs/common.py
index d8e5105e6720..26d219a368df 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -591,6 +591,17 @@
     # .. toggle_use_cases: open_edx
     # .. toggle_creation_date: 2024-04-10
     'BADGES_ENABLED': False,
+
+    # .. toggle_name: FEATURES['ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the legacy MD5 hashing algorithm to generate anonymous user id
+    #   instead of the newer SHAKE128 hashing algorithm
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2022-08-08
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/openedx/edx-platform/pull/30832'
+    'ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID': False,
 }
 
 # .. toggle_name: ENABLE_COPPA_COMPLIANCE
diff --git a/common/djangoapps/student/models/user.py b/common/djangoapps/student/models/user.py
index 2a4a9deb3664..cb806fed4467 100644
--- a/common/djangoapps/student/models/user.py
+++ b/common/djangoapps/student/models/user.py
@@ -154,12 +154,21 @@ def anonymous_id_for_user(user, course_id):
         # function: Rotate at will, since the hashes are stored and
         # will not change.
         # include the secret key as a salt, and to make the ids unique across different LMS installs.
-        hasher = hashlib.shake_128()
+        legacy_hash_enabled = settings.FEATURES.get('ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID', False)
+        if legacy_hash_enabled:
+            # Use legacy MD5 algorithm if flag enabled
+            hasher = hashlib.md5()
+        else:
+            hasher = hashlib.shake_128()
         hasher.update(settings.SECRET_KEY.encode('utf8'))
         hasher.update(str(user.id).encode('utf8'))
         if course_id:
             hasher.update(str(course_id).encode('utf-8'))
-        anonymous_user_id = hasher.hexdigest(16)
+
+        if legacy_hash_enabled:
+            anonymous_user_id = hasher.hexdigest()
+        else:
+            anonymous_user_id = hasher.hexdigest(16)  # pylint: disable=too-many-function-args
 
         try:
             AnonymousUserId.objects.create(
diff --git a/common/djangoapps/student/tests/tests.py b/common/djangoapps/student/tests/tests.py
index 9e61095260b6..5d393149c406 100644
--- a/common/djangoapps/student/tests/tests.py
+++ b/common/djangoapps/student/tests/tests.py
@@ -1064,6 +1064,17 @@ def test_anonymous_id_secret_key_changes_result_in_diff_values_for_same_new_user
             assert anonymous_id != new_anonymous_id
             assert self.user == user_by_anonymous_id(new_anonymous_id)
 
+    def test_enable_legacy_hash_flag(self):
+        """Test that different anonymous id returned if ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID enabled."""
+        CourseEnrollment.enroll(self.user, self.course.id)
+        anonymous_id = anonymous_id_for_user(self.user, self.course.id)
+        with patch.dict(settings.FEATURES, ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID=True):
+            # Recreate user object to clear cached anonymous id.
+            self.user = User.objects.get(pk=self.user.id)
+            AnonymousUserId.objects.filter(user=self.user).filter(course_id=self.course.id).delete()
+            new_anonymous_id = anonymous_id_for_user(self.user, self.course.id)
+            assert anonymous_id != new_anonymous_id
+
 
 @skip_unless_lms
 @patch('openedx.core.djangoapps.programs.utils.get_programs')
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 5f8714ca9cf7..629021d67ff2 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1085,6 +1085,17 @@
     # .. toggle_creation_date: 2024-04-02
     # .. toggle_target_removal_date: None
     'BADGES_ENABLED': False,
+
+    # .. toggle_name: FEATURES['ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the legacy MD5 hashing algorithm to generate anonymous user id
+    #   instead of the newer SHAKE128 hashing algorithm
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2022-08-08
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/openedx/edx-platform/pull/30832'
+    'ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID': False,
 }
 
 # Specifies extra XBlock fields that should available when requested via the Course Blocks API

From 64f5deab99011aea3a03567bb9f4816ecde77230 Mon Sep 17 00:00:00 2001
From: Kshitij Sobti <kshitij@sobti.in>
Date: Wed, 24 May 2023 13:58:55 +0530
Subject: [PATCH 02/24] temp: Add configuration option to redirect to external
 site when TAP account is unlinked

(cherry picked from commit e83a8c8f82849644cf95534cde3fe149e4f11916)
(cherry picked from commit 0c831dc390f63ea9259668ec400df9c4bccd95c8)
(cherry picked from commit c596bf3b100bcc629602f0c371663da2c0b862ac)
---
 lms/static/js/student_account/views/LoginView.js  |  3 +++
 openedx/core/djangoapps/user_authn/views/login.py | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lms/static/js/student_account/views/LoginView.js b/lms/static/js/student_account/views/LoginView.js
index 5832f2c088be..9b7ce2e19908 100644
--- a/lms/static/js/student_account/views/LoginView.js
+++ b/lms/static/js/student_account/views/LoginView.js
@@ -216,6 +216,7 @@
             saveError: function(error) {
                 var errorCode;
                 var msg;
+                var redirectURL;
                 if (error.status === 0) {
                     msg = gettext('An error has occurred. Check your Internet connection and try again.');
                 } else if (error.status === 500) {
@@ -245,6 +246,7 @@
                 } else if (error.responseJSON !== undefined) {
                     msg = error.responseJSON.value;
                     errorCode = error.responseJSON.error_code;
+                    redirectURL = error.responseJSON.redirect_url;
                 } else {
                     msg = gettext('An unexpected error has occurred.');
                 }
@@ -266,6 +268,7 @@
                         this.clearFormErrors();
                         this.renderThirdPartyAuthWarning();
                     }
+                    window.location.href = redirectURL;
                 } else {
                     this.renderErrors(this.defaultFormErrorsTitle, this.errors);
                 }
diff --git a/openedx/core/djangoapps/user_authn/views/login.py b/openedx/core/djangoapps/user_authn/views/login.py
index 7d049871266e..85ed25e42895 100644
--- a/openedx/core/djangoapps/user_authn/views/login.py
+++ b/openedx/core/djangoapps/user_authn/views/login.py
@@ -76,7 +76,7 @@ def _do_third_party_auth(request):
 
     try:
         return pipeline.get_authenticated_user(requested_provider, username, third_party_uid)
-    except USER_MODEL.DoesNotExist:
+    except USER_MODEL.DoesNotExist as err:
         AUDIT_LOG.info(
             "Login failed - user with username {username} has no social auth "
             "with backend_name {backend_name}".format(
@@ -98,7 +98,13 @@ def _do_third_party_auth(request):
             )
         )
 
-        raise AuthFailedError(message, error_code='third-party-auth-with-no-linked-account')  # lint-amnesty, pylint: disable=raise-missing-from
+        redirect_url = configuration_helpers.get_value('OC_REDIRECT_ON_TPA_UNLINKED_ACCOUNT', None)
+
+        raise AuthFailedError(
+            message,
+            error_code='third-party-auth-with-no-linked-account',
+            redirect_url=redirect_url
+        ) from err
 
 
 def _get_user_by_email(email):

From a0d88065b11f8d182d3c00deb5935880bf0611e1 Mon Sep 17 00:00:00 2001
From: 0x29a <demid@opencraft.com>
Date: Mon, 26 Jun 2023 11:08:26 +0200
Subject: [PATCH 03/24] feat: all eSHE role features squashed in one commit

fix: give superusers all studio permissions

(cherry picked from commit 8ef55754f4a529cc6b784298320fcdb8b415bd83)
(cherry picked from commit 8e281a9535b8317e24f8d2b3b5d840a3eb852865)
(cherry picked from commit f55297379276ddcdfd140b43bdc54d19128744d9)
(cherry picked from commit 6de7b64ae477bf882c1ae3a97ef2e8940e773a57)

feat: eSHE Instructor role

Adds the eSHE Instructor role, which inherits Course Staff permissions,
but isn't able to enroll / un-enroll students and can't assing course
team roles unless in combination with Course Staff / Instructor /
Discussion admin roles.

(cherry picked from commit 5d160c2ecd91e58276dccfd84ca32fb689f46e5e)
(cherry picked from commit a21b4f0da1d6eb5240d15aa8b50fd77454b47167)

feat: Teaching Assistant role

(cherry picked from commit 176de06291aafe4a8f8c9a3a9afdec24cedb332e)
(cherry picked from commit 7ef00c0dd265c09a52c71feab9d58a34f7f2c54c)
---
 common/djangoapps/student/roles.py            | 21 +++-
 common/djangoapps/student/tests/test_roles.py |  4 +
 lms/djangoapps/instructor/access.py           |  4 +
 lms/djangoapps/instructor/permissions.py      | 21 +++-
 .../tests/views/test_instructor_dashboard.py  | 99 +++++++++++++++++++
 .../instructor/views/instructor_dashboard.py  | 24 ++++-
 lms/envs/common.py                            | 20 ++++
 .../instructor_dashboard/membership.html      |  2 +
 .../instructor_dashboard_2/membership.html    | 37 +++++++
 .../instructor_dashboard_2/student_admin.html | 16 ++-
 10 files changed, 237 insertions(+), 11 deletions(-)

diff --git a/common/djangoapps/student/roles.py b/common/djangoapps/student/roles.py
index 971433c9c523..cd7ced4e9fdd 100644
--- a/common/djangoapps/student/roles.py
+++ b/common/djangoapps/student/roles.py
@@ -211,7 +211,7 @@ class GlobalStaff(AccessRole):
     The global staff role
     """
     def has_user(self, user):
-        return bool(user and user.is_staff)
+        return bool(user and (user.is_superuser or user.is_staff))
 
     def add_users(self, *users):
         for user in users:
@@ -361,6 +361,25 @@ class CourseLimitedStaffRole(CourseStaffRole):
     BASE_ROLE = CourseStaffRole.ROLE
 
 
+@register_access_role
+class eSHEInstructorRole(CourseStaffRole):
+    """A Staff member of a course without access to the membership tab and enrollment-related operations."""
+
+    ROLE = 'eshe_instructor'
+    BASE_ROLE = CourseStaffRole.ROLE
+
+
+@register_access_role
+class TeachingAssistantRole(CourseStaffRole):
+    """
+    A Staff member of a course without access to the membership tab, enrollment-related operations and
+    grade-related operations.
+    """
+
+    ROLE = 'teaching_assistant'
+    BASE_ROLE = CourseStaffRole.ROLE
+
+
 @register_access_role
 class CourseInstructorRole(CourseRole):
     """A course Instructor"""
diff --git a/common/djangoapps/student/tests/test_roles.py b/common/djangoapps/student/tests/test_roles.py
index da1aad19a803..816e20fa198b 100644
--- a/common/djangoapps/student/tests/test_roles.py
+++ b/common/djangoapps/student/tests/test_roles.py
@@ -17,6 +17,8 @@
     CourseStaffRole,
     CourseFinanceAdminRole,
     CourseSalesAdminRole,
+    eSHEInstructorRole,
+    TeachingAssistantRole,
     LibraryUserRole,
     CourseDataResearcherRole,
     GlobalStaff,
@@ -199,6 +201,8 @@ class RoleCacheTestCase(TestCase):  # lint-amnesty, pylint: disable=missing-clas
     ROLES = (
         (CourseStaffRole(IN_KEY), ('staff', IN_KEY, 'edX')),
         (CourseLimitedStaffRole(IN_KEY), ('limited_staff', IN_KEY, 'edX')),
+        (eSHEInstructorRole(IN_KEY), ('eshe_instructor', IN_KEY, 'edX')),
+        (TeachingAssistantRole(IN_KEY), ('teaching_assistant', IN_KEY, 'edX')),
         (CourseInstructorRole(IN_KEY), ('instructor', IN_KEY, 'edX')),
         (OrgStaffRole(IN_KEY.org), ('staff', None, 'edX')),
         (CourseFinanceAdminRole(IN_KEY), ('finance_admin', IN_KEY, 'edX')),
diff --git a/lms/djangoapps/instructor/access.py b/lms/djangoapps/instructor/access.py
index 9255d113f038..c5bc5fb83370 100644
--- a/lms/djangoapps/instructor/access.py
+++ b/lms/djangoapps/instructor/access.py
@@ -19,6 +19,8 @@
     CourseInstructorRole,
     CourseLimitedStaffRole,
     CourseStaffRole,
+    eSHEInstructorRole,
+    TeachingAssistantRole,
 )
 from lms.djangoapps.instructor.enrollment import enroll_email, get_email_params
 from openedx.core.djangoapps.django_comment_common.models import Role
@@ -30,6 +32,8 @@
     'instructor': CourseInstructorRole,
     'staff': CourseStaffRole,
     'limited_staff': CourseLimitedStaffRole,
+    'eshe_instructor': eSHEInstructorRole,
+    'teaching_assistant': TeachingAssistantRole,
     'ccx_coach': CourseCcxCoachRole,
     'data_researcher': CourseDataResearcherRole,
 }
diff --git a/lms/djangoapps/instructor/permissions.py b/lms/djangoapps/instructor/permissions.py
index e1a1cbf466f6..a06905a0a35d 100644
--- a/lms/djangoapps/instructor/permissions.py
+++ b/lms/djangoapps/instructor/permissions.py
@@ -36,6 +36,21 @@
 VIEW_ENROLLMENTS = 'instructor.view_enrollments'
 VIEW_FORUM_MEMBERS = 'instructor.view_forum_members'
 
+# Due to how the roles iheritance is implemented currently, eshe_instructor and teaching_assistant have implicit
+# staff access, but unlike staff, they shouldn't be able to enroll and do grade-related operations as per client's
+# requirements. At the same time, all other staff-derived roles, like Limited Staff, should be able to enroll students.
+# This solution is far from perfect, but it's probably the best we can do untill the roles system is reworked.
+_is_teaching_assistant = HasRolesRule('teaching_assistant')
+_is_eshe_instructor = HasRolesRule('eshe_instructor')
+_is_eshe_instructor_or_teaching_assistant = _is_teaching_assistant | _is_eshe_instructor
+is_staff_but_not_teaching_assistant = (
+    (_is_teaching_assistant & HasAccessRule('staff', strict=True)) |
+    (~_is_teaching_assistant & HasAccessRule('staff'))
+)
+is_staff_but_not_eshe_instructor_or_teaching_assistant = (
+    (_is_eshe_instructor_or_teaching_assistant & HasAccessRule('staff', strict=True)) |
+    (~_is_eshe_instructor_or_teaching_assistant & HasAccessRule('staff'))
+)
 
 perms[ALLOW_STUDENT_TO_BYPASS_ENTRANCE_EXAM] = HasAccessRule('staff')
 perms[ASSIGN_TO_COHORTS] = HasAccessRule('staff')
@@ -49,17 +64,17 @@
 perms[START_CERTIFICATE_REGENERATION] = is_staff | HasAccessRule('instructor')
 perms[CERTIFICATE_EXCEPTION_VIEW] = is_staff | HasAccessRule('instructor')
 perms[CERTIFICATE_INVALIDATION_VIEW] = is_staff | HasAccessRule('instructor')
-perms[GIVE_STUDENT_EXTENSION] = HasAccessRule('staff')
+perms[GIVE_STUDENT_EXTENSION] = is_staff_but_not_teaching_assistant
 perms[VIEW_ISSUED_CERTIFICATES] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 # only global staff or those with the data_researcher role can access the data download tab
 # HasAccessRule('staff') also includes course staff
 perms[CAN_RESEARCH] = is_staff | HasRolesRule('data_researcher')
-perms[CAN_ENROLL] = HasAccessRule('staff')
+perms[CAN_ENROLL] = is_staff_but_not_eshe_instructor_or_teaching_assistant
 perms[CAN_BETATEST] = HasAccessRule('instructor')
 perms[ENROLLMENT_REPORT] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 perms[VIEW_COUPONS] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 perms[EXAM_RESULTS] = HasAccessRule('staff')
-perms[OVERRIDE_GRADES] = HasAccessRule('staff')
+perms[OVERRIDE_GRADES] = is_staff_but_not_teaching_assistant
 perms[SHOW_TASKS] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 perms[EMAIL] = HasAccessRule('staff')
 perms[RESCORE_EXAMS] = HasAccessRule('instructor')
diff --git a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
index 400e9b556283..67bffae5991c 100644
--- a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
+++ b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
@@ -30,6 +30,7 @@
 from lms.djangoapps.courseware.tabs import get_course_tab_list
 from lms.djangoapps.courseware.tests.factories import StudentModuleFactory
 from lms.djangoapps.courseware.tests.helpers import LoginEnrollmentTestCase
+from lms.djangoapps.discussion.django_comment_client.tests.factories import RoleFactory
 from lms.djangoapps.grades.config.waffle import WRITABLE_GRADEBOOK
 from lms.djangoapps.instructor.toggles import DATA_DOWNLOAD_V2
 from lms.djangoapps.instructor.views.gradebook_api import calculate_page_info
@@ -38,6 +39,7 @@
     ENABLE_PAGES_AND_RESOURCES_MICROFRONTEND,
     OVERRIDE_DISCUSSION_LEGACY_SETTINGS_FLAG
 )
+from openedx.core.djangoapps.django_comment_common.models import FORUM_ROLE_ADMINISTRATOR
 from openedx.core.djangoapps.site_configuration.models import SiteConfiguration
 
