Releases: openedx/xblock-lti-consumer

v8.0.0

01 Feb 15:45
3088b61

What's Changed

Full Changelog: 7.3.0...v8.0.0

refactor: fix module-containing imports

30 Jan 17:14
c24aebc

What's Changed

  • [BD-13][BB-6926] refactor: fix module-containing imports by @0x29a in #320

Full Changelog: 7.2.3...7.3.0

Fix bug in rendering buttons and message in PII sharing consent dialog.

24 Jan 20:50
390de4c

This release fixes a bug in the way that the PII sharing consent dialog renders. The bug resulted in the "OK" and "Cancel" buttons as well as the text of the PII sharing consent prompt appearing inside an inappropriate component when there was more than one LTI component in a unit.

7.2.2 Fixes LTI 1.3 grade injection vulnerability

24 Jan 16:44
53823ea

7.2.1 URL configuration support

10 Jan 22:10
7369998

feat: new release for url settings (#323)

Fix PII Sharing Behavior and Enable PII Sharing in LTI 1.3 Launches and Fix LTI 1.3 Modal Launches

15 Dec 20:39
7200400

This release addresses a number of issues and bugs in sharing personally identifiable information (PII) in LTI
launches.

  • Replaces the PII sharing consent modal with an inline PII sharing consent dialog to better suit the three different
    LTI launch types (i.e. inline, modal, and new_window).

  • Adds a PII consent dialog for inline LTI launches.

  • Fixes a bug in the modal LTI launch in LTI 1.3 that was preventing the LTI launch.

  • Fixes a bug in evaluating and caching whether PII sharing is enabled via the CourseAllowPIISharingInLTIFlag.

    • This fixes a bug where the PII sharing fields in the LTI XBlock edit menu appeared regardless of the existence or
      value of this flag. The PII sharing fields will now always be hidden if either no CourseAllowPIISharingInLTIFlag
      exists for a course or if a CourseAllowPIISharingInLTIFlag exists for the course but is not enabled.
    • This fixes a bug in the backwards compatibility code in lti_access_to_learners_editable. Now, when a user opens
      the LTI XBlock edit menu, a CourseAllowPIISharingInLTIFlag will always be created for courses that contain one
      or more LTI XBlocks with a PII sharing field set to True. Before, this would occur inconsistently due to a bug
      in the caching code.
  • Enables sharing username and email in LTI 1.3 launches.

    • Adds preferred_username and email attributes to the Lti1p3LaunchData class. The application or context
      that instantiates Lti1p3LaunchData is responsible for ensuring that username and email can be sent via an LTI
      1.3 launch and supplying these data, if appropriate.
  • Adds code to eventually support the value of CourseAllowPIISharingInLTIFlag controlling PII sharing for a given
    course in LTI 1.1 and LTI 1.3 launches.

    • This code does not currently work, because the LTI configuration service is not available or defined in all runtime
      contexts. This code works in the LTI XBlock edit menu (i.e. the studio_view), but it does not work in the Studio
      preview context (i.e. the author_view) or the LMS (i.e. the student_view). The effect is that
      the CourseAllowPIISharingInLTIFlag can only control the appearance of the username and email PII sharing fields in
      the XBlock edit menu; it does not control PII sharing. We plan to fix this bug in the future.

7.1.0 Allow disabling NRPS pii

12 Dec 14:30
3f2bab5

feat: adds setting to prevent nrps pii (#315)

We would like to enable PII in an LTI 1.3 launch, but turning that flag on would allow the tool to grab PII for the entire course roster via NRPS. We have not fully evaluated the privacy concerns if that is allowed. For the time being this platform setting can wholly disable PII over NRPS to avoid the issue.

7.0.3 Remove LMS Waffle on model

02 Dec 15:44
b62efa2

fix: remove lms specific waffle check (#312)

Fix LTI 1.1 Basic Outcomes Service and LTI 2.0 Result Service to Support External User IDs

29 Nov 21:41
78cabcf

In #307, we added the ability to send a stable, static user identifier (i.e. external user ID) to fix failed launches with the QwikLabs tool. This is because the QwikLabs tool did not work with the course-anonymized user IDs we used to send (i.e. anonymous user IDs). Inadvertently, this change broke the LTI 1.1 Basic Outcomes Service and the LTI 2.0 Result Service for courses that use the external user ID (i.e. they have the lti_consumer.enable_external_user_id_1p1_launches CourseWaffleFlag enabled). The Basic Outcomes Service and Result Service handle grade pass backs. Because we now have two ways to identify a user in LTI 1.1/2.0, we must update the Basic Outcomes Service and Result Service to support both.

  • Fix the LTI 1.1 Outcome Results Service to be able to tie an outcome pass back to a user when the user ID is an
    external_user_id.
  • Fix the LTI 2.0 Result Service to be able to tie a result pass back to a user when the user ID is an
    external_user_id.
  • Update the RESULT_SERVICE_SUFFIX_PARSER regex string to be able to parse UUIDs to accommodate external_user_ids.
  • Add a get_lti_1p1_user_from_user_id method to the LtiConsumerXBlock to get the user object associated with a user
    ID.
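
An added example, not code from xblock-lti-consumer: a sketch of grade pass back handling that accepts both identifier types described above. The "user/<id>" suffix shape, the 32-hex form of the anonymous ID, the pattern and function names, and the lookup tables are assumptions made for illustration; the choice to resolve an ID only through the table matching the course's launch mode is this sketch's, not the project's.

```python
import re

# Assumed suffix shape for this sketch: "user/<id>". Two id forms are accepted:
# a 32-hex course-anonymized id, or a canonical hyphenated UUID (external id).
ANON_ID = r"[0-9a-f]{32}"
EXTERNAL_ID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SUFFIX_PARSER = re.compile(rf"user/(?P<user_id>{EXTERNAL_ID}|{ANON_ID})")

# Illustrative narrow pattern (hypothetical): "\w" excludes "-", so a UUID is
# silently truncated at its first hyphen instead of being rejected.
NARROW_PARSER = re.compile(r"^user/(?P<user_id>\w+)")

# Constructed sample data standing in for the platform's two id tables.
ANON_TO_USER = {"5f2a9c0e4b7d4e1f8a3c6d9b0e1f2a3c": "alice"}
EXTERNAL_TO_USER = {"0b8e6f4a-2c1d-4e5f-9a7b-3c2d1e0f9a8b": "bob"}


def parse_user_id(suffix):
    """Return the id from a pass back suffix, or None unless the whole suffix matches."""
    match = SUFFIX_PARSER.fullmatch(suffix)
    return match.group("user_id") if match else None


def narrow_capture(suffix):
    """Return what the narrow pattern captures, to show the truncation."""
    match = NARROW_PARSER.match(suffix)
    return match.group("user_id") if match else None


def resolve_user(suffix, external_ids_enabled):
    """Map a suffix to a user via the id table the course launches with.

    There is no fallback to the other table, so an id of one type can never
    be credited through the other namespace.
    """
    user_id = parse_user_id(suffix)
    if user_id is None:
        return None
    table = EXTERNAL_TO_USER if external_ids_enabled else ANON_TO_USER
    return table.get(user_id)
```

Using fullmatch rather than a prefix match means a suffix with trailing path segments is rejected outright instead of being partially parsed.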

Fix LtiConfiguration clean method to look only at location not block

29 Nov 16:52
418b1e3

Fix LtiConfiguration clean method to look only at location so that it can work in environments that cannot load the block.