revert: fix JWT scopes in XBlock callbacks

[cmltaWt0]

Reverts #986

@regisb Please advice about naming for Revert changes in changelog.
I didn't find a [Revert] example in generated changelog template.
Is it ok to leave it as is - [Security] Revert ... or better to change to - [Revert] XBlock JWT security patch introduced in ...

---

How to test:

> tutor config save --set EDX_PLATFORM_VERSION=open-release/quince.master
> tutor images build openedx
...
 => ERROR [code 4/4] RUN curl -fsSL https://github.com/openedx/edx-platform/commit/89f5f69682a5e1422f89e867491e8974dd0a8208.patch | git am                  0.8s
------
 > [code 4/4] RUN curl -fsSL https://github.com/openedx/edx-platform/commit/89f5f69682a5e1422f89e867491e8974dd0a8208.patch | git am:
0.692 error: patch failed: lms/djangoapps/courseware/block_render.py:27
0.692 error: lms/djangoapps/courseware/block_render.py: patch does not apply
0.692 error: patch failed: lms/djangoapps/courseware/tests/test_block_render.py:91
0.692 error: lms/djangoapps/courseware/tests/test_block_render.py: patch does not apply
0.693 hint: Use 'git am --show-current-patch' to see the failed patch
0.693 Applying: fix: add `JwtRestrictedApplication` check to XBlock callback
0.693 Patch failed at 0001 fix: add `JwtRestrictedApplication` check to XBlock callback
0.693 When you have resolved this problem, run "git am --continue".
0.693 If you prefer to skip this patch, run "git am --skip" instead.
0.693 To restore the original branch and stop patching, run "git am --abort".
------
Dockerfile:50
--------------------
  48 |     # Patch edx-platform
  49 |     # XBlock JWT security fix https://github.com/openedx/edx-platform/pull/34047
  50 | >>> RUN curl -fsSL https://github.com/openedx/edx-platform/commit/89f5f69682a5e1422f89e867491e8974dd0a8208.patch | git am

[regisb]

Hi @cmltaWt0! Unfortunately you are facing expected behaviour: https://docs.tutor.edly.io/configuration.html#running-a-fork-of-edx-platform

In particular:

Do not try to run a fork from the open-release/quince.master branch: Tutor will attempt to apply security and bug fix patches that might already be included in the open-release/quince.master but which were not yet applied to the latest release tag. Patch application will thus fail if you base your fork from the open-release/quince.master branch.

We follow this behaviour because most people will want to run the latest released patch, and not the tip of the quince release branch. This is also to make sure that builds are repeatable. To skip these security fixes in your own build, I advise to create a plugin with a dummy "openedx-dockerfile-git-patches-default" patch, including just a # comment.

[cmltaWt0]

Hi @cmltaWt0! Unfortunately you are facing expected behaviour: https://docs.tutor.edly.io/configuration.html#running-a-fork-of-edx-platform

In particular:

Do not try to run a fork from the open-release/quince.master branch: Tutor will attempt to apply security and bug fix patches that might already be included in the open-release/quince.master but which were not yet applied to the latest release tag. Patch application will thus fail if you base your fork from the open-release/quince.master branch.

We follow this behaviour because most people will want to run the latest released patch, and not the tip of the quince release branch. This is also to make sure that builds are repeatable. To skip these security fixes in your own build, I advise to create a plugin with a dummy "openedx-dockerfile-git-patches-default" patch, including just a # comment.

Thanks @regisb! I'm just trying to prepare for Quince.2 release.

Am I correctly understand that you will remove this patch once we have the Quince.2 tag in edx-platform?
And meanwhile for BTR WG to test quince.master branch we have to use the proposed dummy "openedx-dockerfile-git-patches-default" patch? That's also fine!

[cmltaWt0]

Closing the PR. I've got the correct flow.

[regisb]

Yes, you're 100% correct :)