 
@@ -314,6 +316,103 @@ def test_membership_reason_field_visibility(self, enbale_reason_field):
         else:
             self.assertNotContains(response, reason_field)
 
+    @ddt.data('eshe_instructor', 'teaching_assistant')
+    def test_membership_tab_content(self, role):
+        """
+        Verify that eSHE Instructors and Teaching Assistants don't have access to membership tab and
+        work correctly with other roles.
+        """
+
+        membership_section = (
+            '<li class="nav-item">'
+            '<button type="button" class="btn-link membership" data-section="membership">'
+            'Membership'
+            '</button>'
+            '</li>'
+        )
+        batch_enrollment = (
+            '<fieldset class="batch-enrollment membership-section">'
+        )
+
+        user = UserFactory.create()
+        self.client.login(username=user.username, password=self.TEST_PASSWORD)
+
+        # eSHE Instructors / Teaching Assistants shouldn't have access to membership tab
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role=role,
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertNotContains(response, membership_section)
+
+        # However if combined with forum_admin, they should have access to this
+        # tab, but not to batch enrollment
+        forum_admin_role = RoleFactory(name=FORUM_ROLE_ADMINISTRATOR, course_id=self.course.id)
+        forum_admin_role.users.add(user)
+        response = self.client.get(self.url)
+        self.assertContains(response, membership_section)
+        self.assertNotContains(response, batch_enrollment)
+
+        # Combined with course staff, should have union of all three roles
+        # permissions sets
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role='staff',
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertContains(response, membership_section)
+        self.assertContains(response, batch_enrollment)
+
+    def test_student_admin_tab_content(self):
+        """
+        Verify that Teaching Assistants don't have access to the gradebook-related sections
+        of the student admin tab.
+        """
+
+        # Should be visible to Teaching Assistants
+        view_enrollment_status = '<div class="student-enrollment-status-container action-type-container">'
+        view_progress = '<div class="student-progress-container action-type-container">'
+
+        # Should not be visible to Teaching Assistants
+        view_gradebook = '<div class="action-type-container ">'
+        adjust_learner_grade = '<div class="student-grade-container action-type-container ">'
+        adjust_all_learners_grades = '<div class="course-specific-container action-type-container ">'
+
+        user = UserFactory.create()
+        self.client.login(username=user.username, password=self.TEST_PASSWORD)
+
+        # Teaching Assistants shouldn't have access to the gradebook-related sections
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role='teaching_assistant',
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertContains(response, view_enrollment_status)
+        self.assertContains(response, view_progress)
+        self.assertNotContains(response, view_gradebook)
+        self.assertNotContains(response, adjust_learner_grade)
+        self.assertNotContains(response, adjust_all_learners_grades)
+
+        # However if combined with instructor, they should have access to all sections
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role='instructor',
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertContains(response, view_enrollment_status)
+        self.assertContains(response, view_progress)
+        self.assertContains(response, view_gradebook)
+        self.assertContains(response, adjust_learner_grade)
+        self.assertContains(response, adjust_all_learners_grades)
+
     def test_student_admin_staff_instructor(self):
         """
         Verify that staff users are not able to see course-wide options, while still
diff --git a/lms/djangoapps/instructor/views/instructor_dashboard.py b/lms/djangoapps/instructor/views/instructor_dashboard.py
index a068ffdf1c9d..4e976b18932d 100644
--- a/lms/djangoapps/instructor/views/instructor_dashboard.py
+++ b/lms/djangoapps/instructor/views/instructor_dashboard.py
@@ -31,7 +31,10 @@
     CourseFinanceAdminRole,
     CourseInstructorRole,
     CourseSalesAdminRole,
-    CourseStaffRole
+    CourseStaffRole,
+    eSHEInstructorRole,
+    TeachingAssistantRole,
+    strict_role_checking,
 )
 from common.djangoapps.util.json_request import JsonResponse
 from lms.djangoapps.bulk_email.api import is_bulk_email_feature_enabled
@@ -122,6 +125,8 @@ def instructor_dashboard_2(request, course_id):  # lint-amnesty, pylint: disable
     access = {
         'admin': request.user.is_staff,
         'instructor': bool(has_access(request.user, 'instructor', course)),
+        'eshe_instructor': eSHEInstructorRole(course_key).has_user(request.user),
+        'teaching_assistant': TeachingAssistantRole(course_key).has_user(request.user),
         'finance_admin': CourseFinanceAdminRole(course_key).has_user(request.user),
         'sales_admin': CourseSalesAdminRole(course_key).has_user(request.user),
         'staff': bool(has_access(request.user, 'staff', course)),
@@ -129,6 +134,9 @@ def instructor_dashboard_2(request, course_id):  # lint-amnesty, pylint: disable
         'data_researcher': request.user.has_perm(permissions.CAN_RESEARCH, course_key),
     }
 
+    with strict_role_checking():
+        access['explicit_staff'] = bool(has_access(request.user, 'staff', course))
+
     if not request.user.has_perm(permissions.VIEW_DASHBOARD, course_key):
         raise Http404()
 
@@ -514,7 +522,19 @@ def _section_membership(course, access):
             'update_forum_role_membership',
             kwargs={'course_id': str(course_key)}
         ),
-        'is_reason_field_enabled': configuration_helpers.get_value('ENABLE_MANUAL_ENROLLMENT_REASON_FIELD', False)
+        'is_reason_field_enabled': configuration_helpers.get_value('ENABLE_MANUAL_ENROLLMENT_REASON_FIELD', False),
+
+        # Membership section should be hidden for eSHE instructors.
+        # Since they get Course Staff role implicitly, we need to hide this
+        # section if the user doesn't have the Course Staff role set explicitly
+        # or have the Discussion Admin role.
+        'is_hidden': (
+            not access['forum_admin']
+            and (
+                (access['eshe_instructor'] or access['teaching_assistant'])
+                and not access['explicit_staff']
+            )
+        ),
     }
     return section_data
 
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 629021d67ff2..f226330aa541 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1096,6 +1096,26 @@
     # .. toggle_target_removal_date: None
     # .. toggle_tickets: 'https://github.com/openedx/edx-platform/pull/30832'
     'ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID': False,
+
+    # .. toggle_name: FEATURES['ENABLE_ESHE_INSTRUCTOR_ROLE']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the ESHE Instructor role
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2023-07-31
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/open-craft/edx-platform/pull/561/files'
+    'ENABLE_ESHE_INSTRUCTOR_ROLE': False,
+
+    # .. toggle_name: FEATURES['ENABLE_TEACHING_ASSISTANT_ROLE']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the Teaching Assistant role
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2024-02-12
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/open-craft/edx-platform/pull/632/files'
+    'ENABLE_TEACHING_ASSISTANT_ROLE': False,
 }
 
 # Specifies extra XBlock fields that should available when requested via the Course Blocks API
diff --git a/lms/static/js/fixtures/instructor_dashboard/membership.html b/lms/static/js/fixtures/instructor_dashboard/membership.html
index 85ab52c9665e..383552f7d83f 100644
--- a/lms/static/js/fixtures/instructor_dashboard/membership.html
+++ b/lms/static/js/fixtures/instructor_dashboard/membership.html
@@ -11,6 +11,8 @@ <h3 class="hd hd-3">Course Team Management</h3>
         <select id="member-lists-selector" class="member-lists-selector">
           <option value="staff">Staff</option>
           <option value="limited_staff">Limited Staff</option>
+          <option value="eshe_instructor">eSHE Instructor</option>
+          <option value="teaching_assistant">Teaching Assistant</option>
           <option value="instructor">Admin</option>
           <option value="beta">Beta Testers</option>
           <option value="Administrator">Discussion Admins</option>
diff --git a/lms/templates/instructor/instructor_dashboard_2/membership.html b/lms/templates/instructor/instructor_dashboard_2/membership.html
index 9b1f64dfb9d1..e6d6cf48eea7 100644
--- a/lms/templates/instructor/instructor_dashboard_2/membership.html
+++ b/lms/templates/instructor/instructor_dashboard_2/membership.html
@@ -5,6 +5,13 @@
 from django.utils.translation import pgettext
 from openedx.core.djangolib.markup import HTML, Text
 %>
+
+<%
+  eshe_instructor_or_teaching_assistant_access = section_data['access']['eshe_instructor'] or section_data['access']['teaching_assistant']
+  membership_section_visible = not eshe_instructor_or_teaching_assistant_access or section_data['access']['explicit_staff']
+%>
+
+% if membership_section_visible:
 <fieldset class="batch-enrollment membership-section">
     <legend id="heading-batch-enrollment" class="hd hd-3">${_("Batch Enrollment")}</legend>
     <label>
@@ -92,6 +99,8 @@ <h3 class="hd hd-3">${_("Register/Enroll Students")}</h3>
 </div>
 %endif
 
+%endif
+
 <hr class="divider" />
 
 %if section_data['access']['instructor']:
@@ -193,6 +202,34 @@ <h3 class="hd hd-3">${_("Course Team Management")}</h3>
       data-add-button-label="${_("Add Limited Staff")}"
     ></div>
 
+    %if settings.FEATURES.get('ENABLE_ESHE_INSTRUCTOR_ROLE', None):
+    <div class="auth-list-container"
+      data-rolename="eshe_instructor"
+      data-display-name="${_("eSHE Instructor")}"
+      data-info-text="
+        ${_("Course team members with the eSHE Instructor role help you manage your course. "
+        "eSHE Instructor permissions are similar to Staff, but they can't assign course team roles and "
+        "can't enroll and unenroll learners")}"
+      data-list-endpoint="${ section_data['list_course_role_members_url'] }"
+      data-modify-endpoint="${ section_data['modify_access_url'] }"
+      data-add-button-label="${_("Add eSHE Instructor")}"
+    ></div>
+    %endif
+
+    %if settings.FEATURES.get('ENABLE_TEACHING_ASSISTANT_ROLE', None):
+    <div class="auth-list-container"
+      data-rolename="teaching_assistant"
+      data-display-name="${_("Teaching Assistant")}"
+      data-info-text="
+        ${_("Course team members with the Teaching Assistant role help you manage your course. "
+        "Teaching Assistant permissions are similar to Staff, but they can't assign course team roles, "
+        "enroll and unenroll learners and view or override grades")}"
+      data-list-endpoint="${ section_data['list_course_role_members_url'] }"
+      data-modify-endpoint="${ section_data['modify_access_url'] }"
+      data-add-button-label="${_("Add Teaching Assistant")}"
+    ></div>
+    %endif%
+
     ## Note that "Admin" is identified as "Instructor" in the Django admin panel.
     <div class="auth-list-container"
       data-rolename="instructor"
diff --git a/lms/templates/instructor/instructor_dashboard_2/student_admin.html b/lms/templates/instructor/instructor_dashboard_2/student_admin.html
index 668488bbf768..a699c13967c9 100644
--- a/lms/templates/instructor/instructor_dashboard_2/student_admin.html
+++ b/lms/templates/instructor/instructor_dashboard_2/student_admin.html
@@ -1,7 +1,13 @@
 <%page args="section_data" expression_filter="h"/>
 <%! from django.utils.translation import gettext as _ %>
+
+<%
+  teaching_assistant_access = section_data['access']['teaching_assistant']
+  gradebook_related_sections_hidden = teaching_assistant_access and not section_data['access']['explicit_staff']
+%>
+
 %if section_data['access']['staff'] or section_data['access']['instructor']:
-<div class="action-type-container">
+<div class="action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     %if section_data.get('writable_gradebook_url') or section_data.get('is_small_course'):
         <br><br>
         <h4 class="hd hd-4">${_("View gradebook for enrolled learners")}</h4>
@@ -59,7 +65,7 @@ <h4 class="hd hd-4">${_("View a specific learner's grades and progress")}</h4>
   <hr>
 </div>
 
-<div class="student-grade-container action-type-container">
+<div class="student-grade-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Adjust a learner's grade for a specific problem")}</h4>
     <div class="request-response-error"></div>
     <label for="student-select-grade">
@@ -132,7 +138,7 @@ <h5 class="hd hd-5">${_("Task Status")}</h5>
 </div>
 
 % if course.entrance_exam_enabled:
-<div class="entrance-exam-grade-container action-type-container">
+<div class="entrance-exam-grade-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Adjust a learner's entrance exam results")}</h4>
     <div class="request-response-error"></div>
 
@@ -194,7 +200,7 @@ <h5 class="hd hd-5">${_("Task Status")}</h5>
 
 %if section_data['access']['instructor']:
 %if settings.FEATURES.get('ENABLE_INSTRUCTOR_BACKGROUND_TASKS'):
-<div class="course-specific-container action-type-container">
+<div class="course-specific-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Adjust all enrolled learners' grades for a specific problem")}</h4>
     <div class="request-response-error"></div>
 
@@ -232,7 +238,7 @@ <h5 class="hd hd-5">${_("Task Status")}</h5>
 %endif
 
 %if settings.FEATURES.get('ENABLE_INSTRUCTOR_BACKGROUND_TASKS'):
-<div class="running-tasks-container action-type-container">
+<div class="running-tasks-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Pending Tasks")}</h4>
     <div class="running-tasks-section">
         <label>${_("The status for any active tasks appears in a table below.")}</label>

From 49367fd9dcce276414a10e2d43715842400f6bf2 Mon Sep 17 00:00:00 2001
From: Navin Karkera <navin@opencraft.com>
Date: Tue, 9 Apr 2024 13:16:38 +0530
Subject: [PATCH 04/24] feat: use profile name in navbar if available

Makes use of name field from user profile field if it is not empty

(cherry picked from commit ff326d95c177cdbd9707adf6e3cfe7e9a89f60c2)
---
 lms/templates/header/user_dropdown.html | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lms/templates/header/user_dropdown.html b/lms/templates/header/user_dropdown.html
index 2e7e168a6937..b4aeafb80c07 100644
--- a/lms/templates/header/user_dropdown.html
+++ b/lms/templates/header/user_dropdown.html
@@ -19,7 +19,9 @@
 self.real_user = getattr(user, 'real_user', user)
 profile_image_url = get_profile_image_urls_for_user(self.real_user)['medium']
 username = self.real_user.username
-displayname = get_enterprise_learner_generic_name(request) or username
+profile = getattr(self.real_user, 'profile', None)
+name = getattr(profile, 'name', username)
+displayname = get_enterprise_learner_generic_name(request) or name
 enterprise_customer_portal = get_enterprise_learner_portal(request)
 ## Enterprises with the learner portal enabled should not show order history, as it does
 ## not apply to the learner's method of purchasing content.

