Merge pull request #660 from open-craft/agrendalath/se-6196-privilege…

…-escalation-backport

fix: prevent setting user attributes from JWT in Studio

cms/envs/common.py

@@ -2242,7 +2242,6 @@
 
 ############################ OAUTH2 Provider ###################################
 
-
 # 5 minute expiration time for JWT id tokens issued for external API requests.
 OAUTH_ID_TOKEN_EXPIRATION = 5 * 60
 
@@ -2252,6 +2251,12 @@
 # Affiliate cookie tracking
 AFFILIATE_COOKIE_NAME = 'dev_affiliate_id'
 
+EDX_DRF_EXTENSIONS = {
+    # Set this value to an empty dict in order to prevent automatically updating
+    # user data from values in (possibly stale) JWTs.
+    'JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING': {},
+}
+
 ############## Settings for Studio Context Sensitive Help ##############
 
 HELP_TOKENS_INI_FILE = REPO_ROOT / "cms" / "envs" / "help_tokens.ini"