From efd8df600d6d07ae543af1f39990bf7ba9cba158 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Mon, 22 Jan 2024 09:31:36 +0100
Subject: [PATCH] security: fix JWT scopes in XBlock callbacks
See: https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm https://github.com/openedx/edx-platform/pull/34047
---
 changelog.d/20240122_093036_regis_jwt_security.md | 1 +
 tutor/templates/build/openedx/Dockerfile | 2 ++
 2 files changed, 3 insertions(+)
 create mode 100644 changelog.d/20240122_093036_regis_jwt_security.md
diff --git a/changelog.d/20240122_093036_regis_jwt_security.md b/changelog.d/20240122_093036_regis_jwt_security.md
new file mode 100644
index 0000000..88ed777
--- /dev/null
+++ b/changelog.d/20240122_093036_regis_jwt_security.md
@@ -0,0 +1 @@
+- [Security] Fix JWT scopes in XBlock callbacks. (by @regisb)
diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
index 0aef8e8..51e7db4 100644
--- a/tutor/templates/build/openedx/Dockerfile
+++ b/tutor/templates/build/openedx/Dockerfile
@@ -51,6 +51,8 @@ RUN git config --global user.email "tutor@overhang.io" \
 {{ patch("openedx-dockerfile-git-patches-default") }}
 {%- else %}
 # Patch edx-platform
+# XBlock JWT security fix https://github.com/openedx/edx-platform/pull/34047
+RUN curl -fsSL https://github.com/openedx/edx-platform/commit/89f5f69682a5e1422f89e867491e8974dd0a8208.patch | git am
 {%- endif %}
 {# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/.patch | git am #}
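Review bot: The added `RUN curl -fsSL … | git am` line in the Dockerfile hunk takes its exit status from `git am` alone, so the build relies on `git am` rejecting an empty or truncated stream to notice a failed download of the security patch. Fetching to a file first makes curl's `-f` fail the build directly: `RUN curl -fsSL -o /tmp/fix.patch https://github.com/openedx/edx-platform/commit/89f5f69682a5e1422f89e867491e8974dd0a8208.patch && git am /tmp/fix.patch && rm /tmp/fix.patch`. The line also sits in the `{%- else %}` branch, so images built with a non-empty `openedx-dockerfile-git-patches-default` patch appear not to receive the fix. The opening `if` is outside the hunk, so this is inferred, but the changelog entry or the comment should say that such builds must apply the commit themselves. The new comment could also carry the advisory ID from the commit message, e.g. `# XBlock JWT security fix (GHSA-qx8m-mqx3-j9fm) https://github.com/openedx/edx-platform/pull/34047`.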