From bb9c2bcc0e2452a9a11fe81ae812c81e8c22cdc2 Mon Sep 17 00:00:00 2001
From: Paulo Viadanna <paulo@opencraft.com>
Date: Tue, 9 Apr 2024 16:27:48 -0300
Subject: [PATCH 05/24] feat: DEFAULT_COURSE_INVITATION_ONLY allow for
 invitation_only new courses by default

(cherry picked from commit ffe3ff4ba098c748c8fb5f56042cd4873d6b024b)
---
 cms/djangoapps/contentstore/tests/test_contentstore.py | 10 ++++++++++
 cms/djangoapps/contentstore/views/course.py            |  3 ++-
 cms/envs/common.py                                     |  4 ++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/cms/djangoapps/contentstore/tests/test_contentstore.py b/cms/djangoapps/contentstore/tests/test_contentstore.py
index 39e826b3e4f3..697645fd825e 100644
--- a/cms/djangoapps/contentstore/tests/test_contentstore.py
+++ b/cms/djangoapps/contentstore/tests/test_contentstore.py
@@ -1372,6 +1372,16 @@ def test_create_course_with_unicode_in_id_disabled(self):
             self.course_data['run'] = '����������'
             self.assert_create_course_failed(error_message)
 
+    @override_settings(DEFAULT_COURSE_INVITATION_ONLY=True)
+    def test_create_course_invitation_only(self):
+        """
+        Test new course creation with setting: DEFAULT_COURSE_INVITATION_ONLY=True.
+        """
+        test_course_data = self.assert_created_course()
+        course_id = _get_course_id(self.store, test_course_data)
+        course = self.store.get_course(course_id)
+        self.assertEqual(course.invitation_only, True)
+
     def assert_course_permission_denied(self):
         """
         Checks that the course did not get created due to a PermissionError.
diff --git a/cms/djangoapps/contentstore/views/course.py b/cms/djangoapps/contentstore/views/course.py
index dce82809dfad..0cda97012c94 100644
--- a/cms/djangoapps/contentstore/views/course.py
+++ b/cms/djangoapps/contentstore/views/course.py
@@ -990,8 +990,9 @@ def create_new_course_in_store(store, user, org, number, run, fields):
 
     # Set default language from settings and enable web certs
     fields.update({
-        'language': getattr(settings, 'DEFAULT_COURSE_LANGUAGE', 'en'),
         'cert_html_view_enabled': True,
+        'invitation_only': getattr(settings, 'DEFAULT_COURSE_INVITATION_ONLY', False),
+        'language': getattr(settings, 'DEFAULT_COURSE_LANGUAGE', 'en'),
     })
 
     with modulestore().default_store(store):
diff --git a/cms/envs/common.py b/cms/envs/common.py
index 26d219a368df..1eb21cd502c5 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -3014,3 +3014,7 @@ def _should_send_learning_badge_events(settings):
 # See https://www.meilisearch.com/docs/learn/security/tenant_tokens
 MEILISEARCH_INDEX_PREFIX = ""
 MEILISEARCH_API_KEY = "devkey"
+
+############## Default value for invitation_only when creating courses ##############
+
+DEFAULT_COURSE_INVITATION_ONLY = False

From ec0919b576d868436baa48aec106bd68f79ad4cb Mon Sep 17 00:00:00 2001
From: Daniel Valenzuela <daniel.valenzuela@opencraft.com>
Date: Wed, 13 Mar 2024 21:33:03 -0300
Subject: [PATCH 06/24] feat: warn when relative dates are past due and can't
 be shifted

(cherry picked from commit b98cbd4c2cddec4e5daf9defa74d96c2d4accc99)
---
 lms/templates/problem.html                       | 16 +++++++++-------
 lms/templates/vert_module.html                   |  2 +-
 openedx/features/course_experience/utils.py      | 10 ++++++++--
 .../call_to_action.py                            | 16 ++++++++++++----
 4 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/lms/templates/problem.html b/lms/templates/problem.html
index b785e4aa685d..e239c32cd2e3 100644
--- a/lms/templates/problem.html
+++ b/lms/templates/problem.html
@@ -68,7 +68,8 @@ <h3 class="hd hd-3 problem-header" id="${ short_id }-problem-title" aria-describ
           </span>
           <span class="sr">(${submit_disabled_cta['description']})</span>
         % else:
-            <form class="submit-cta" method="post" action="${submit_disabled_cta['link']}">
+          <form class="submit-cta" method="post" action="${submit_disabled_cta.get('link')}">
+            % if submit_disabled_cta.get('link'):
               <input type="hidden" id="csrf_token" name="csrfmiddlewaretoken" value="${csrf_token}">
               % for form_name, form_value in submit_disabled_cta['form_values'].items():
                   <input type="hidden" name="${form_name}" value="${form_value}">
@@ -76,13 +77,14 @@ <h3 class="hd hd-3 problem-header" id="${ short_id }-problem-title" aria-describ
               <button class="submit-cta-link-button btn-link btn-small">
                 ${submit_disabled_cta['link_name']}
               </button>
-              <span class="submit-cta-description" tabindex="0" role="note" aria-label="description">
-                <span data-tooltip="${submit_disabled_cta['description']}" data-tooltip-show-on-click="true"
-                  class="fa fa-info-circle fa-lg" aria-hidden="true">
-                </span>
+            % endif
+            <span class="submit-cta-description" tabindex="0" role="note" aria-label="description">
+              <span data-tooltip="${submit_disabled_cta['description']}" data-tooltip-show-on-click="true"
+                class="fa fa-info-circle fa-lg" aria-hidden="true">
               </span>
-              <span class="sr">(${submit_disabled_cta['description']})</span>
-            </form>
+            </span>
+            <span class="sr">(${submit_disabled_cta['description']})</span>
+          </form>
         % endif
       % endif
       <div class="submission-feedback ${'cta-enabled' if submit_disabled_cta else ''}" id="submission_feedback_${short_id}">
diff --git a/lms/templates/vert_module.html b/lms/templates/vert_module.html
index 0e52e3c7f426..7df5b8b5b46e 100644
--- a/lms/templates/vert_module.html
+++ b/lms/templates/vert_module.html
@@ -44,7 +44,7 @@ <h2 class="hd hd-2 unit-title">${unit_title}</h2>
         <div class="banner-cta-button">
             <button class="btn btn-outline-primary" onclick="emit_event(${vertical_banner_cta['event_data']})">${vertical_banner_cta['link_name']}</button>
         </div>
-      % else:
+      % elif vertical_banner_cta.get('link'):
         <div class="banner-cta-button">
           <form method="post" action="${vertical_banner_cta['link']}">
             <input type="hidden" id="csrf_token" name="csrfmiddlewaretoken" value="${csrf_token}">
diff --git a/openedx/features/course_experience/utils.py b/openedx/features/course_experience/utils.py
index 4675d0a974e0..769bb8bad082 100644
--- a/openedx/features/course_experience/utils.py
+++ b/openedx/features/course_experience/utils.py
@@ -141,13 +141,19 @@ def get_start_block(block):
     return get_start_block(first_child)
 
 
-def dates_banner_should_display(course_key, user):
+def dates_banner_should_display(course_key, user, allow_warning=False):
     """
     Return whether or not the reset banner should display,
     determined by whether or not a course has any past-due,
     incomplete sequentials and which enrollment mode is being
     dealt with for the current user and course.
 
+    Args:
+        course_key (CourseKey)
+        user (User)
+        allow_warning (bool): whether to ignore relative_dates_disable_reset_flag, in order to render
+            warnings for past-due incomplete units.
+
     Returns:
         (missed_deadlines, missed_gated_content):
             missed_deadlines is True if the user has missed any graded content deadlines
@@ -156,7 +162,7 @@ def dates_banner_should_display(course_key, user):
     if not RELATIVE_DATES_FLAG.is_enabled(course_key):
         return False, False
 
-    if RELATIVE_DATES_DISABLE_RESET_FLAG.is_enabled(course_key):
+    if RELATIVE_DATES_DISABLE_RESET_FLAG.is_enabled(course_key) and not allow_warning:
         # The `missed_deadlines` value is ignored by `reset_course_deadlines` views. Instead, they check the value of
         # `missed_gated_content` to determine if learners can reset the deadlines by themselves.
         # We could have added this logic directly to `reset_self_paced_schedule`, but this function is used in other
diff --git a/openedx/features/personalized_learner_schedules/call_to_action.py b/openedx/features/personalized_learner_schedules/call_to_action.py
index 530b4838c0f7..634c425b38bd 100644
--- a/openedx/features/personalized_learner_schedules/call_to_action.py
+++ b/openedx/features/personalized_learner_schedules/call_to_action.py
@@ -13,6 +13,7 @@
 from xmodule.util.misc import is_xblock_an_assignment
 from openedx.core.djangolib.markup import HTML, Text
 from openedx.core.lib.mobile_utils import is_request_from_mobile_app
+from openedx.features.course_experience import RELATIVE_DATES_DISABLE_RESET_FLAG
 from openedx.features.course_experience.url_helpers import is_request_from_learning_mfe
 from openedx.features.course_experience.utils import dates_banner_should_display
 
@@ -37,7 +38,10 @@ def get_ctas(self, xblock, category, completed):
         request = get_current_request()
 
         course_key = xblock.scope_ids.usage_id.context_key
-        missed_deadlines, missed_gated_content = dates_banner_should_display(course_key, request.user)
+        missed_deadlines, missed_gated_content = dates_banner_should_display(
+            course_key, request.user, allow_warning=True
+        )
+
         # Not showing in the missed_gated_content case because those learners are not eligible
         # to shift due dates.
         if missed_gated_content:
@@ -52,13 +56,13 @@ def get_ctas(self, xblock, category, completed):
             # xblock is a capa problem, and the submit button is disabled. Check if it's because of a personalized
             # schedule due date being missed, and if so, we can offer to shift it.
             if self._is_block_shiftable(xblock, category):
-                ctas.append(self._make_reset_deadlines_cta(xblock, category, is_learning_mfe))
+                ctas.append(self._make_deadlines_cta(course_key, xblock, category, is_learning_mfe))
 
         elif category == self.VERTICAL_BANNER and not completed and missed_deadlines:
             # xblock is a vertical, so we'll check all the problems inside it. If there are any that will show a
             # a "shift dates" CTA under CAPA_SUBMIT_DISABLED, then we'll also show the same CTA as a vertical banner.
             if any(self._is_block_shiftable(item, category) for item in xblock.get_children()):
-                ctas.append(self._make_reset_deadlines_cta(xblock, category, is_learning_mfe))
+                ctas.append(self._make_deadlines_cta(course_key, xblock, category, is_learning_mfe))
 
         return ctas
 
@@ -107,11 +111,15 @@ def _log_past_due_warning(name):
         PersonalizedLearnerScheduleCallToAction.past_due_class_warnings.add(name)
 
     @classmethod
-    def _make_reset_deadlines_cta(cls, xblock, category, is_learning_mfe=False):
+    def _make_deadlines_cta(cls, course_key, xblock, category, is_learning_mfe=False):
         """
         Constructs a call to action object containing the necessary information for the view
         """
         from lms.urls import RESET_COURSE_DEADLINES_NAME
+
+        if RELATIVE_DATES_DISABLE_RESET_FLAG.is_enabled(course_key):
+            return {"description": _("The deadline to complete this assignment has passed.")}
+
         course_key = xblock.scope_ids.usage_id.context_key
 
         cta_data = {

From b159adfa386bb70943fda0abb5b2125b34008dc4 Mon Sep 17 00:00:00 2001
From: Maxim Beder <maxim@opencraft.com>
Date: Mon, 15 Apr 2024 21:56:07 +0200
Subject: [PATCH 07/24] feat: add a feature flag to disable dates tab for all
 courses

(cherry picked from commit 88bb2a4cabd4c5d49efcb9e44097a765e1fe433d)
---
 lms/djangoapps/courseware/tabs.py            |  6 ++++++
 lms/djangoapps/courseware/tests/test_tabs.py | 13 +++++++++++++
 lms/envs/common.py                           |  9 +++++++++
 3 files changed, 28 insertions(+)

diff --git a/lms/djangoapps/courseware/tabs.py b/lms/djangoapps/courseware/tabs.py
index 2a67b6454e42..de38871832c1 100644
--- a/lms/djangoapps/courseware/tabs.py
+++ b/lms/djangoapps/courseware/tabs.py
@@ -315,6 +315,12 @@ def link_func(course, _reverse_func):
         tab_dict['link_func'] = link_func
         super().__init__(tab_dict)
 
+    @classmethod
+    def is_enabled(cls, course, user=None):
+        if settings.FEATURES.get('DISABLE_DATES_TAB'):
+            return False
+        return super().is_enabled(course, user)
+
 
 def get_course_tab_list(user, course):
     """
diff --git a/lms/djangoapps/courseware/tests/test_tabs.py b/lms/djangoapps/courseware/tests/test_tabs.py
index 6ad7ef73de01..e882efd3cbbf 100644
--- a/lms/djangoapps/courseware/tests/test_tabs.py
+++ b/lms/djangoapps/courseware/tests/test_tabs.py
@@ -885,3 +885,16 @@ def test_singular_dates_tab(self):
             if tab.type == 'dates':
                 num_dates_tabs += 1
         assert num_dates_tabs == 1
+
+    def test_dates_tab_is_enabled_by_default(self):
+        """Test dates tab is enabled by default."""
+        tab = DatesTab({'type': DatesTab.type, 'name': 'dates'})
+        user = self.create_mock_user()
+        assert self.is_tab_enabled(tab, self.course, user)
+
+    @patch.dict("django.conf.settings.FEATURES", {"DISABLE_DATES_TAB": True})
+    def test_dates_tab_disabled_by_feature_flag(self):
+        """Test dates tab is disabled by the feature flag."""
+        tab = DatesTab({'type': DatesTab.type, 'name': 'dates'})
+        user = self.create_mock_user()
+        assert not self.is_tab_enabled(tab, self.course, user)
diff --git a/lms/envs/common.py b/lms/envs/common.py
index f226330aa541..1208a9199ddf 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1116,6 +1116,15 @@
     # .. toggle_target_removal_date: None
     # .. toggle_tickets: 'https://github.com/open-craft/edx-platform/pull/632/files'
     'ENABLE_TEACHING_ASSISTANT_ROLE': False,
+
+    # .. toggle_name: FEATURES['DISABLE_DATES_TAB']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Disables dates tab for all courses.
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2024-04-15
+    # .. toggle_tickets: https://github.com/openedx/edx-platform/pull/34511
+    'DISABLE_DATES_TAB': False,
 }
 
 # Specifies extra XBlock fields that should available when requested via the Course Blocks API

From 622d891a5b036f416c270e1a1665991f1357cc87 Mon Sep 17 00:00:00 2001
From: Moncef Abboud <moncef.abboud95@gmail.com>
Date: Tue, 16 Apr 2024 17:04:12 +0200
Subject: [PATCH 08/24] feat: tpa automatic logout with a single redirect

