From 6843f142fdcef43a54a4bae11df39e3ac8aa09f9 Mon Sep 17 00:00:00 2001
From: David Ormsbee <dave@axim.org>
Date: Wed, 2 Oct 2024 12:50:16 -0400
Subject: [PATCH] feat: create volume for private LMS/CMS media assets (#1124)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Content Libraries will store asset files like images, transcripts, and
PDFs using Learning Core–which in turn uses django-storages and expects
some backing file store. These files should NOT be directly accessible
via the browser, both because of access policies and the fact that the
filenames will not be meaningful by themselves and must be translated by
app logic. For details see:

* https://github.com/openedx/openedx-learning/blob/main/docs/decisions/0015-serving-static-assets.rst
* https://github.com/openedx/openedx-learning/blob/main/openedx_learning/apps/authoring/contents/models.py
* https://github.com/openedx/openedx-learning/blob/main/openedx_learning/apps/authoring/components/models.py

The existing /data/openedx-media -> /openedx/media mount is publicly
accessible by browser, and so is not appropriate for this purpose. This
commit creates a parallel /data/openedx-media-private ->
/openedx/media-private volume mapping instead.

This commit also creates configuration needed for openedx-learning to
point to this new directory.

This commit does NOT currently add support for this in k8s, as that will
require changes to the minio plugin.
---
 changelog.d/20240926_151223_dave_private_media.md        | 1 +
 .../apps/openedx/settings/partials/common_all.py         | 9 +++++++++
 tutor/templates/local/docker-compose.yml                 | 5 +++++
 3 files changed, 15 insertions(+)
 create mode 100644 changelog.d/20240926_151223_dave_private_media.md

diff --git a/changelog.d/20240926_151223_dave_private_media.md b/changelog.d/20240926_151223_dave_private_media.md
new file mode 100644
index 0000000000..d7d3d16581
--- /dev/null
+++ b/changelog.d/20240926_151223_dave_private_media.md
@@ -0,0 +1 @@
+- [Feature] Create a new /data/openedx-media-private volume to store media files that are not publicly accessible via the browser, and create configuration that Learning Core (openedx-learning) will use to access this storage space. Learning Core will use a sub-directory of /data/openedx-media-private to store Content Library file uploads, but other apps can create their own sub-directories for their own use. (by @ormsbee)
diff --git a/tutor/templates/apps/openedx/settings/partials/common_all.py b/tutor/templates/apps/openedx/settings/partials/common_all.py
index c317f4c06f..105ac5383c 100644
--- a/tutor/templates/apps/openedx/settings/partials/common_all.py
+++ b/tutor/templates/apps/openedx/settings/partials/common_all.py
@@ -246,5 +246,14 @@
     "user": None,
 }
 
+OPENEDX_LEARNING = {
+    'MEDIA': {
+        "BACKEND": "django.core.files.storage.FileSystemStorage",
+        "OPTIONS": {
+            "location": "/openedx/media-private/openedx-learning",
+        }
+    }
+}
+
 {{ patch("openedx-common-settings") }}
 ######## End of settings common to LMS and CMS
diff --git a/tutor/templates/local/docker-compose.yml b/tutor/templates/local/docker-compose.yml
index 63c2d3c7d3..eddc29cb81 100644
--- a/tutor/templates/local/docker-compose.yml
+++ b/tutor/templates/local/docker-compose.yml
@@ -15,6 +15,7 @@ services:
       - ../../data/lms:/mounts/lms
       - ../../data/cms:/mounts/cms
       - ../../data/openedx-media:/mounts/openedx
+      - ../../data/openedx-media-private:/mounts/openedx-private
       {% if RUN_MONGODB %}- ../../data/mongodb:/mounts/mongodb{% endif %}
       {% if RUN_MYSQL %}- ../../data/mysql:/mounts/mysql{% endif %}
       {% if RUN_ELASTICSEARCH %}- ../../data/elasticsearch:/mounts/elasticsearch{% endif %}
@@ -112,6 +113,7 @@ services:
       - ../apps/openedx/uwsgi.ini:/openedx/uwsgi.ini:ro
       - ../../data/lms:/openedx/data
       - ../../data/openedx-media:/openedx/media
+      - ../../data/openedx-media-private:/openedx/media-private
       {%- for mount in iter_mounts(MOUNTS, "openedx", "lms") %}
       - {{ mount }}
       {%- endfor %}
@@ -138,6 +140,7 @@ services:
       - ../apps/openedx/uwsgi.ini:/openedx/uwsgi.ini:ro
       - ../../data/cms:/openedx/data
       - ../../data/openedx-media:/openedx/media
+      - ../../data/openedx-media-private:/openedx/media-private
       {%- for mount in iter_mounts(MOUNTS, "openedx", "cms") %}
       - {{ mount }}
       {%- endfor %}
@@ -166,6 +169,7 @@ services:
       - ../apps/openedx/config:/openedx/config:ro
       - ../../data/lms:/openedx/data
       - ../../data/openedx-media:/openedx/media
+      - ../../data/openedx-media-private:/openedx/media-private
       {%- for mount in iter_mounts(MOUNTS, "openedx", "lms-worker") %}
       - {{ mount }}
       {%- endfor %}
@@ -185,6 +189,7 @@ services:
       - ../apps/openedx/config:/openedx/config:ro
       - ../../data/cms:/openedx/data
       - ../../data/openedx-media:/openedx/media
+      - ../../data/openedx-media-private:/openedx/media-private
       {%- for mount in iter_mounts(MOUNTS, "openedx", "cms-worker") %}
       - {{ mount }}
       {%- endfor %}