(cherry picked from commit e8c942c77d46a5e5c4b7afc5904c130897cdffe2)
---
 .../core/djangoapps/user_authn/views/logout.py  | 17 ++++++-----------
 .../user_authn/views/tests/test_logout.py       |  6 ++++--
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/openedx/core/djangoapps/user_authn/views/logout.py b/openedx/core/djangoapps/user_authn/views/logout.py
index 13301f5e3bb1..0e67857d91f1 100644
--- a/openedx/core/djangoapps/user_authn/views/logout.py
+++ b/openedx/core/djangoapps/user_authn/views/logout.py
@@ -8,7 +8,6 @@
 import bleach
 from django.conf import settings
 from django.contrib.auth import logout
-from django.shortcuts import redirect
 from django.utils.http import urlencode
 from django.views.generic import TemplateView
 from oauth2_provider.models import Application
@@ -47,7 +46,13 @@ def target(self):
         If a redirect_url is specified in the querystring for this request, and the value is a safe
         url for redirect, the view will redirect to this page after rendering the template.
         If it is not specified, we will use the default target url.
+        Redirect to tpa_logout_url if TPA_AUTOMATIC_LOGOUT_ENABLED is set to True and if
+        tpa_logout_url is configured.
         """
+
+        if getattr(settings, 'TPA_AUTOMATIC_LOGOUT_ENABLED', False) and self.tpa_logout_url:
+            return self.tpa_logout_url
+
         target_url = self.request.GET.get('redirect_url') or self.request.GET.get('next')
 
         #  Some third party apps do not build URLs correctly and send next query param without URL-encoding, resulting
@@ -85,16 +90,6 @@ def dispatch(self, request, *args, **kwargs):
 
         mark_user_change_as_expected(None)
 
-        # Redirect to tpa_logout_url if TPA_AUTOMATIC_LOGOUT_ENABLED is set to True and if
-        # tpa_logout_url is configured.
-        #
-        # NOTE: This step skips rendering logout.html, which is used to log the user out from the
-        # different IDAs. To ensure the user is logged out of all the IDAs be sure to redirect
-        # back to <LMS>/logout after logging out of the TPA.
-        if getattr(settings, 'TPA_AUTOMATIC_LOGOUT_ENABLED', False):
-            if self.tpa_logout_url:
-                return redirect(self.tpa_logout_url)
-
         return response
 
     def _build_logout_url(self, url):
diff --git a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
index 7d10fe1021ef..5de084d108e6 100644
--- a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
@@ -211,8 +211,10 @@ def test_automatic_tpa_logout_url_redirect(self):
             mock_idp_logout_url.return_value = idp_logout_url
             self._authenticate_with_oauth(client)
             response = self.client.get(reverse('logout'))
-            assert response.status_code == 302
-            assert response.url == idp_logout_url
+            expected = {
+                'target': idp_logout_url,
+            }
+            self.assertDictContainsSubset(expected, response.context_data)
 
     @mock.patch('django.conf.settings.TPA_AUTOMATIC_LOGOUT_ENABLED', True)
     def test_no_automatic_tpa_logout_without_logout_url(self):

From 7fcd1988c5e51b3449c83f9047ed6c91ea576ee4 Mon Sep 17 00:00:00 2001
From: Fox Danger Piacenti <fox@opencraft.com>
Date: Wed, 6 Sep 2023 13:14:48 -0500
Subject: [PATCH 09/24] feat: Allow trusted apps to perform cookie login.

---
 .../djangoapps/auth_exchange/tests/test_views.py | 12 ++++++++++--
 openedx/core/djangoapps/auth_exchange/views.py   | 16 +++++++++++-----
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/openedx/core/djangoapps/auth_exchange/tests/test_views.py b/openedx/core/djangoapps/auth_exchange/tests/test_views.py
index 9d8f21e6eed5..0ab08ffe37d8 100644
--- a/openedx/core/djangoapps/auth_exchange/tests/test_views.py
+++ b/openedx/core/djangoapps/auth_exchange/tests/test_views.py
@@ -168,11 +168,15 @@ def _verify_response(self, access_token, expected_status_code, token_type='Beare
         if expected_cookie_name:
             assert expected_cookie_name in response.cookies
 
-    def _create_dot_access_token(self, grant_type='Client credentials'):
+    def _create_dot_access_token(self, grant_type='Client credentials', skip_authorization=False):
         """
         Create dot based access token
         """
-        dot_application = dot_factories.ApplicationFactory(user=self.user, authorization_grant_type=grant_type)
+        dot_application = dot_factories.ApplicationFactory(
+            user=self.user,
+            authorization_grant_type=grant_type,
+            skip_authorization=skip_authorization,
+        )
         return dot_factories.AccessTokenFactory(user=self.user, application=dot_application)
 
     def test_failure_with_invalid_token(self):
@@ -189,6 +193,10 @@ def test_failure_with_dot_client_credentials_unsupported(self):
         access_token = self._create_dot_access_token()
         self._verify_response(access_token, expected_status_code=401)
 
+    def test_dot_client_credentials_supported_if_authorization_skipped(self):
+        access_token = self._create_dot_access_token(skip_authorization=True)
+        self._verify_response(access_token, expected_status_code=204, expected_cookie_name='sessionid')
+
     def _create_jwt_token(self, grant_type='password', scope='email profile', use_asymmetric_key=True):
         """
         Create jwt token
diff --git a/openedx/core/djangoapps/auth_exchange/views.py b/openedx/core/djangoapps/auth_exchange/views.py
index e4b302595277..60470aeba520 100644
--- a/openedx/core/djangoapps/auth_exchange/views.py
+++ b/openedx/core/djangoapps/auth_exchange/views.py
@@ -132,9 +132,10 @@ def _get_path_of_arbitrary_backend_for_user(user):
                 return backend_path
 
     @staticmethod
-    def _ensure_access_token_has_password_grant(request):
+    def _ensure_access_token_has_password_grant_or_privileged_application(request):
         """
-        Ensures the access token provided has password type grant.
+        Ensures the access token provided has password type grant, or if 'skip_authorization'
+        has been enabled, implying this is a trusted application.
         """
         if is_jwt_authenticated(request):
             jwt_payload = get_decoded_jwt_from_auth(request)
@@ -143,12 +144,17 @@ def _ensure_access_token_has_password_grant(request):
         else:
             token_query = dot_models.AccessToken.objects.select_related('user')
             dot_token = token_query.filter(token=request.auth).first()
-            if dot_token and dot_token.application.authorization_grant_type == dot_models.Application.GRANT_PASSWORD:
+            if dot_token and (
+                dot_token.application.authorization_grant_type == dot_models.Application.GRANT_PASSWORD
+                or dot_token.application.skip_authorization
+            ):
                 return
 
         raise AuthenticationFailed({
             'error_code': 'non_supported_token',
-            'developer_message': 'Only access tokens with grant type password are supported.'
+            'developer_message': 'Only Django Oauth Toolkit access tokens for applications which '
+                                 'are trusted (with "skip_authentication" set to True, or with grant type '
+                                 'password) are supported.'
         })
 
     @staticmethod
@@ -194,7 +200,7 @@ def post(self, request):
             request.user.backend = self._get_path_of_arbitrary_backend_for_user(request.user)
 
         self._ensure_user_is_not_disabled(request)
-        self._ensure_access_token_has_password_grant(request)
+        self._ensure_access_token_has_password_grant_or_privileged_application(request)
         self._ensure_jwt_is_asymmetric(request)
 
         login(request, request.user)  # login generates and stores the user's cookies in the session

From b801f99876ae53abb6fcf0d2dc04c93a76182a66 Mon Sep 17 00:00:00 2001
From: Arunmozhi <tecoholic@users.noreply.github.com>
Date: Wed, 14 Aug 2024 07:19:29 +1000
Subject: [PATCH 10/24] fix: prevent redirects to /undefined after saml auth

When a user authenticates using SAML, but their accounts aren't linked,
they land on the login page with the message to link their accounts. If the
`OC_REDIRECT_ON_TPA_UNLINKED_ACCOUNT` value is not set, they are redirected to
`/undefined`. This commit checks that the `redirectURL` is a valid non-empty
string before performing the redirect.

The bug was introduced in 91f8d36, so this can be safely dropped once that
temporary commit is removed from our branches. For Redwood, the relevant
commit hash is 64f5deab99.

Internal-ref: https://tasks.opencraft.com/browse/BB-9010
(cherry picked from commit 9ade4eac447f5b90d271b26cfee1c852c2e3c559)
---
 lms/static/js/student_account/views/LoginView.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lms/static/js/student_account/views/LoginView.js b/lms/static/js/student_account/views/LoginView.js
index 9b7ce2e19908..0bf8fa854903 100644
--- a/lms/static/js/student_account/views/LoginView.js
+++ b/lms/static/js/student_account/views/LoginView.js
@@ -268,7 +268,9 @@
                         this.clearFormErrors();
                         this.renderThirdPartyAuthWarning();
                     }
-                    window.location.href = redirectURL;
+                    if (typeof redirectURL === "string" && redirectURL.length) {
+                        window.location.href = redirectURL;
+                    }
                 } else {
                     this.renderErrors(this.defaultFormErrorsTitle, this.errors);
                 }

From 2337aa9af17beb9172b4eec93922a1d2eaf23c33 Mon Sep 17 00:00:00 2001
From: cef <moncef.abboud95@gmail.com>
Date: Mon, 26 Aug 2024 12:03:29 -0500
Subject: [PATCH 11/24] feat: set links for CourseAuthoring dicussion alert

---
 .../rest_api/v1/views/tests/test_course_index.py          | 8 ++++----
 cms/envs/common.py                                        | 5 +++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_course_index.py b/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_course_index.py
index eafc2b37aa0c..4ac97b8e943d 100644
--- a/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_course_index.py
+++ b/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_course_index.py
@@ -61,8 +61,8 @@ def test_course_index_response(self):
                 "blocks": [],
                 "advance_settings_url": f"/settings/advanced/{self.course.id}"
             },
-            "discussions_incontext_feedback_url": "",
-            "discussions_incontext_learnmore_url": "",
+            "discussions_incontext_feedback_url": "https://discuss.openedx.org/t/new-and-improved-discussions-forum/9183",  # lint-amnesty, pylint: disable=line-too-long
+            "discussions_incontext_learnmore_url": "https://edx.readthedocs.io/projects/open-edx-building-and-running-a-course/en/open-release-redwood.master/manage_discussions/discussions.html",  # lint-amnesty, pylint: disable=line-too-long
             "is_custom_relative_dates_active": True,
             "initial_state": None,
             "initial_user_clipboard": {
@@ -102,8 +102,8 @@ def test_course_index_response_with_show_locators(self):
                 "blocks": [],
                 "advance_settings_url": f"/settings/advanced/{self.course.id}"
             },
-            "discussions_incontext_feedback_url": "",
-            "discussions_incontext_learnmore_url": "",
+            "discussions_incontext_feedback_url": "https://discuss.openedx.org/t/new-and-improved-discussions-forum/9183",  # lint-amnesty, pylint: disable=line-too-long
+            "discussions_incontext_learnmore_url": "https://edx.readthedocs.io/projects/open-edx-building-and-running-a-course/en/open-release-redwood.master/manage_discussions/discussions.html",  # lint-amnesty, pylint: disable=line-too-long
             "is_custom_relative_dates_active": False,
             "initial_state": {
                 "expanded_locators": [
diff --git a/cms/envs/common.py b/cms/envs/common.py
index 1eb21cd502c5..d4159ec98dde 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -2891,8 +2891,9 @@
 
 BRAZE_COURSE_ENROLLMENT_CANVAS_ID = ''
 
-DISCUSSIONS_INCONTEXT_FEEDBACK_URL = ''
-DISCUSSIONS_INCONTEXT_LEARNMORE_URL = ''
+# pylint: disable=line-too-long
+DISCUSSIONS_INCONTEXT_FEEDBACK_URL = "https://discuss.openedx.org/t/new-and-improved-discussions-forum/9183"
+DISCUSSIONS_INCONTEXT_LEARNMORE_URL = "https://edx.readthedocs.io/projects/open-edx-building-and-running-a-course/en/open-release-redwood.master/manage_discussions/discussions.html"
 
 #### django-simple-history##
 # disable indexing on date field its coming django-simple-history.

From a7da07156d99c0ca9c1718ba78d3586fa24de3ca Mon Sep 17 00:00:00 2001
From: Kaustav Banerjee <kaustav@opencraft.com>
Date: Sat, 31 Aug 2024 10:31:18 +0530
Subject: [PATCH 12/24] fix: hide new library button for ineligible users in
 split studio view (#675)

(cherry picked from commit 661ee89adfdf2077809c5b340913eaab7f15e670)
---
 cms/djangoapps/contentstore/utils.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cms/djangoapps/contentstore/utils.py b/cms/djangoapps/contentstore/utils.py
index 9bcd77c3eea9..7d9a66f1d1c7 100644
--- a/cms/djangoapps/contentstore/utils.py
+++ b/cms/djangoapps/contentstore/utils.py
@@ -1534,6 +1534,7 @@ def get_library_context(request, request_is_json=False):
     )
     from cms.djangoapps.contentstore.views.library import (
         LIBRARIES_ENABLED,
+        user_can_create_library,
     )
 
     libraries = _accessible_libraries_iter(request.user) if LIBRARIES_ENABLED else []
@@ -1547,7 +1548,7 @@ def get_library_context(request, request_is_json=False):
             'in_process_course_actions': [],
             'courses': [],
             'libraries_enabled': LIBRARIES_ENABLED,
-            'show_new_library_button': LIBRARIES_ENABLED and request.user.is_active,
+            'show_new_library_button': user_can_create_library(request.user) and request.user.is_active,
             'user': request.user,
             'request_course_creator_url': reverse('request_course_creator'),
             'course_creator_status': _get_course_creator_status(request.user),

From 10aec43a69c01a3ce5e952d3c20f19141ec568a4 Mon Sep 17 00:00:00 2001
From: Kaustav Banerjee <kaustav@opencraft.com>
Date: Mon, 2 Sep 2024 19:08:48 +0530
Subject: [PATCH 13/24] feat: in-context discussion for units can be disabled
 by default (#676)

---
 cms/envs/common.py        | 8 ++++++++
 xmodule/vertical_block.py | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/cms/envs/common.py b/cms/envs/common.py
index d4159ec98dde..ac29857ac5a8 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -592,6 +592,14 @@
     # .. toggle_creation_date: 2024-04-10
     'BADGES_ENABLED': False,
 
+    # .. toggle_name: FEATURES['IN_CONTEXT_DISCUSSION_ENABLED_DEFAULT']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: True
+    # .. toggle_description: Set to False to not enable in-context discussion for units by default.
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2024-09-02
+    'IN_CONTEXT_DISCUSSION_ENABLED_DEFAULT': True,
+
     # .. toggle_name: FEATURES['ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID']
     # .. toggle_implementation: DjangoSetting
     # .. toggle_default: False
diff --git a/xmodule/vertical_block.py b/xmodule/vertical_block.py
index 2a10ae44497f..b03aa5a42dfb 100644
--- a/xmodule/vertical_block.py
+++ b/xmodule/vertical_block.py
@@ -9,6 +9,7 @@
 from functools import reduce
 
 import pytz
+from django.conf import settings
 from lxml import etree
 from openedx_filters.learning.filters import VerticalBlockChildRenderStarted, VerticalBlockRenderCompleted
 from web_fragments.fragment import Fragment
@@ -43,7 +44,7 @@ class VerticalFields:
     discussion_enabled = Boolean(
         display_name=_("Enable in-context discussions for the Unit"),
         help=_("Add discussion for the Unit."),
-        default=True,
+        default=settings.FEATURES.get('IN_CONTEXT_DISCUSSION_ENABLED_DEFAULT', True),
         scope=Scope.settings,
     )
 

From 11ddc19e69adb8b41ede30175fa268660757b588 Mon Sep 17 00:00:00 2001
From: Paulo Viadanna <paulo@opencraft.com>
Date: Wed, 4 Sep 2024 16:39:40 -0300
Subject: [PATCH 14/24] fix: unhide discussion tab when enabling it (#677)

---
 openedx/core/djangoapps/discussions/serializers.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/openedx/core/djangoapps/discussions/serializers.py b/openedx/core/djangoapps/discussions/serializers.py
index 88648a499598..8eeb7e10278a 100644
--- a/openedx/core/djangoapps/discussions/serializers.py
+++ b/openedx/core/djangoapps/discussions/serializers.py
@@ -354,6 +354,12 @@ def _update_course_configuration(
                     key not in LegacySettingsSerializer.Meta.fields_cohorts
                 )
             }
+        # toogle discussion tab is_hidden
+        for tab in course.tabs:
+            if tab.tab_id == 'discussion' and tab.is_hidden != instance.enabled:
+                tab.is_hidden = not instance.enabled
+                save = True
+                break
         if save:
             modulestore().update_item(course, self.context['user_id'])
         return instance

From 80e27f6d2e915c033344d4d2d9e14614876a8769 Mon Sep 17 00:00:00 2001
From: Paulo Viadanna <paulo@opencraft.com>
Date: Wed, 4 Sep 2024 18:35:24 -0300
Subject: [PATCH 15/24] fix: unhide discussion tab when enabling it (#677)

---
 openedx/core/djangoapps/discussions/serializers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openedx/core/djangoapps/discussions/serializers.py b/openedx/core/djangoapps/discussions/serializers.py
index 8eeb7e10278a..6cc18605df9f 100644
--- a/openedx/core/djangoapps/discussions/serializers.py
+++ b/openedx/core/djangoapps/discussions/serializers.py
@@ -356,7 +356,7 @@ def _update_course_configuration(
             }
         # toogle discussion tab is_hidden
         for tab in course.tabs:
-            if tab.tab_id == 'discussion' and tab.is_hidden != instance.enabled:
+            if tab.tab_id == 'discussion' and tab.is_hidden == instance.enabled:
                 tab.is_hidden = not instance.enabled
                 save = True
                 break

From 50470c1e5804899742899cef49b70cddabdcb26a Mon Sep 17 00:00:00 2001
From: Demid <demid@opencraft.com>
Date: Tue, 10 Sep 2024 10:11:34 +0300
Subject: [PATCH 16/24] feat: add has_course_author_access to
 CourseHomeMetadataView response (#682)

Cherry-picked from https://github.com/openedx/edx-platform/pull/35313
---
 common/djangoapps/student/auth.py             | 14 ++++----
 .../course_metadata/serializers.py            |  1 +
 .../course_metadata/tests/test_views.py       | 36 ++++++++++++++++++-
 .../course_home_api/course_metadata/views.py  |  7 ++++
 4 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/common/djangoapps/student/auth.py b/common/djangoapps/student/auth.py
index d3dc51616c75..de9ccfc7bf2f 100644
--- a/common/djangoapps/student/auth.py
+++ b/common/djangoapps/student/auth.py
@@ -73,7 +73,7 @@ def user_has_role(user, role):
     return False
 
 
-def get_user_permissions(user, course_key, org=None):
+def get_user_permissions(user, course_key, org=None, service_variant=None):
     """
     Get the bitmask of permissions that this user has in the given course context.
     Can also set course_key=None and pass in an org to get the user's
@@ -103,7 +103,7 @@ def get_user_permissions(user, course_key, org=None):
     #  the LMS and Studio permissions will be separated as a part of this project. Once this is done (and this code is
     #  not removed during its implementation), we can replace the Limited Staff permissions with more granular ones.
     if course_key and user_has_role(user, CourseLimitedStaffRole(course_key)):
-        if settings.SERVICE_VARIANT == 'lms':
+        if (service_variant or settings.SERVICE_VARIANT) == 'lms':
             return STUDIO_EDIT_CONTENT
         else:
             return STUDIO_NO_PERMISSIONS
@@ -119,7 +119,7 @@ def get_user_permissions(user, course_key, org=None):
     return STUDIO_NO_PERMISSIONS
 
 
-def has_studio_write_access(user, course_key):
+def has_studio_write_access(user, course_key, service_variant=None):
     """
     Return True if user has studio write access to the given course.
     Note that the CMS permissions model is with respect to courses.
@@ -131,15 +131,17 @@ def has_studio_write_access(user, course_key):
 
     :param user:
     :param course_key: a CourseKey
+    :param service_variant: the variant of the service (lms or cms). Permissions may differ between the two,
+        see the comment in get_user_permissions for more details.
     """
-    return bool(STUDIO_EDIT_CONTENT & get_user_permissions(user, course_key))
+    return bool(STUDIO_EDIT_CONTENT & get_user_permissions(user, course_key, service_variant=service_variant))
 
 
-def has_course_author_access(user, course_key):
+def has_course_author_access(user, course_key, service_variant=None):
     """
     Old name for has_studio_write_access
     """
-    return has_studio_write_access(user, course_key)
+    return has_studio_write_access(user, course_key, service_variant)
 
 
 def has_studio_advanced_settings_access(user):
diff --git a/lms/djangoapps/course_home_api/course_metadata/serializers.py b/lms/djangoapps/course_home_api/course_metadata/serializers.py
index 7683a9089453..ccb22e86b9fa 100644
--- a/lms/djangoapps/course_home_api/course_metadata/serializers.py
+++ b/lms/djangoapps/course_home_api/course_metadata/serializers.py
@@ -58,3 +58,4 @@ class CourseHomeMetadataSerializer(VerifiedModeSerializer):
     can_view_certificate = serializers.BooleanField()
     course_modes = CourseModeSerrializer(many=True)
     is_new_discussion_sidebar_view_enabled = serializers.BooleanField()
+    has_course_author_access = serializers.BooleanField()
diff --git a/lms/djangoapps/course_home_api/course_metadata/tests/test_views.py b/lms/djangoapps/course_home_api/course_metadata/tests/test_views.py
index 4b3524eb1ee2..86aeee883a7c 100644
--- a/lms/djangoapps/course_home_api/course_metadata/tests/test_views.py
+++ b/lms/djangoapps/course_home_api/course_metadata/tests/test_views.py
@@ -12,7 +12,12 @@
 
 from common.djangoapps.course_modes.models import CourseMode
 from common.djangoapps.student.models import CourseEnrollment
-from common.djangoapps.student.roles import CourseInstructorRole
+from common.djangoapps.student.roles import (
+    CourseBetaTesterRole,
+    CourseInstructorRole,
+    CourseLimitedStaffRole,
+    CourseStaffRole
+)
 from common.djangoapps.student.tests.factories import UserFactory
 from lms.djangoapps.course_home_api.tests.utils import BaseCourseHomeTests
 from lms.djangoapps.courseware.toggles import (
@@ -248,3 +253,32 @@ def test_discussion_tab_visible(self, visible):
             assert 'discussion' in tab_ids
         else:
             assert 'discussion' not in tab_ids
+
+    @ddt.data(
+        {
+            'course_team_role': None,
+            'has_course_author_access': False
+        },
+        {
+            'course_team_role': CourseBetaTesterRole,
+            'has_course_author_access': False
+        },
+        {
+            'course_team_role': CourseStaffRole,
+            'has_course_author_access': True
+        },
+        {
+            'course_team_role': CourseLimitedStaffRole,
+            'has_course_author_access': False
+        },
+    )
+    @ddt.unpack
+    def test_has_course_author_access_for_staff_roles(self, course_team_role, has_course_author_access):
+        CourseEnrollment.enroll(self.user, self.course.id, CourseMode.VERIFIED)
+
+        if course_team_role:
+            course_team_role(self.course.id).add_users(self.user)
+
+        response = self.client.get(self.url)
+        assert response.status_code == 200
+        assert response.data['has_course_author_access'] == has_course_author_access
diff --git a/lms/djangoapps/course_home_api/course_metadata/views.py b/lms/djangoapps/course_home_api/course_metadata/views.py
index 248f90389d40..7ad2a2537000 100644
--- a/lms/djangoapps/course_home_api/course_metadata/views.py
+++ b/lms/djangoapps/course_home_api/course_metadata/views.py
@@ -16,6 +16,7 @@
 from openedx.core.djangoapps.courseware_api.utils import get_celebrations_dict
 
 from common.djangoapps.course_modes.models import CourseMode
+from common.djangoapps.student.auth import has_course_author_access
 from common.djangoapps.student.models import CourseEnrollment
 from lms.djangoapps.course_api.api import course_detail
 from lms.djangoapps.course_goals.models import UserActivity
@@ -139,6 +140,12 @@ def get(self, request, *args, **kwargs):
             'can_view_certificate': certificates_viewable_for_course(course),
             'course_modes': course_modes,
             'is_new_discussion_sidebar_view_enabled': new_discussion_sidebar_view_is_enabled(course_key),
+            # We check the course author access in the context of CMS here because this field is used
+            # to determine whether the user can access the course authoring tools in the CMS.
+            # This is a temporary solution until the course author role is split into "Course Author" and
+            # "Course Editor" as described in the permission matrix here:
+            # https://github.com/openedx/platform-roadmap/issues/246
+            'has_course_author_access': has_course_author_access(request.user, course_key, 'cms'),
         }
         context = self.get_serializer_context()
         context['course'] = course

From 87e95fa5e185b2443bde2caa83289c9eb0c7e4cb Mon Sep 17 00:00:00 2001
From: Demid <demid@opencraft.com>
Date: Thu, 12 Sep 2024 19:36:35 +0300
Subject: [PATCH 17/24] feat: add can_access_advanced_settings to studio home
 (#35426)

(cherry picked from commit 448edd7e5fd4fd24181eb86cf639f2fb2269fc33)
---
 cms/djangoapps/contentstore/rest_api/v1/serializers/home.py      | 1 +
 cms/djangoapps/contentstore/rest_api/v1/views/home.py            | 1 +
 cms/djangoapps/contentstore/rest_api/v1/views/tests/test_home.py | 1 +
 cms/djangoapps/contentstore/utils.py                             | 1 +
 4 files changed, 4 insertions(+)

diff --git a/cms/djangoapps/contentstore/rest_api/v1/serializers/home.py b/cms/djangoapps/contentstore/rest_api/v1/serializers/home.py
index 1afc51ed77af..0aa06d8b8dcc 100644
--- a/cms/djangoapps/contentstore/rest_api/v1/serializers/home.py
+++ b/cms/djangoapps/contentstore/rest_api/v1/serializers/home.py
@@ -51,6 +51,7 @@ class CourseHomeSerializer(serializers.Serializer):
         allow_empty=True
     )
     archived_courses = CourseCommonSerializer(required=False, many=True)
+    can_access_advanced_settings = serializers.BooleanField()
     can_create_organizations = serializers.BooleanField()
     course_creator_status = serializers.CharField()
     courses = CourseCommonSerializer(required=False, many=True)
diff --git a/cms/djangoapps/contentstore/rest_api/v1/views/home.py b/cms/djangoapps/contentstore/rest_api/v1/views/home.py
index d41ceb2647c5..d72042cff611 100644
--- a/cms/djangoapps/contentstore/rest_api/v1/views/home.py
+++ b/cms/djangoapps/contentstore/rest_api/v1/views/home.py
@@ -52,6 +52,7 @@ def get(self, request: Request):
             "allow_unicode_course_id": false,
             "allowed_organizations": [],
             "archived_courses": [],
+            "can_access_advanced_settings": true,
             "can_create_organizations": true,
             "course_creator_status": "granted",
             "courses": [],
diff --git a/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_home.py b/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_home.py
index 1b8bfaa84728..a8b4cf5e3933 100644
--- a/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_home.py
+++ b/cms/djangoapps/contentstore/rest_api/v1/views/tests/test_home.py
@@ -44,6 +44,7 @@ def test_home_page_courses_response(self):
             "allow_unicode_course_id": False,
             "allowed_organizations": [],
             "archived_courses": [],
+            "can_access_advanced_settings": True,
             "can_create_organizations": True,
             "course_creator_status": "granted",
             "courses": [],
diff --git a/cms/djangoapps/contentstore/utils.py b/cms/djangoapps/contentstore/utils.py
index 7d9a66f1d1c7..780e00fce3b9 100644
--- a/cms/djangoapps/contentstore/utils.py
+++ b/cms/djangoapps/contentstore/utils.py
@@ -1712,6 +1712,7 @@ def get_home_context(request, no_course=False):
         'allowed_organizations': get_allowed_organizations(user),
         'allowed_organizations_for_libraries': get_allowed_organizations_for_libraries(user),
         'can_create_organizations': user_can_create_organizations(user),
+        'can_access_advanced_settings': auth.has_studio_advanced_settings_access(user),
     }
 
     return home_context

From b75c2db7a34f2d3d0158d586f570e8c2cf731bcf Mon Sep 17 00:00:00 2001
From: Agrendalath <piotr@surowiec.it>
Date: Mon, 31 May 2021 17:45:03 +0200
Subject: [PATCH 18/24] fix: increase grades rounding precision

Enabling the rounding in #16837 has been causing noticeable (up to 1 percentage
point) differences between non-rounded subsection grades and a total grade for
a course. This increases the grade precision to reduce the negative
implications of double rounding.

(cherry picked from commit 84d2ad95151d11960d76fb97bf484a070d6dfc5a)
---
 lms/djangoapps/grades/rest_api/v1/tests/test_views.py    | 8 ++++----
 lms/djangoapps/grades/scores.py                          | 4 ++--
 lms/djangoapps/grades/tests/test_course_grade_factory.py | 8 ++++----
 lms/djangoapps/grades/tests/test_subsection_grade.py     | 2 +-
 xmodule/graders.py                                       | 6 +++---
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/lms/djangoapps/grades/rest_api/v1/tests/test_views.py b/lms/djangoapps/grades/rest_api/v1/tests/test_views.py
index cd2107ec7c29..656e7e6b4396 100644
--- a/lms/djangoapps/grades/rest_api/v1/tests/test_views.py
+++ b/lms/djangoapps/grades/rest_api/v1/tests/test_views.py
@@ -302,7 +302,7 @@ def setUpClass(cls):
             + [
                 {
                     'category': 'Homework',
-                    'detail': 'Homework Average = 0%',
+                    'detail': 'Homework Average = 0.00%',
                     'label': 'HW Avg', 'percent': 0.0,
                     'prominent': True
                 }
@@ -332,21 +332,21 @@ def setUpClass(cls):
                 },
                 {
                     'category': 'Lab',
-                    'detail': 'Lab Average = 0%',
+                    'detail': 'Lab Average = 0.00%',
                     'label': 'Lab Avg',
                     'percent': 0.0,
                     'prominent': True
                 },
                 {
                     'category': 'Midterm Exam',
-                    'detail': 'Midterm Exam = 0%',
+                    'detail': 'Midterm Exam = 0.00%',
                     'label': 'Midterm',
                     'percent': 0.0,
                     'prominent': True
                 },
                 {
                     'category': 'Final Exam',
-                    'detail': 'Final Exam = 0%',
+                    'detail': 'Final Exam = 0.00%',
                     'label': 'Final',
                     'percent': 0.0,
                     'prominent': True
diff --git a/lms/djangoapps/grades/scores.py b/lms/djangoapps/grades/scores.py
index f621d85ea17b..38dd0dc18926 100644
--- a/lms/djangoapps/grades/scores.py
+++ b/lms/djangoapps/grades/scores.py
@@ -162,8 +162,8 @@ def compute_percent(earned, possible):
      Returns the percentage of the given earned and possible values.
      """
     if possible > 0:
-        # Rounds to two decimal places.
-        return around(earned / possible, decimals=2)
+        # Rounds to four decimal places.
+        return around(earned / possible, decimals=4)
     else:
         return 0.0
 
diff --git a/lms/djangoapps/grades/tests/test_course_grade_factory.py b/lms/djangoapps/grades/tests/test_course_grade_factory.py
index 4e3bcde0ad95..2066b6cd0d7c 100644
--- a/lms/djangoapps/grades/tests/test_course_grade_factory.py
+++ b/lms/djangoapps/grades/tests/test_course_grade_factory.py
@@ -185,26 +185,26 @@ def test_course_grade_summary(self):
             'section_breakdown': [
                 {
                     'category': 'Homework',
-                    'detail': 'Homework 1 - Test Sequential X with an & Ampersand - 50% (1/2)',
+                    'detail': 'Homework 1 - Test Sequential X with an & Ampersand - 50.00% (1/2)',
                     'label': 'HW 01',
                     'percent': 0.5
                 },
                 {
                     'category': 'Homework',
-                    'detail': 'Homework 2 - Test Sequential A - 0% (0/1)',
+                    'detail': 'Homework 2 - Test Sequential A - 0.00% (0/1)',
                     'label': 'HW 02',
                     'percent': 0.0
                 },
                 {
                     'category': 'Homework',
-                    'detail': 'Homework Average = 25%',
+                    'detail': 'Homework Average = 25.00%',
                     'label': 'HW Avg',
                     'percent': 0.25,
                     'prominent': True
                 },
                 {
                     'category': 'NoCredit',
-                    'detail': 'NoCredit Average = 0%',
+                    'detail': 'NoCredit Average = 0.00%',
                     'label': 'NC Avg',
                     'percent': 0,
                     'prominent': True
diff --git a/lms/djangoapps/grades/tests/test_subsection_grade.py b/lms/djangoapps/grades/tests/test_subsection_grade.py
index 7dd39af4ece2..2398e7a71000 100644
--- a/lms/djangoapps/grades/tests/test_subsection_grade.py
+++ b/lms/djangoapps/grades/tests/test_subsection_grade.py
@@ -14,7 +14,7 @@
 @ddt
 class SubsectionGradeTest(GradeTestBase):  # lint-amnesty, pylint: disable=missing-class-docstring
 
-    @data((50, 100, .50), (59.49, 100, .59), (59.51, 100, .60), (59.50, 100, .60), (60.5, 100, .60))
+    @data((50, 100, .5), (.5949, 100, .0059), (.5951, 100, .006), (.595, 100, .0059), (.605, 100, .006))
     @unpack
     def test_create_and_read(self, mock_earned, mock_possible, expected_result):
         with mock_get_score(mock_earned, mock_possible):
diff --git a/xmodule/graders.py b/xmodule/graders.py
index a587204d682e..5261b9f4479a 100644
--- a/xmodule/graders.py
+++ b/xmodule/graders.py
@@ -387,7 +387,7 @@ def grade(self, grade_sheet, generate_random_scores=False):
                     section_name = scores[i].display_name
 
                 percentage = scores[i].percent_graded
-                summary_format = "{section_type} {index} - {name} - {percent:.0%} ({earned:.3n}/{possible:.3n})"
+                summary_format = "{section_type} {index} - {name} - {percent:.2%} ({earned:.3n}/{possible:.3n})"
                 summary = summary_format.format(
                     index=i + self.starting_index,
                     section_type=self.section_type,
@@ -421,7 +421,7 @@ def grade(self, grade_sheet, generate_random_scores=False):
         if len(breakdown) == 1:
             # if there is only one entry in a section, suppress the existing individual entry and the average,
             # and just display a single entry for the section.
-            total_detail = "{section_type} = {percent:.0%}".format(
+            total_detail = "{section_type} = {percent:.2%}".format(
                 percent=total_percent,
                 section_type=self.section_type,
             )
@@ -430,7 +430,7 @@ def grade(self, grade_sheet, generate_random_scores=False):
                           'detail': total_detail, 'category': self.category, 'prominent': True}, ]
         else:
             # Translators: "Homework Average = 0%"
-            total_detail = _("{section_type} Average = {percent:.0%}").format(
+            total_detail = _("{section_type} Average = {percent:.2%}").format(
                 percent=total_percent,
                 section_type=self.section_type
             )

From 6aecb88e2b98ab5b42f3cc994eea58cc04800bf9 Mon Sep 17 00:00:00 2001
From: Agrendalath <piotr@surowiec.it>
Date: Mon, 19 Aug 2024 17:05:58 +0200
Subject: [PATCH 19/24] fix: handle missing name in readonly enterprise account
 fields

The `settings.ENTERPRISE_READONLY_ACCOUNT_FIELDS` list can be overridden.
Removing the `name` from it should not raise the `ValueError` exception.
---
 openedx/features/enterprise_support/tests/test_utils.py | 6 ++++--
 openedx/features/enterprise_support/utils.py            | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/openedx/features/enterprise_support/tests/test_utils.py b/openedx/features/enterprise_support/tests/test_utils.py
index fbf2cccf9dbc..d693f6be72b6 100644
--- a/openedx/features/enterprise_support/tests/test_utils.py
+++ b/openedx/features/enterprise_support/tests/test_utils.py
@@ -269,10 +269,11 @@ def test_update_account_settings_context_for_enterprise(self, mock_get_fields):
         mock_get_fields.assert_called_once_with(user)
         assert expected_context == context
 
+    @ddt.data(settings.ENTERPRISE_READONLY_ACCOUNT_FIELDS, ['username', 'email', 'country'])
     @mock.patch('openedx.features.enterprise_support.utils.get_current_request')
     @mock.patch('openedx.features.enterprise_support.api.enterprise_customer_for_request')
     def test_get_enterprise_readonly_account_fields_no_sync_learner_profile_data(
-            self, mock_customer_for_request, mock_get_current_request,
+            self, readonly_fields, mock_customer_for_request, mock_get_current_request,
     ):
         mock_get_current_request.return_value = mock.Mock(
             GET={'enterprise_customer': 'some-uuid'},
@@ -284,7 +285,8 @@ def test_get_enterprise_readonly_account_fields_no_sync_learner_profile_data(
         }
         user = mock.Mock()
 
-        actual_fields = get_enterprise_readonly_account_fields(user)
+        with override_settings(ENTERPRISE_READONLY_ACCOUNT_FIELDS=readonly_fields):
+            actual_fields = get_enterprise_readonly_account_fields(user)
         assert set() == actual_fields
         mock_customer_for_request.assert_called_once_with(mock_get_current_request.return_value)
         mock_get_current_request.assert_called_once_with()
diff --git a/openedx/features/enterprise_support/utils.py b/openedx/features/enterprise_support/utils.py
index 4604b5c4fb00..6b007ebed57b 100644
--- a/openedx/features/enterprise_support/utils.py
+++ b/openedx/features/enterprise_support/utils.py
@@ -277,7 +277,7 @@ def get_enterprise_readonly_account_fields(user):
     # if user has no `UserSocialAuth` record then allow to edit `fullname`
     # whether the `sync_learner_profile_data` is enabled or disabled
     user_social_auth_record = _user_has_social_auth_record(user, enterprise_customer)
-    if not user_social_auth_record:
+    if not user_social_auth_record and 'name' in enterprise_readonly_account_fields:
         enterprise_readonly_account_fields.remove('name')
 
     sync_learner_profile_data = _get_sync_learner_profile_data(enterprise_customer)

From 3b56ccadb23072e69645ed3eacf80c31b6a6f0d8 Mon Sep 17 00:00:00 2001
From: Agrendalath <piotr@surowiec.it>
Date: Thu, 23 May 2024 17:04:50 +0200
Subject: [PATCH 20/24] fix: receive XBlock visibility from the Learning MFE

---
 lms/static/completion/js/ViewedEvent.js | 46 +++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 2 deletions(-)

diff --git a/lms/static/completion/js/ViewedEvent.js b/lms/static/completion/js/ViewedEvent.js
index 1ad936f8a158..b2b9d5ff5bc4 100644
--- a/lms/static/completion/js/ViewedEvent.js
+++ b/lms/static/completion/js/ViewedEvent.js
@@ -109,7 +109,13 @@ export class ViewedEventTracker {
     constructor() {
         this.elementViewings = new Set();
         this.handlers = [];
-        this.registerDomHandlers();
+        if (window === window.parent) {
+          // Preview (legacy LMS frontend).
+          this.registerDomHandlers();
+        } else {
+          // Learning MFE.
+          window.addEventListener('message', this.handleVisibilityMessage.bind(this));
+        }
     }
 
     /** Add an element to track.  */
@@ -121,7 +127,11 @@ export class ViewedEventTracker {
                 (el, event) => this.callHandlers(el, event),
             ),
         );
-        this.updateVisible();
+        // Update visibility status immediately after adding the element (in case it's already visible).
+        // We don't need this for the Learning MFE because it will send a message once the iframe is loaded.
+        if (window === window.parent) {
+          this.updateVisible();
+        }
     }
 
     /** Register a new handler to be called when an element has been viewed.  */
@@ -177,4 +187,36 @@ export class ViewedEventTracker {
             handler(el, event);
         });
     }
+
+    /** Handle a unit.visibilityStatus message from the Learning MFE. */
+    handleVisibilityMessage(event) {
+        if (event.data.type === 'unit.visibilityStatus') {
+          const { topPosition, viewportHeight } = event.data.data;
+
+          this.elementViewings.forEach((elv) => {
+              const rect = elv.getBoundingRect();
+              let visible = false;
+
+              // Convert iframe-relative rect coordinates to be relative to the parent's viewport.
+              const elTopPosition = rect.top + topPosition;
+              const elBottomPosition = rect.bottom + topPosition;
+
+              // Check if the element is visible in the parent's viewport.
+              if (elTopPosition < viewportHeight && elTopPosition >= 0) {
+                  elv.markTopSeen();
+                  visible = true;
+              }
+              if (elBottomPosition <= viewportHeight && elBottomPosition > 0) {
+                  elv.markBottomSeen();
+                  visible = true;
+              }
+
+              if (visible) {
+                  elv.handleVisible();
+              } else {
+                  elv.handleNotVisible();
+              }
+          });
+      }
+    }
 }

From 321f2d0b66cba57acc2f6e9d67bba983cb9cf0dd Mon Sep 17 00:00:00 2001
From: Paulo Viadanna <paulo@opencraft.com>
Date: Wed, 9 Oct 2024 19:19:14 -0300
Subject: [PATCH 21/24] fix: bump ora2 to fix uploads (#693)

---
 requirements/common_constraints.txt               | 15 +++++++--------
 requirements/edx-sandbox/base.txt                 |  4 ++--
 requirements/edx/base.txt                         |  9 +++++----
 requirements/edx/bundled.in                       |  8 +++++++-
 requirements/edx/development.txt                  | 12 ++++++------
 requirements/edx/doc.txt                          |  8 ++++----
 requirements/edx/semgrep.txt                      |  4 ++--
 requirements/edx/testing.txt                      | 12 ++++++------
 requirements/pip-tools.txt                        | 10 ++++------
 .../structures_pruning/requirements/testing.txt   |  4 ++--
 scripts/user_retirement/requirements/testing.txt  |  4 ++--
 11 files changed, 47 insertions(+), 43 deletions(-)

diff --git a/requirements/common_constraints.txt b/requirements/common_constraints.txt
index 4abc9ae22cb3..605871970bd8 100644
--- a/requirements/common_constraints.txt
+++ b/requirements/common_constraints.txt
@@ -21,15 +21,14 @@ Django<5.0
 
 # elasticsearch>=7.14.0 includes breaking changes in it which caused issues in discovery upgrade process.
 # elastic search changelog: https://www.elastic.co/guide/en/enterprise-search/master/release-notes-7.14.0.html
+# See https://github.com/openedx/edx-platform/issues/35126 for more info
 elasticsearch<7.14.0
 
 # django-simple-history>3.0.0 adds indexing and causes a lot of migrations to be affected
 
-# opentelemetry requires version 6.x at the moment:
-# https://github.com/open-telemetry/opentelemetry-python/issues/3570
-# Normally this could be added as a constraint in edx-django-utils, where we're
-# adding the opentelemetry dependency. However, when we compile pip-tools.txt,
-# that uses version 7.x, and then there's no undoing that when compiling base.txt.
-# So we need to pin it globally, for now.
-# Ticket for unpinning: https://github.com/openedx/edx-lint/issues/407
-importlib-metadata<7
+# Cause: https://github.com/openedx/event-tracking/pull/290
+# event-tracking 2.4.1 upgrades to pymongo 4.4.0 which is not supported on edx-platform.
+# We will pin event-tracking to do not break existing installations
+# This can be unpinned once https://github.com/openedx/edx-platform/issues/34586
+# has been resolved and edx-platform is running with pymongo>=4.4.0
+event-tracking<2.4.1
diff --git a/requirements/edx-sandbox/base.txt b/requirements/edx-sandbox/base.txt
index d12c994fd206..1a9e87b73021 100644
--- a/requirements/edx-sandbox/base.txt
+++ b/requirements/edx-sandbox/base.txt
@@ -22,7 +22,7 @@ cycler==0.12.1
     # via matplotlib
 fonttools==4.51.0
     # via matplotlib
-importlib-resources==6.4.0
+importlib-resources==6.4.5
     # via matplotlib
 joblib==1.4.2
     # via nltk
@@ -89,5 +89,5 @@ sympy==1.12
     #   openedx-calc
 tqdm==4.66.4
     # via nltk
-zipp==3.18.1
+zipp==3.20.2
     # via importlib-resources
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index 2ae5ba235a89..decf2a857a22 100644
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -566,6 +566,7 @@ enmerkar-underscore==2.3.0
     # via -r requirements/edx/kernel.in
 event-tracking==2.4.0
     # via
+    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/kernel.in
     #   edx-completion
     #   edx-proctoring
@@ -611,9 +612,9 @@ idna==3.7
     #   requests
     #   snowflake-connector-python
     #   yarl
-importlib-metadata==6.11.0
+importlib-metadata==8.5.0
     # via
-    #   -c requirements/edx/../common_constraints.txt
+    #   -r requirements/edx/bundled.in
     #   markdown
 importlib-resources==5.13.0
     # via
@@ -804,7 +805,7 @@ optimizely-sdk==4.1.1
     # via
     #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/bundled.in
-ora2==6.9.0
+ora2 @ git+https://github.com/open-craft/edx-ora2@viadanna/block-uploads
     # via -r requirements/edx/bundled.in
 packaging==24.0
     # via
@@ -1251,7 +1252,7 @@ xss-utils==0.6.0
     # via -r requirements/edx/kernel.in
 yarl==1.9.4
     # via aiohttp
-zipp==3.18.1
+zipp==3.20.2
     # via
     #   importlib-metadata
     #   importlib-resources
diff --git a/requirements/edx/bundled.in b/requirements/edx/bundled.in
index b4685a3a2cbe..3fbdfda5d011 100644
--- a/requirements/edx/bundled.in
+++ b/requirements/edx/bundled.in
@@ -44,7 +44,13 @@ done-xblock                         # a very simple XBlock that allows learners
 recommender-xblock                  # https://github.com/edx/RecommenderXBlock
 staff-graded-xblock                 # https://github.com/openedx/staff_graded-xblock Allows off-site bulk scoring.
 edx-sga                             # The more well known "staff graded assignment" XBlock, from MIT.
-ora2>=4.5.0                         # Open Response Assessment XBlock
+# ora2>=4.5.0                         # Open Response Assessment XBlock
 xblock-poll                         # Xblock for polling users
 xblock-drag-and-drop-v2             # Drag and Drop XBlock
 xblock-google-drive                 # XBlock for google docs and calendar
+
+# Fix for ORA uploads
+git+https://github.com/open-craft/edx-ora2@viadanna/block-uploads
+
+# Missing after compiling requirements
+importlib-metadata
diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt
index 8b1bb858efe2..59c7d093f164 100644
--- a/requirements/edx/development.txt
+++ b/requirements/edx/development.txt
@@ -894,12 +894,13 @@ enmerkar-underscore==2.3.0
     #   -r requirements/edx/testing.txt
 event-tracking==2.4.0
     # via
+    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/doc.txt
     #   -r requirements/edx/testing.txt
     #   edx-completion
     #   edx-proctoring
     #   edx-search
-exceptiongroup==1.2.1
+exceptiongroup==1.2.2
     # via
     #   -r requirements/edx/testing.txt
     #   anyio
@@ -1031,9 +1032,8 @@ imagesize==1.4.1
     #   sphinx
 import-linter==2.0
     # via -r requirements/edx/testing.txt
-importlib-metadata==6.11.0
+importlib-metadata==8.5.0
     # via
-    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/../pip-tools.txt
     #   -r requirements/edx/doc.txt
     #   -r requirements/edx/testing.txt
@@ -1371,7 +1371,7 @@ optimizely-sdk==4.1.1
     #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/doc.txt
     #   -r requirements/edx/testing.txt
-ora2==6.9.0
+ora2 @ git+https://github.com/open-craft/edx-ora2@viadanna/block-uploads
     # via
     #   -r requirements/edx/doc.txt
     #   -r requirements/edx/testing.txt
@@ -2074,7 +2074,7 @@ tinycss2==1.2.1
     #   -r requirements/edx/doc.txt
     #   -r requirements/edx/testing.txt
     #   bleach
-tomli==2.0.1
+tomli==2.0.2
     # via
     #   -r requirements/edx/../pip-tools.txt
     #   -r requirements/edx/testing.txt
@@ -2317,7 +2317,7 @@ yarl==1.9.4
     #   -r requirements/edx/testing.txt
     #   aiohttp
     #   pact-python
-zipp==3.18.1
+zipp==3.20.2
     # via
     #   -r requirements/edx/../pip-tools.txt
     #   -r requirements/edx/doc.txt
diff --git a/requirements/edx/doc.txt b/requirements/edx/doc.txt
index 9e1dee112300..00f8420bc6b3 100644
--- a/requirements/edx/doc.txt
+++ b/requirements/edx/doc.txt
@@ -650,6 +650,7 @@ enmerkar-underscore==2.3.0
     # via -r requirements/edx/base.txt
 event-tracking==2.4.0
     # via
+    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/base.txt
     #   edx-completion
     #   edx-proctoring
@@ -708,9 +709,8 @@ idna==3.7
     #   yarl
 imagesize==1.4.1
     # via sphinx
-importlib-metadata==6.11.0
+importlib-metadata==8.5.0
     # via
-    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/base.txt
     #   markdown
     #   sphinx
@@ -940,7 +940,7 @@ optimizely-sdk==4.1.1
     # via
     #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/base.txt
-ora2==6.9.0
+ora2 @ git+https://github.com/open-craft/edx-ora2@viadanna/block-uploads
     # via -r requirements/edx/base.txt
 packaging==24.0
     # via
@@ -1521,7 +1521,7 @@ yarl==1.9.4
     # via
     #   -r requirements/edx/base.txt
     #   aiohttp
-zipp==3.18.1
+zipp==3.20.2
     # via
     #   -r requirements/edx/base.txt
     #   importlib-metadata
diff --git a/requirements/edx/semgrep.txt b/requirements/edx/semgrep.txt
index ec1ee016e564..110d877fc52e 100644
--- a/requirements/edx/semgrep.txt
+++ b/requirements/edx/semgrep.txt
@@ -40,7 +40,7 @@ glom==22.1.0
     # via semgrep
 idna==3.7
     # via requests
-importlib-resources==6.4.0
+importlib-resources==6.4.5
     # via
     #   jsonschema
     #   jsonschema-specifications
@@ -91,5 +91,5 @@ urllib3==1.26.18
     #   semgrep
 wcmatch==8.5.1
     # via semgrep
-zipp==3.18.1
+zipp==3.20.2
     # via importlib-resources
diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt
index 452fec9a8643..ffce92d30276 100644
--- a/requirements/edx/testing.txt
+++ b/requirements/edx/testing.txt
@@ -687,11 +687,12 @@ enmerkar-underscore==2.3.0
     # via -r requirements/edx/base.txt
 event-tracking==2.4.0
     # via
+    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/base.txt
     #   edx-completion
     #   edx-proctoring
     #   edx-search
-exceptiongroup==1.2.1
+exceptiongroup==1.2.2
     # via
     #   anyio
     #   pytest
@@ -778,9 +779,8 @@ idna==3.7
     #   yarl
 import-linter==2.0
     # via -r requirements/edx/testing.in
-importlib-metadata==6.11.0
+importlib-metadata==8.5.0
     # via
-    #   -c requirements/edx/../common_constraints.txt
     #   -r requirements/edx/base.txt
     #   markdown
     #   pytest-randomly
@@ -1025,7 +1025,7 @@ optimizely-sdk==4.1.1
     # via
     #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/base.txt
-ora2==6.9.0
+ora2 @ git+https://github.com/open-craft/edx-ora2@viadanna/block-uploads
     # via -r requirements/edx/base.txt
 orjson==3.10.3
     # via fastapi
@@ -1527,7 +1527,7 @@ tinycss2==1.2.1
     # via
     #   -r requirements/edx/base.txt
     #   bleach
-tomli==2.0.1
+tomli==2.0.2
     # via
     #   coverage
     #   import-linter
@@ -1697,7 +1697,7 @@ yarl==1.9.4
     #   -r requirements/edx/base.txt
     #   aiohttp
     #   pact-python
-zipp==3.18.1
+zipp==3.20.2
     # via
     #   -r requirements/edx/base.txt
     #   importlib-metadata
diff --git a/requirements/pip-tools.txt b/requirements/pip-tools.txt
index 4b631a73d780..a80930bd7603 100644
--- a/requirements/pip-tools.txt
+++ b/requirements/pip-tools.txt
@@ -10,10 +10,8 @@ click==8.1.6
     # via
     #   -c requirements/constraints.txt
     #   pip-tools
-importlib-metadata==6.11.0
-    # via
-    #   -c requirements/common_constraints.txt
-    #   build
+importlib-metadata==8.5.0
+    # via build
 packaging==24.0
     # via build
 pip-tools==7.4.1
@@ -22,13 +20,13 @@ pyproject-hooks==1.1.0
     # via
     #   build
     #   pip-tools
-tomli==2.0.1
+tomli==2.0.2
     # via
     #   build
     #   pip-tools
 wheel==0.43.0
     # via pip-tools
-zipp==3.18.1
+zipp==3.20.2
     # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
diff --git a/scripts/structures_pruning/requirements/testing.txt b/scripts/structures_pruning/requirements/testing.txt
index 12c5d2dbdae0..5b49147a734b 100644
--- a/scripts/structures_pruning/requirements/testing.txt
+++ b/scripts/structures_pruning/requirements/testing.txt
@@ -14,7 +14,7 @@ ddt==1.7.2
     # via -r scripts/structures_pruning/requirements/testing.in
 edx-opaque-keys==2.9.0
     # via -r scripts/structures_pruning/requirements/base.txt
-exceptiongroup==1.2.1
+exceptiongroup==1.2.2
     # via pytest
 iniconfig==2.0.0
     # via pytest
@@ -36,7 +36,7 @@ stevedore==5.2.0
     # via
     #   -r scripts/structures_pruning/requirements/base.txt
     #   edx-opaque-keys
-tomli==2.0.1
+tomli==2.0.2
     # via pytest
 typing-extensions==4.11.0
     # via
diff --git a/scripts/user_retirement/requirements/testing.txt b/scripts/user_retirement/requirements/testing.txt
index 2bae9bb1a272..b5263189231a 100644
--- a/scripts/user_retirement/requirements/testing.txt
+++ b/scripts/user_retirement/requirements/testing.txt
@@ -76,7 +76,7 @@ edx-django-utils==5.13.0
     #   edx-rest-api-client
 edx-rest-api-client==5.7.0
     # via -r scripts/user_retirement/requirements/base.txt
-exceptiongroup==1.2.1
+exceptiongroup==1.2.2
     # via pytest
 google-api-core==2.19.0
     # via
@@ -268,7 +268,7 @@ stevedore==5.2.0
     # via
     #   -r scripts/user_retirement/requirements/base.txt
     #   edx-django-utils
-tomli==2.0.1
+tomli==2.0.2
     # via pytest
 typing-extensions==4.11.0
     # via

From 3ba4ab1a46820c5fe6ccf1c4592a780f04c6c1b6 Mon Sep 17 00:00:00 2001
From: 0x29a <demid@opencraft.com>
Date: Wed, 23 Oct 2024 14:40:01 +0200
Subject: [PATCH 22/24] feat: allow Bearer auth for sequence metadata

---
 openedx/core/djangoapps/courseware_api/views.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openedx/core/djangoapps/courseware_api/views.py b/openedx/core/djangoapps/courseware_api/views.py
index 7f56133b3459..b347f91f60cf 100644
--- a/openedx/core/djangoapps/courseware_api/views.py
+++ b/openedx/core/djangoapps/courseware_api/views.py
@@ -583,6 +583,7 @@ class SequenceMetadata(DeveloperErrorViewMixin, APIView):
 
     authentication_classes = (
         JwtAuthentication,
+        BearerAuthenticationAllowInactiveUser,
         SessionAuthenticationAllowInactiveUser,
     )
 

From 2481c0e670b58df2e74a6725c3a0a6ac7bd4ac32 Mon Sep 17 00:00:00 2001
From: "kshitij.sobti" <kshitij@sobti.in>
Date: Wed, 20 Nov 2024 18:11:37 +0530
Subject: [PATCH 23/24] feat: User agreements API for generic agreement records

This change adds a new kind of generic user agreement that allows plugins or
even the core platform to record a user's acknowledgement of an agreement.

(cherry picked from commit dc0383f6e38a3a7eb8e82ea1b18d0baaf66192c1)
---
 openedx/core/djangoapps/agreements/api.py     | 55 ++++++++++--
 openedx/core/djangoapps/agreements/data.py    | 23 +++++
 .../migrations/0006_useragreementrecord.py    | 25 ++++++
 openedx/core/djangoapps/agreements/models.py  | 17 ++++
 .../core/djangoapps/agreements/serializers.py | 12 ++-
 .../djangoapps/agreements/tests/test_api.py   | 58 ++++++++++---
 .../djangoapps/agreements/tests/test_views.py | 69 +++++++++++++--
 openedx/core/djangoapps/agreements/urls.py    |  5 +-
 openedx/core/djangoapps/agreements/views.py   | 86 +++++++++++++++++--
 9 files changed, 318 insertions(+), 32 deletions(-)
 create mode 100644 openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py

diff --git a/openedx/core/djangoapps/agreements/api.py b/openedx/core/djangoapps/agreements/api.py
index 2489cefb8533..11ad23dddd25 100644
--- a/openedx/core/djangoapps/agreements/api.py
+++ b/openedx/core/djangoapps/agreements/api.py
@@ -3,17 +3,15 @@
 """
 
 import logging
+from datetime import datetime
+from typing import Iterable, Optional
 
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
 from opaque_keys.edx.keys import CourseKey
 
-from openedx.core.djangoapps.agreements.models import IntegritySignature
-from openedx.core.djangoapps.agreements.models import LTIPIITool
-from openedx.core.djangoapps.agreements.models import LTIPIISignature
-
-from .data import LTIToolsReceivingPIIData
-from .data import LTIPIISignatureData
+from .data import LTIPIISignatureData, LTIToolsReceivingPIIData, UserAgreementRecordData
+from .models import IntegritySignature, LTIPIISignature, LTIPIITool, UserAgreementRecord
 
 log = logging.getLogger(__name__)
 User = get_user_model()
@@ -240,3 +238,48 @@ def _user_signature_out_of_date(username, course_id):
         return False
     else:
         return user_lti_pii_signature_hash != course_lti_pii_tools_hash
+
+
+def get_user_agreements(user: User) -> Iterable[UserAgreementRecordData]:
+    """
+    Retrieves all the agreements that the specified user has acknowledged.
+    """
+    for agreement_record in UserAgreementRecord.objects.filter(user=user):
+        yield UserAgreementRecordData.from_model(agreement_record)
+
+
+def get_latest_user_agreement_record(
+    user: User,
+    agreement_type: str,
+    agreed_after: datetime = None,
+) -> Optional[UserAgreementRecordData]:
+    """
+    Retrieve the user agreement record for the specified user and agreement type.
+
+    An agreement update timestamp can be provided to return a record only if it
+    was signed after that timestamp.
+    """
+    try:
+        record_query = UserAgreementRecord.objects.filter(
+            user=user,
+            agreement_type=agreement_type,
+        )
+        if agreed_after:
+            record_query = record_query.filter(timestamp__gte=agreed_after)
+        record = record_query.latest("timestamp")
+        return UserAgreementRecordData.from_model(record)
+    except UserAgreementRecord.DoesNotExist:
+        return None
+
+
+def create_user_agreement_record(user: User, agreement_type: str) -> UserAgreementRecordData:
+    """
+    Creates a user agreement record if one doesn't already exist, or updates existing
+    record to current timestamp.
+    """
+    record = UserAgreementRecord.objects.create(
+        user=user,
+        agreement_type=agreement_type,
+        timestamp=datetime.now(),
+    )
+    return UserAgreementRecordData.from_model(record)
diff --git a/openedx/core/djangoapps/agreements/data.py b/openedx/core/djangoapps/agreements/data.py
index 9d843c73cb04..01d83665c009 100644
--- a/openedx/core/djangoapps/agreements/data.py
+++ b/openedx/core/djangoapps/agreements/data.py
@@ -1,8 +1,13 @@
 """
 Public data structures for this app.
 """
+from dataclasses import dataclass
+from datetime import datetime
+
 import attr
 
+from .models import UserAgreementRecord
+
 
 @attr.s(frozen=True, auto_attribs=True)
 class LTIToolsReceivingPIIData:
@@ -21,3 +26,21 @@ class LTIPIISignatureData:
     course_id: str
     lti_tools: str
     lti_tools_hash: str
+
+
+@dataclass
+class UserAgreementRecordData:
+    """
+    Data for a single user agreement record.
+    """
+    username: str
+    agreement_type: str
+    accepted_at: datetime
+
+    @classmethod
+    def from_model(cls, model: UserAgreementRecord):
+        return UserAgreementRecordData(
+            username=model.user.username,
+            agreement_type=model.agreement_type,
+            accepted_at=model.timestamp,
+        )
diff --git a/openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py b/openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py
new file mode 100644
index 000000000000..2e0985adb6de
--- /dev/null
+++ b/openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py
@@ -0,0 +1,25 @@
+# Generated by Django 4.2.16 on 2024-12-06 11:34
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('agreements', '0005_timestampedmodels'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='UserAgreementRecord',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('agreement_type', models.CharField(max_length=255)),
+                ('timestamp', models.DateTimeField(auto_now_add=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]
diff --git a/openedx/core/djangoapps/agreements/models.py b/openedx/core/djangoapps/agreements/models.py
index 461d7936c4bb..db6e182fe2ac 100644
--- a/openedx/core/djangoapps/agreements/models.py
+++ b/openedx/core/djangoapps/agreements/models.py
@@ -64,3 +64,20 @@ class ProctoringPIISignature(TimeStampedModel):
 
     class Meta:
         app_label = 'agreements'
+
+
+class UserAgreementRecord(models.Model):
+    """
+    This model stores the agreements a user has accepted or acknowledged.
+
+    Each record here represents a user agreeing to the agreement type represented
+    by `agreement_type` at a particular time.
+
+    .. no_pii:
+    """
+    user = models.ForeignKey(User, db_index=True, on_delete=models.CASCADE)
+    agreement_type = models.CharField(max_length=255)
+    timestamp = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        app_label = 'agreements'
diff --git a/openedx/core/djangoapps/agreements/serializers.py b/openedx/core/djangoapps/agreements/serializers.py
index 11e9d57f4054..0ecade7afd97 100644
--- a/openedx/core/djangoapps/agreements/serializers.py
+++ b/openedx/core/djangoapps/agreements/serializers.py
@@ -3,9 +3,10 @@
 """
 from rest_framework import serializers
 
-from openedx.core.djangoapps.agreements.models import IntegritySignature, LTIPIISignature
 from openedx.core.lib.api.serializers import CourseKeyField
 
+from .models import IntegritySignature, LTIPIISignature
+
 
 class IntegritySignatureSerializer(serializers.ModelSerializer):
     """
@@ -31,3 +32,12 @@ class LTIPIISignatureSerializer(serializers.ModelSerializer):
     class Meta:
         model = LTIPIISignature
         fields = ('username', 'course_id', 'lti_tools', 'created_at')
+
+
+class UserAgreementsSerializer(serializers.Serializer):
+    """
+    Serializer for UserAgreementRecord model
+    """
+    username = serializers.CharField(read_only=True)
+    agreement_type = serializers.CharField(read_only=True)
+    accepted_at = serializers.DateTimeField()
diff --git a/openedx/core/djangoapps/agreements/tests/test_api.py b/openedx/core/djangoapps/agreements/tests/test_api.py
index c66065789939..eb1e02956dc5 100644
--- a/openedx/core/djangoapps/agreements/tests/test_api.py
+++ b/openedx/core/djangoapps/agreements/tests/test_api.py
@@ -2,25 +2,29 @@
 Tests for the Agreements API
 """
 import logging
+from datetime import datetime, timedelta
 
+from django.test import TestCase
+from opaque_keys.edx.keys import CourseKey
 from testfixtures import LogCapture
 
 from common.djangoapps.student.tests.factories import UserFactory
-from openedx.core.djangoapps.agreements.api import (
+from openedx.core.djangolib.testing.utils import skip_unless_lms
+from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase
+from xmodule.modulestore.tests.factories import CourseFactory
+
+from ..api import (
     create_integrity_signature,
+    create_lti_pii_signature,
+    create_user_agreement_record,
     get_integrity_signature,
     get_integrity_signatures_for_course,
+    get_lti_pii_signature,
     get_pii_receiving_lti_tools,
-    create_lti_pii_signature,
-    get_lti_pii_signature
+    get_latest_user_agreement_record,
+    get_user_agreements
 )
-from openedx.core.djangolib.testing.utils import skip_unless_lms
-from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase  # lint-amnesty, pylint: disable=wrong-import-order
-from xmodule.modulestore.tests.factories import CourseFactory  # lint-amnesty, pylint: disable=wrong-import-order
-from ..models import (
-    LTIPIITool,
-)
-from opaque_keys.edx.keys import CourseKey
+from ..models import LTIPIITool
 
 LOGGER_NAME = "openedx.core.djangoapps.agreements.api"
 
@@ -186,3 +190,37 @@ def _assert_ltitools(self, lti_list):
         Helper function to assert the returned list has the correct tools
         """
         self.assertEqual(self.lti_tools, lti_list)
+
+
+@skip_unless_lms
+class UserAgreementsTests(TestCase):
+    """
+    Tests for the python APIs related to user agreements.
+    """
+    def setUp(self):
+        self.user = UserFactory()
+
+    def test_get_user_agreements(self, ):
+        result = list(get_user_agreements(self.user))
+        assert len(result) == 0
+
+        record = create_user_agreement_record(self.user, 'test_type')
+        result = list(get_user_agreements(self.user))
+
+        assert len(result) == 1
+        assert result[0].agreement_type == 'test_type'
+        assert result[0].username == self.user.username
+        assert result[0].accepted_at == record.accepted_at
+
+    def test_get_user_agreement_record(self):
+        record = create_user_agreement_record(self.user, 'test_type')
+        result = get_latest_user_agreement_record(self.user, 'test_type')
+
+        assert result == record
+
+        result = get_latest_user_agreement_record(self.user, 'test_type', datetime.now() + timedelta(days=1))
+
+        assert result is None
+
+    def tearDown(self):
+        self.user.delete()
diff --git a/openedx/core/djangoapps/agreements/tests/test_views.py b/openedx/core/djangoapps/agreements/tests/test_views.py
index 4c52e5853f05..61cc8661fb43 100644
--- a/openedx/core/djangoapps/agreements/tests/test_views.py
+++ b/openedx/core/djangoapps/agreements/tests/test_views.py
@@ -2,26 +2,28 @@
 Tests for agreements views
 """
 
+import json
 from datetime import datetime, timedelta
 from unittest.mock import patch
 
 from django.conf import settings
 from django.urls import reverse
-from rest_framework.test import APITestCase
-from rest_framework import status
 from freezegun import freeze_time
-import json
+from rest_framework import status
+from rest_framework.test import APITestCase
 
-from common.djangoapps.student.tests.factories import UserFactory, AdminFactory
 from common.djangoapps.student.roles import CourseStaffRole
-from openedx.core.djangoapps.agreements.api import (
+from common.djangoapps.student.tests.factories import AdminFactory, UserFactory
+from openedx.core.djangolib.testing.utils import skip_unless_lms
+from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase
+from xmodule.modulestore.tests.factories import CourseFactory
+
+from ..api import (
     create_integrity_signature,
+    create_user_agreement_record,
     get_integrity_signatures_for_course,
     get_lti_pii_signature
 )
-from openedx.core.djangolib.testing.utils import skip_unless_lms
-from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase  # lint-amnesty, pylint: disable=wrong-import-order
-from xmodule.modulestore.tests.factories import CourseFactory  # lint-amnesty, pylint: disable=wrong-import-order
 
 
 @skip_unless_lms
@@ -289,3 +291,54 @@ def test_post_lti_pii_signature(self):
         signature = get_lti_pii_signature(self.user.username, self.course_id)
         self.assertEqual(signature.user.username, self.user.username)
         self.assertEqual(signature.lti_tools, self.lti_tools)
+
+
+@skip_unless_lms
+class UserAgreementsViewTests(APITestCase):
+    """
+    Tests for the UserAgreementsView
+    """
+
+    def setUp(self):
+        self.user = UserFactory(username="testuser", password="password")
+        self.url = reverse('user_agreements', kwargs={'agreement_type': 'sample_agreement'})
+        self.login()
+
+    def login(self):
+        self.client.login(username="testuser", password="password")
+
+    def test_get_user_agreement_record_no_data(self):
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_get_user_agreement_record_invalid_date(self):
+        response = self.client.get(self.url, {'after': 'invalid_date'})
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    def test_get_user_agreement_record(self):
+        create_user_agreement_record(self.user, 'sample_agreement')
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert 'accepted_at' in response.data
+
+        response = self.client.get(self.url, {"after": str(datetime.now() + timedelta(days=1))})
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_post_user_agreement(self):
+        with freeze_time("2024-11-21 12:00:00"):
+            response = self.client.post(self.url)
+        assert response.status_code == status.HTTP_201_CREATED
+
+        self.login()
+
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+
+        response = self.client.get(self.url, {"after": "2024-11-21T13:00:00Z"})
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        response = self.client.post(self.url)
+        assert response.status_code == status.HTTP_201_CREATED
+
+        response = self.client.get(self.url, {"after": "2024-11-21T13:00:00Z"})
+        assert response.status_code == status.HTTP_200_OK
diff --git a/openedx/core/djangoapps/agreements/urls.py b/openedx/core/djangoapps/agreements/urls.py
index d9d009d65ac1..902f477a7087 100644
--- a/openedx/core/djangoapps/agreements/urls.py
+++ b/openedx/core/djangoapps/agreements/urls.py
@@ -3,9 +3,9 @@
 """
 
 from django.conf import settings
-from django.urls import re_path
+from django.urls import path, re_path
 
-from .views import IntegritySignatureView, LTIPIISignatureView
+from .views import IntegritySignatureView, LTIPIISignatureView, UserAgreementsView
 
 urlpatterns = [
     re_path(r'^integrity_signature/{course_id}$'.format(
@@ -14,4 +14,5 @@
     re_path(r'^lti_pii_signature/{course_id}$'.format(
         course_id=settings.COURSE_ID_PATTERN
     ), LTIPIISignatureView.as_view(), name='lti_pii_signature'),
+    path("agreement/<slug:agreement_type>", UserAgreementsView.as_view(), name="user_agreements"),
 ]
diff --git a/openedx/core/djangoapps/agreements/views.py b/openedx/core/djangoapps/agreements/views.py
index cc928669ffdd..daf2ce09428c 100644
--- a/openedx/core/djangoapps/agreements/views.py
+++ b/openedx/core/djangoapps/agreements/views.py
@@ -2,21 +2,28 @@
 Views served by the Agreements app
 """
 
+import edx_api_doc_tools as apidocs
+from django import forms
 from django.conf import settings
+from drf_yasg import openapi
+from opaque_keys.edx.keys import CourseKey
 from rest_framework import status
-from rest_framework.views import APIView
-from rest_framework.response import Response
 from rest_framework.permissions import IsAuthenticated
-from opaque_keys.edx.keys import CourseKey
+from rest_framework.response import Response
+from rest_framework.views import APIView
 
 from common.djangoapps.student import auth
 from common.djangoapps.student.roles import CourseStaffRole
-from openedx.core.djangoapps.agreements.api import (
+
+from .api import (
     create_integrity_signature,
     create_lti_pii_signature,
+    create_user_agreement_record,
     get_integrity_signature,
+    get_latest_user_agreement_record
 )
-from openedx.core.djangoapps.agreements.serializers import IntegritySignatureSerializer, LTIPIISignatureSerializer
+from .serializers import IntegritySignatureSerializer, LTIPIISignatureSerializer, UserAgreementsSerializer
+from ...lib.api.view_utils import view_auth_classes
 
 
 def is_user_course_or_global_staff(user, course_id):
@@ -159,3 +166,72 @@ def post(self, request, course_id):
         else:
             statusStr = status.HTTP_500_INTERNAL_SERVER_ERROR
         return Response(data=serializer.data, status=statusStr)
+
+
+@view_auth_classes(is_authenticated=True)
+class UserAgreementsView(APIView):
+    """
+    Endpoint for the user agreements API.
+    """
+
+    class QueryFilterForm(forms.Form):
+        """
+        Query parameters for the GET method.
+        """
+        after = forms.DateTimeField(required=False)
+
+    @apidocs.schema(
+        parameters=[
+            apidocs.string_parameter(
+                'agreement_type',
+                apidocs.ParameterLocation.PATH,
+                description="Agreement ID/Type",
+            ),
+            openapi.Parameter(
+                'after',
+                apidocs.ParameterLocation.QUERY,
+                required=False,
+                type=openapi.TYPE_STRING,
+                format=openapi.FORMAT_DATETIME,
+                description="Return records after this date/time",
+            ),
+        ],
+        responses={
+            200: UserAgreementsSerializer,
+            400: "Bad Request",
+            404: "Not Found",
+        },
+    )
+    def get(self, request, agreement_type):
+        """
+        Get a user's acknowledgement record for this agreement type.
+        """
+        params = UserAgreementsView.QueryFilterForm(request.query_params)
+        if not params.is_valid():
+            return Response(status=status.HTTP_400_BAD_REQUEST)
+        record = get_latest_user_agreement_record(request.user, agreement_type, params.cleaned_data.get('after'))
+        if record is None:
+            return Response(status=status.HTTP_404_NOT_FOUND)
+        serializer = UserAgreementsSerializer(record)
+        return Response(serializer.data)
+
+    @apidocs.schema(
+        parameters=[
+            apidocs.string_parameter(
+                'agreement_type',
+                apidocs.ParameterLocation.PATH,
+                description="Agreement ID/Type",
+            ),
+        ],
+        responses={
+            200: UserAgreementsSerializer,
+            400: "Bad Request",
+        },
+    )
+    def post(self, request, agreement_type):
+        """
+        Marks a user's acknowledgement of this agreement type.
+        """
+        record = create_user_agreement_record(request.user, agreement_type)
+        serializer = UserAgreementsSerializer(record)
+        return Response(serializer.data, status=status.HTTP_201_CREATED)

From 8612f2acfaca1a312830a3bf5755b6868ec0c92a Mon Sep 17 00:00:00 2001
From: Demid <demid@opencraft.com>
Date: Tue, 24 Dec 2024 07:32:38 +0200
Subject: [PATCH 24/24] fix: use a single 'provider_type' key for storing
 discussion provider type in course (#722)

Both 'provider' and 'provider_type' have been used for storing the discussion provider type in course 'discussions_settings' field, there are some places in the code checking for 'provider' and others checking for 'provider_type', in some cases this can cause a bug where it doesn't detect the correct provider which causes discussion settings not being copied correctly when a course is cloned.

This change prioritises the `provider_type` setting over `provider` and reads `provider` only as a fallback. The `provider` setting is now made read-only just for backwards-compatibility, to avoid confusion.

(cherry picked from commit cbddd4ef84e90669c1d00b1416c3c0b2850bb2fa)

Co-authored-by: kshitij.sobti <kshitij@sobti.in>
---
 cms/djangoapps/contentstore/tasks.py         | 2 +-
 openedx/core/djangoapps/discussions/tasks.py | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/cms/djangoapps/contentstore/tasks.py b/cms/djangoapps/contentstore/tasks.py
index faaf9dc7e1ca..863863238036 100644
--- a/cms/djangoapps/contentstore/tasks.py
+++ b/cms/djangoapps/contentstore/tasks.py
@@ -456,11 +456,11 @@ def sync_discussion_settings(course_key, user):
         if (
             ENABLE_NEW_STRUCTURE_DISCUSSIONS.is_enabled()
             and not course.discussions_settings['provider_type'] == Provider.OPEN_EDX
+            and not course.discussions_settings['provider'] == Provider.OPEN_EDX
         ):
             LOGGER.info(f"New structure is enabled, also updating {course_key} to use new provider")
             course.discussions_settings['enable_graded_units'] = False
             course.discussions_settings['unit_level_visibility'] = True
-            course.discussions_settings['provider'] = Provider.OPEN_EDX
             course.discussions_settings['provider_type'] = Provider.OPEN_EDX
             modulestore().update_item(course, user.id)
 
diff --git a/openedx/core/djangoapps/discussions/tasks.py b/openedx/core/djangoapps/discussions/tasks.py
index fea20dc59bd4..27682246a017 100644
--- a/openedx/core/djangoapps/discussions/tasks.py
+++ b/openedx/core/djangoapps/discussions/tasks.py
@@ -196,7 +196,10 @@ def update_unit_discussion_state_from_discussion_blocks(course_key: CourseKey, u
     """
     store = modulestore()
     course = store.get_course(course_key)
-    provider = course.discussions_settings.get('provider', None)
+    provider = course.discussions_settings.get(
+        'provider_type',
+        course.discussions_settings.get('provider', None),
+    )
     # Only migrate to the new discussion provider if the current provider is the legacy provider.
     log.info(f"Current provider for {course_key} is {provider}")
     if provider is not None and provider != Provider.LEGACY and not force: