diff --git a/cms/djangoapps/contentstore/tasks.py b/cms/djangoapps/contentstore/tasks.py
index b6cb2af53d56..d729828b5eda 100644
--- a/cms/djangoapps/contentstore/tasks.py
+++ b/cms/djangoapps/contentstore/tasks.py
@@ -473,12 +473,12 @@ def sync_discussion_settings(course_key, user):
 
         if (
             ENABLE_NEW_STRUCTURE_DISCUSSIONS.is_enabled()
-            and not course.discussions_settings['provider_type'] == Provider.OPEN_EDX
+            and not course.discussions_settings.get('provider_type', None) == Provider.OPEN_EDX
+            and not course.discussions_settings.get('provider', None) == Provider.OPEN_EDX
         ):
             LOGGER.info(f"New structure is enabled, also updating {course_key} to use new provider")
             course.discussions_settings['enable_graded_units'] = False
             course.discussions_settings['unit_level_visibility'] = True
-            course.discussions_settings['provider'] = Provider.OPEN_EDX
             course.discussions_settings['provider_type'] = Provider.OPEN_EDX
             modulestore().update_item(course, user.id)
 
diff --git a/cms/djangoapps/contentstore/xblock_storage_handlers/view_handlers.py b/cms/djangoapps/contentstore/xblock_storage_handlers/view_handlers.py
index 31a17466769d..b4a65596a04c 100644
--- a/cms/djangoapps/contentstore/xblock_storage_handlers/view_handlers.py
+++ b/cms/djangoapps/contentstore/xblock_storage_handlers/view_handlers.py
@@ -429,6 +429,11 @@ def _save_xblock(
                 for metadata_key, value in metadata.items():
                     field = xblock.fields[metadata_key]
 
+                    # Prevent setting release date to null
+                    # remove field and inherit from parent instead
+                    if metadata_key == "start" and value == "":
+                        value = None
+
                     if value is None:
                         field.delete_from(xblock)
                     else:
diff --git a/cms/envs/common.py b/cms/envs/common.py
index 65425f566597..1507acef1009 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -564,6 +564,17 @@
     # .. toggle_creation_date: 2024-04-10
     'BADGES_ENABLED': False,
 
+    # .. toggle_name: FEATURES['ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the legacy MD5 hashing algorithm to generate anonymous user id
+    #   instead of the newer SHAKE128 hashing algorithm
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2022-08-08
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/openedx/edx-platform/pull/30832'
+    'ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID': False,
+
     # .. toggle_name: FEATURES['IN_CONTEXT_DISCUSSION_ENABLED_DEFAULT']
     # .. toggle_implementation: DjangoSetting
     # .. toggle_default: True
diff --git a/common/djangoapps/student/models/user.py b/common/djangoapps/student/models/user.py
index 7fe69bd678e4..1c1c2aa23393 100644
--- a/common/djangoapps/student/models/user.py
+++ b/common/djangoapps/student/models/user.py
@@ -154,12 +154,21 @@ def anonymous_id_for_user(user, course_id):
         # function: Rotate at will, since the hashes are stored and
         # will not change.
         # include the secret key as a salt, and to make the ids unique across different LMS installs.
-        hasher = hashlib.shake_128()
+        legacy_hash_enabled = settings.FEATURES.get('ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID', False)
+        if legacy_hash_enabled:
+            # Use legacy MD5 algorithm if flag enabled
+            hasher = hashlib.md5()
+        else:
+            hasher = hashlib.shake_128()
         hasher.update(settings.SECRET_KEY.encode('utf8'))
         hasher.update(str(user.id).encode('utf8'))
         if course_id:
             hasher.update(str(course_id).encode('utf-8'))
-        anonymous_user_id = hasher.hexdigest(16)
+
+        if legacy_hash_enabled:
+            anonymous_user_id = hasher.hexdigest()
+        else:
+            anonymous_user_id = hasher.hexdigest(16)  # pylint: disable=too-many-function-args
 
         try:
             AnonymousUserId.objects.create(
diff --git a/common/djangoapps/student/roles.py b/common/djangoapps/student/roles.py
index 971433c9c523..cd7ced4e9fdd 100644
--- a/common/djangoapps/student/roles.py
+++ b/common/djangoapps/student/roles.py
@@ -211,7 +211,7 @@ class GlobalStaff(AccessRole):
     The global staff role
     """
     def has_user(self, user):
-        return bool(user and user.is_staff)
+        return bool(user and (user.is_superuser or user.is_staff))
 
     def add_users(self, *users):
         for user in users:
@@ -361,6 +361,25 @@ class CourseLimitedStaffRole(CourseStaffRole):
     BASE_ROLE = CourseStaffRole.ROLE
 
 
+@register_access_role
+class eSHEInstructorRole(CourseStaffRole):
+    """A Staff member of a course without access to the membership tab and enrollment-related operations."""
+
+    ROLE = 'eshe_instructor'
+    BASE_ROLE = CourseStaffRole.ROLE
+
+
+@register_access_role
+class TeachingAssistantRole(CourseStaffRole):
+    """
+    A Staff member of a course without access to the membership tab, enrollment-related operations and
+    grade-related operations.
+    """
+
+    ROLE = 'teaching_assistant'
+    BASE_ROLE = CourseStaffRole.ROLE
+
+
 @register_access_role
 class CourseInstructorRole(CourseRole):
     """A course Instructor"""
diff --git a/common/djangoapps/student/tests/test_roles.py b/common/djangoapps/student/tests/test_roles.py
index da1aad19a803..816e20fa198b 100644
--- a/common/djangoapps/student/tests/test_roles.py
+++ b/common/djangoapps/student/tests/test_roles.py
@@ -17,6 +17,8 @@
     CourseStaffRole,
     CourseFinanceAdminRole,
     CourseSalesAdminRole,
+    eSHEInstructorRole,
+    TeachingAssistantRole,
     LibraryUserRole,
     CourseDataResearcherRole,
     GlobalStaff,
@@ -199,6 +201,8 @@ class RoleCacheTestCase(TestCase):  # lint-amnesty, pylint: disable=missing-clas
     ROLES = (
         (CourseStaffRole(IN_KEY), ('staff', IN_KEY, 'edX')),
         (CourseLimitedStaffRole(IN_KEY), ('limited_staff', IN_KEY, 'edX')),
+        (eSHEInstructorRole(IN_KEY), ('eshe_instructor', IN_KEY, 'edX')),
+        (TeachingAssistantRole(IN_KEY), ('teaching_assistant', IN_KEY, 'edX')),
         (CourseInstructorRole(IN_KEY), ('instructor', IN_KEY, 'edX')),
         (OrgStaffRole(IN_KEY.org), ('staff', None, 'edX')),
         (CourseFinanceAdminRole(IN_KEY), ('finance_admin', IN_KEY, 'edX')),
diff --git a/common/djangoapps/student/tests/tests.py b/common/djangoapps/student/tests/tests.py
index c2e6d3b2aa9c..52440f7a148d 100644
--- a/common/djangoapps/student/tests/tests.py
+++ b/common/djangoapps/student/tests/tests.py
@@ -1056,6 +1056,17 @@ def test_anonymous_id_secret_key_changes_result_in_diff_values_for_same_new_user
             assert anonymous_id != new_anonymous_id
             assert self.user == user_by_anonymous_id(new_anonymous_id)
 
+    def test_enable_legacy_hash_flag(self):
+        """Test that different anonymous id returned if ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID enabled."""
+        CourseEnrollment.enroll(self.user, self.course.id)
+        anonymous_id = anonymous_id_for_user(self.user, self.course.id)
+        with patch.dict(settings.FEATURES, ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID=True):
+            # Recreate user object to clear cached anonymous id.
+            self.user = User.objects.get(pk=self.user.id)
+            AnonymousUserId.objects.filter(user=self.user).filter(course_id=self.course.id).delete()
+            new_anonymous_id = anonymous_id_for_user(self.user, self.course.id)
+            assert anonymous_id != new_anonymous_id
+
 
 @skip_unless_lms
 @patch('openedx.core.djangoapps.programs.utils.get_programs')
diff --git a/lms/djangoapps/courseware/tabs.py b/lms/djangoapps/courseware/tabs.py
index 2a67b6454e42..de38871832c1 100644
--- a/lms/djangoapps/courseware/tabs.py
+++ b/lms/djangoapps/courseware/tabs.py
@@ -315,6 +315,12 @@ def link_func(course, _reverse_func):
         tab_dict['link_func'] = link_func
         super().__init__(tab_dict)
 
+    @classmethod
+    def is_enabled(cls, course, user=None):
+        if settings.FEATURES.get('DISABLE_DATES_TAB'):
+            return False
+        return super().is_enabled(course, user)
+
 
 def get_course_tab_list(user, course):
     """
diff --git a/lms/djangoapps/courseware/tests/test_tabs.py b/lms/djangoapps/courseware/tests/test_tabs.py
index 6ad7ef73de01..e882efd3cbbf 100644
--- a/lms/djangoapps/courseware/tests/test_tabs.py
+++ b/lms/djangoapps/courseware/tests/test_tabs.py
@@ -885,3 +885,16 @@ def test_singular_dates_tab(self):
             if tab.type == 'dates':
                 num_dates_tabs += 1
         assert num_dates_tabs == 1
+
+    def test_dates_tab_is_enabled_by_default(self):
+        """Test dates tab is enabled by default."""
+        tab = DatesTab({'type': DatesTab.type, 'name': 'dates'})
+        user = self.create_mock_user()
+        assert self.is_tab_enabled(tab, self.course, user)
+
+    @patch.dict("django.conf.settings.FEATURES", {"DISABLE_DATES_TAB": True})
+    def test_dates_tab_disabled_by_feature_flag(self):
+        """Test dates tab is disabled by the feature flag."""
+        tab = DatesTab({'type': DatesTab.type, 'name': 'dates'})
+        user = self.create_mock_user()
+        assert not self.is_tab_enabled(tab, self.course, user)
diff --git a/lms/djangoapps/instructor/access.py b/lms/djangoapps/instructor/access.py
index a5d25769ca10..732b7b164236 100644
--- a/lms/djangoapps/instructor/access.py
+++ b/lms/djangoapps/instructor/access.py
@@ -19,6 +19,8 @@
     CourseInstructorRole,
     CourseLimitedStaffRole,
     CourseStaffRole,
+    eSHEInstructorRole,
+    TeachingAssistantRole,
 )
 from lms.djangoapps.instructor.enrollment import enroll_email, get_email_params
 from openedx.core.djangoapps.django_comment_common.models import Role
@@ -30,6 +32,8 @@
     'instructor': CourseInstructorRole,
     'staff': CourseStaffRole,
     'limited_staff': CourseLimitedStaffRole,
+    'eshe_instructor': eSHEInstructorRole,
+    'teaching_assistant': TeachingAssistantRole,
     'ccx_coach': CourseCcxCoachRole,
     'data_researcher': CourseDataResearcherRole,
 }
diff --git a/lms/djangoapps/instructor/permissions.py b/lms/djangoapps/instructor/permissions.py
index 24e0079fcce3..26623f70b867 100644
--- a/lms/djangoapps/instructor/permissions.py
+++ b/lms/djangoapps/instructor/permissions.py
@@ -38,6 +38,21 @@
 VIEW_ENROLLMENTS = 'instructor.view_enrollments'
 VIEW_FORUM_MEMBERS = 'instructor.view_forum_members'
 
+# Due to how the roles iheritance is implemented currently, eshe_instructor and teaching_assistant have implicit
+# staff access, but unlike staff, they shouldn't be able to enroll and do grade-related operations as per client's
+# requirements. At the same time, all other staff-derived roles, like Limited Staff, should be able to enroll students.
+# This solution is far from perfect, but it's probably the best we can do untill the roles system is reworked.
+_is_teaching_assistant = HasRolesRule('teaching_assistant')
+_is_eshe_instructor = HasRolesRule('eshe_instructor')
+_is_eshe_instructor_or_teaching_assistant = _is_teaching_assistant | _is_eshe_instructor
+is_staff_but_not_teaching_assistant = (
+    (_is_teaching_assistant & HasAccessRule('staff', strict=True)) |
+    (~_is_teaching_assistant & HasAccessRule('staff'))
+)
+is_staff_but_not_eshe_instructor_or_teaching_assistant = (
+    (_is_eshe_instructor_or_teaching_assistant & HasAccessRule('staff', strict=True)) |
+    (~_is_eshe_instructor_or_teaching_assistant & HasAccessRule('staff'))
+)
 
 perms[ALLOW_STUDENT_TO_BYPASS_ENTRANCE_EXAM] = HasAccessRule('staff')
 perms[ASSIGN_TO_COHORTS] = HasAccessRule('staff')
@@ -51,17 +66,17 @@
 perms[START_CERTIFICATE_REGENERATION] = is_staff | HasAccessRule('instructor')
 perms[CERTIFICATE_EXCEPTION_VIEW] = is_staff | HasAccessRule('instructor')
 perms[CERTIFICATE_INVALIDATION_VIEW] = is_staff | HasAccessRule('instructor')
-perms[GIVE_STUDENT_EXTENSION] = HasAccessRule('staff')
+perms[GIVE_STUDENT_EXTENSION] = is_staff_but_not_teaching_assistant
 perms[VIEW_ISSUED_CERTIFICATES] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 # only global staff or those with the data_researcher role can access the data download tab
 # HasAccessRule('staff') also includes course staff
 perms[CAN_RESEARCH] = is_staff | HasRolesRule('data_researcher')
-perms[CAN_ENROLL] = HasAccessRule('staff')
+perms[CAN_ENROLL] = is_staff_but_not_eshe_instructor_or_teaching_assistant
 perms[CAN_BETATEST] = HasAccessRule('instructor')
 perms[ENROLLMENT_REPORT] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 perms[VIEW_COUPONS] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 perms[EXAM_RESULTS] = HasAccessRule('staff')
-perms[OVERRIDE_GRADES] = HasAccessRule('staff')
+perms[OVERRIDE_GRADES] = is_staff_but_not_teaching_assistant
 perms[SHOW_TASKS] = HasAccessRule('staff') | HasRolesRule('data_researcher')
 perms[EMAIL] = HasAccessRule('staff')
 perms[RESCORE_EXAMS] = HasAccessRule('instructor')
diff --git a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
index e48098b9ef80..0a7da6d2b574 100644
--- a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
+++ b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
@@ -30,6 +30,7 @@
 from lms.djangoapps.courseware.tabs import get_course_tab_list
 from lms.djangoapps.courseware.tests.factories import StudentModuleFactory
 from lms.djangoapps.courseware.tests.helpers import LoginEnrollmentTestCase
+from lms.djangoapps.discussion.django_comment_client.tests.factories import RoleFactory
 from lms.djangoapps.grades.config.waffle import WRITABLE_GRADEBOOK
 from lms.djangoapps.instructor.toggles import DATA_DOWNLOAD_V2
 from lms.djangoapps.instructor.views.gradebook_api import calculate_page_info
@@ -38,6 +39,7 @@
     ENABLE_PAGES_AND_RESOURCES_MICROFRONTEND,
     OVERRIDE_DISCUSSION_LEGACY_SETTINGS_FLAG
 )
+from openedx.core.djangoapps.django_comment_common.models import FORUM_ROLE_ADMINISTRATOR
 from openedx.core.djangoapps.site_configuration.models import SiteConfiguration
 
 
@@ -315,6 +317,103 @@ def test_membership_reason_field_visibility(self, enbale_reason_field):
         else:
             self.assertNotContains(response, reason_field)
 
+    @ddt.data('eshe_instructor', 'teaching_assistant')
+    def test_membership_tab_content(self, role):
+        """
+        Verify that eSHE Instructors and Teaching Assistants don't have access to membership tab and
+        work correctly with other roles.
+        """
+
+        membership_section = (
+            '<li class="nav-item">'
+            '<button type="button" class="btn-link membership" data-section="membership">'
+            'Membership'
+            '</button>'
+            '</li>'
+        )
+        batch_enrollment = (
+            '<fieldset class="batch-enrollment membership-section">'
+        )
+
+        user = UserFactory.create()
+        self.client.login(username=user.username, password=self.TEST_PASSWORD)
+
+        # eSHE Instructors / Teaching Assistants shouldn't have access to membership tab
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role=role,
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertNotContains(response, membership_section)
+
+        # However if combined with forum_admin, they should have access to this
+        # tab, but not to batch enrollment
+        forum_admin_role = RoleFactory(name=FORUM_ROLE_ADMINISTRATOR, course_id=self.course.id)
+        forum_admin_role.users.add(user)
+        response = self.client.get(self.url)
+        self.assertContains(response, membership_section)
+        self.assertNotContains(response, batch_enrollment)
+
+        # Combined with course staff, should have union of all three roles
+        # permissions sets
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role='staff',
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertContains(response, membership_section)
+        self.assertContains(response, batch_enrollment)
+
+    def test_student_admin_tab_content(self):
+        """
+        Verify that Teaching Assistants don't have access to the gradebook-related sections
+        of the student admin tab.
+        """
+
+        # Should be visible to Teaching Assistants
+        view_enrollment_status = '<div class="student-enrollment-status-container action-type-container">'
+        view_progress = '<div class="student-progress-container action-type-container">'
+
+        # Should not be visible to Teaching Assistants
+        view_gradebook = '<div class="action-type-container ">'
+        adjust_learner_grade = '<div class="student-grade-container action-type-container ">'
+        adjust_all_learners_grades = '<div class="course-specific-container action-type-container ">'
+
+        user = UserFactory.create()
+        self.client.login(username=user.username, password=self.TEST_PASSWORD)
+
+        # Teaching Assistants shouldn't have access to the gradebook-related sections
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role='teaching_assistant',
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertContains(response, view_enrollment_status)
+        self.assertContains(response, view_progress)
+        self.assertNotContains(response, view_gradebook)
+        self.assertNotContains(response, adjust_learner_grade)
+        self.assertNotContains(response, adjust_all_learners_grades)
+
+        # However if combined with instructor, they should have access to all sections
+        CourseAccessRoleFactory(
+            course_id=self.course.id,
+            user=user,
+            role='instructor',
+            org=self.course.id.org
+        )
+        response = self.client.get(self.url)
+        self.assertContains(response, view_enrollment_status)
+        self.assertContains(response, view_progress)
+        self.assertContains(response, view_gradebook)
+        self.assertContains(response, adjust_learner_grade)
+        self.assertContains(response, adjust_all_learners_grades)
+
     def test_student_admin_staff_instructor(self):
         """
         Verify that staff users are not able to see course-wide options, while still
diff --git a/lms/djangoapps/instructor/views/instructor_dashboard.py b/lms/djangoapps/instructor/views/instructor_dashboard.py
index b6057f819452..937ba4f5f440 100644
--- a/lms/djangoapps/instructor/views/instructor_dashboard.py
+++ b/lms/djangoapps/instructor/views/instructor_dashboard.py
@@ -31,7 +31,10 @@
     CourseFinanceAdminRole,
     CourseInstructorRole,
     CourseSalesAdminRole,
-    CourseStaffRole
+    CourseStaffRole,
+    eSHEInstructorRole,
+    TeachingAssistantRole,
+    strict_role_checking,
 )
 from common.djangoapps.util.json_request import JsonResponse
 from lms.djangoapps.bulk_email.api import is_bulk_email_feature_enabled
@@ -122,6 +125,8 @@ def instructor_dashboard_2(request, course_id):  # lint-amnesty, pylint: disable
     access = {
         'admin': request.user.is_staff,
         'instructor': bool(has_access(request.user, 'instructor', course)),
+        'eshe_instructor': eSHEInstructorRole(course_key).has_user(request.user),
+        'teaching_assistant': TeachingAssistantRole(course_key).has_user(request.user),
         'finance_admin': CourseFinanceAdminRole(course_key).has_user(request.user),
         'sales_admin': CourseSalesAdminRole(course_key).has_user(request.user),
         'staff': bool(has_access(request.user, 'staff', course)),
@@ -129,6 +134,9 @@ def instructor_dashboard_2(request, course_id):  # lint-amnesty, pylint: disable
         'data_researcher': request.user.has_perm(permissions.CAN_RESEARCH, course_key),
     }
 
+    with strict_role_checking():
+        access['explicit_staff'] = bool(has_access(request.user, 'staff', course))
+
     if not request.user.has_perm(permissions.VIEW_DASHBOARD, course_key):
         raise Http404()
 
@@ -518,7 +526,19 @@ def _section_membership(course, access):
             'update_forum_role_membership',
             kwargs={'course_id': str(course_key)}
         ),
-        'is_reason_field_enabled': configuration_helpers.get_value('ENABLE_MANUAL_ENROLLMENT_REASON_FIELD', False)
+        'is_reason_field_enabled': configuration_helpers.get_value('ENABLE_MANUAL_ENROLLMENT_REASON_FIELD', False),
+
+        # Membership section should be hidden for eSHE instructors.
+        # Since they get Course Staff role implicitly, we need to hide this
+        # section if the user doesn't have the Course Staff role set explicitly
+        # or have the Discussion Admin role.
+        'is_hidden': (
+            not access['forum_admin']
+            and (
+                (access['eshe_instructor'] or access['teaching_assistant'])
+                and not access['explicit_staff']
+            )
+        ),
     }
     return section_data
 
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 763bd83b9d8e..02b5a212d7fb 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1067,6 +1067,46 @@
     # .. toggle_creation_date: 2024-04-02
     # .. toggle_target_removal_date: None
     'BADGES_ENABLED': False,
+
+    # .. toggle_name: FEATURES['ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the legacy MD5 hashing algorithm to generate anonymous user id
+    #   instead of the newer SHAKE128 hashing algorithm
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2022-08-08
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/openedx/edx-platform/pull/30832'
+    'ENABLE_LEGACY_MD5_HASH_FOR_ANONYMOUS_USER_ID': False,
+
+    # .. toggle_name: FEATURES['ENABLE_ESHE_INSTRUCTOR_ROLE']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the ESHE Instructor role
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2023-07-31
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/open-craft/edx-platform/pull/561/files'
+    'ENABLE_ESHE_INSTRUCTOR_ROLE': False,
+
+    # .. toggle_name: FEATURES['ENABLE_TEACHING_ASSISTANT_ROLE']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Whether to enable the Teaching Assistant role
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2024-02-12
+    # .. toggle_target_removal_date: None
+    # .. toggle_tickets: 'https://github.com/open-craft/edx-platform/pull/632/files'
+    'ENABLE_TEACHING_ASSISTANT_ROLE': False,
+
+    # .. toggle_name: FEATURES['DISABLE_DATES_TAB']
+    # .. toggle_implementation: DjangoSetting
+    # .. toggle_default: False
+    # .. toggle_description: Disables dates tab for all courses.
+    # .. toggle_use_cases: open_edx
+    # .. toggle_creation_date: 2024-04-15
+    # .. toggle_tickets: https://github.com/openedx/edx-platform/pull/34511
+    'DISABLE_DATES_TAB': False,
 }
 
 # Specifies extra XBlock fields that should available when requested via the Course Blocks API
diff --git a/lms/static/js/fixtures/instructor_dashboard/membership.html b/lms/static/js/fixtures/instructor_dashboard/membership.html
index 85ab52c9665e..383552f7d83f 100644
--- a/lms/static/js/fixtures/instructor_dashboard/membership.html
+++ b/lms/static/js/fixtures/instructor_dashboard/membership.html
@@ -11,6 +11,8 @@ <h3 class="hd hd-3">Course Team Management</h3>
         <select id="member-lists-selector" class="member-lists-selector">
           <option value="staff">Staff</option>
           <option value="limited_staff">Limited Staff</option>
+          <option value="eshe_instructor">eSHE Instructor</option>
+          <option value="teaching_assistant">Teaching Assistant</option>
           <option value="instructor">Admin</option>
           <option value="beta">Beta Testers</option>
           <option value="Administrator">Discussion Admins</option>
diff --git a/lms/static/js/student_account/views/LoginView.js b/lms/static/js/student_account/views/LoginView.js
index 5832f2c088be..0bf8fa854903 100644
--- a/lms/static/js/student_account/views/LoginView.js
+++ b/lms/static/js/student_account/views/LoginView.js
@@ -216,6 +216,7 @@
             saveError: function(error) {
                 var errorCode;
                 var msg;
+                var redirectURL;
                 if (error.status === 0) {
                     msg = gettext('An error has occurred. Check your Internet connection and try again.');
                 } else if (error.status === 500) {
@@ -245,6 +246,7 @@
                 } else if (error.responseJSON !== undefined) {
                     msg = error.responseJSON.value;
                     errorCode = error.responseJSON.error_code;
+                    redirectURL = error.responseJSON.redirect_url;
                 } else {
                     msg = gettext('An unexpected error has occurred.');
                 }
@@ -266,6 +268,9 @@
                         this.clearFormErrors();
                         this.renderThirdPartyAuthWarning();
                     }
+                    if (typeof redirectURL === "string" && redirectURL.length) {
+                        window.location.href = redirectURL;
+                    }
                 } else {
                     this.renderErrors(this.defaultFormErrorsTitle, this.errors);
                 }
diff --git a/lms/templates/instructor/instructor_dashboard_2/membership.html b/lms/templates/instructor/instructor_dashboard_2/membership.html
index 9b1f64dfb9d1..e6d6cf48eea7 100644
--- a/lms/templates/instructor/instructor_dashboard_2/membership.html
+++ b/lms/templates/instructor/instructor_dashboard_2/membership.html
@@ -5,6 +5,13 @@
 from django.utils.translation import pgettext
 from openedx.core.djangolib.markup import HTML, Text
 %>
+
+<%
+  eshe_instructor_or_teaching_assistant_access = section_data['access']['eshe_instructor'] or section_data['access']['teaching_assistant']
+  membership_section_visible = not eshe_instructor_or_teaching_assistant_access or section_data['access']['explicit_staff']
+%>
+
+% if membership_section_visible:
 <fieldset class="batch-enrollment membership-section">
     <legend id="heading-batch-enrollment" class="hd hd-3">${_("Batch Enrollment")}</legend>
     <label>
@@ -92,6 +99,8 @@ <h3 class="hd hd-3">${_("Register/Enroll Students")}</h3>
 </div>
 %endif
 
+%endif
+
 <hr class="divider" />
 
 %if section_data['access']['instructor']:
@@ -193,6 +202,34 @@ <h3 class="hd hd-3">${_("Course Team Management")}</h3>
       data-add-button-label="${_("Add Limited Staff")}"
     ></div>
 
+    %if settings.FEATURES.get('ENABLE_ESHE_INSTRUCTOR_ROLE', None):
+    <div class="auth-list-container"
+      data-rolename="eshe_instructor"
+      data-display-name="${_("eSHE Instructor")}"
+      data-info-text="
+        ${_("Course team members with the eSHE Instructor role help you manage your course. "
+        "eSHE Instructor permissions are similar to Staff, but they can't assign course team roles and "
+        "can't enroll and unenroll learners")}"
+      data-list-endpoint="${ section_data['list_course_role_members_url'] }"
+      data-modify-endpoint="${ section_data['modify_access_url'] }"
+      data-add-button-label="${_("Add eSHE Instructor")}"
+    ></div>
+    %endif
+
+    %if settings.FEATURES.get('ENABLE_TEACHING_ASSISTANT_ROLE', None):
+    <div class="auth-list-container"
+      data-rolename="teaching_assistant"
+      data-display-name="${_("Teaching Assistant")}"
+      data-info-text="
+        ${_("Course team members with the Teaching Assistant role help you manage your course. "
+        "Teaching Assistant permissions are similar to Staff, but they can't assign course team roles, "
+        "enroll and unenroll learners and view or override grades")}"
+      data-list-endpoint="${ section_data['list_course_role_members_url'] }"
+      data-modify-endpoint="${ section_data['modify_access_url'] }"
+      data-add-button-label="${_("Add Teaching Assistant")}"
+    ></div>
+    %endif%
+
     ## Note that "Admin" is identified as "Instructor" in the Django admin panel.
     <div class="auth-list-container"
       data-rolename="instructor"
diff --git a/lms/templates/instructor/instructor_dashboard_2/student_admin.html b/lms/templates/instructor/instructor_dashboard_2/student_admin.html
index 668488bbf768..a699c13967c9 100644
--- a/lms/templates/instructor/instructor_dashboard_2/student_admin.html
+++ b/lms/templates/instructor/instructor_dashboard_2/student_admin.html
@@ -1,7 +1,13 @@
 <%page args="section_data" expression_filter="h"/>
 <%! from django.utils.translation import gettext as _ %>
+
+<%
+  teaching_assistant_access = section_data['access']['teaching_assistant']
+  gradebook_related_sections_hidden = teaching_assistant_access and not section_data['access']['explicit_staff']
+%>
+
 %if section_data['access']['staff'] or section_data['access']['instructor']:
-<div class="action-type-container">
+<div class="action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     %if section_data.get('writable_gradebook_url') or section_data.get('is_small_course'):
         <br><br>
         <h4 class="hd hd-4">${_("View gradebook for enrolled learners")}</h4>
@@ -59,7 +65,7 @@ <h4 class="hd hd-4">${_("View a specific learner's grades and progress")}</h4>
   <hr>
 </div>
 
-<div class="student-grade-container action-type-container">
+<div class="student-grade-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Adjust a learner's grade for a specific problem")}</h4>
     <div class="request-response-error"></div>
     <label for="student-select-grade">
@@ -132,7 +138,7 @@ <h5 class="hd hd-5">${_("Task Status")}</h5>
 </div>
 
 % if course.entrance_exam_enabled:
-<div class="entrance-exam-grade-container action-type-container">
+<div class="entrance-exam-grade-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Adjust a learner's entrance exam results")}</h4>
     <div class="request-response-error"></div>
 
@@ -194,7 +200,7 @@ <h5 class="hd hd-5">${_("Task Status")}</h5>
 
 %if section_data['access']['instructor']:
 %if settings.FEATURES.get('ENABLE_INSTRUCTOR_BACKGROUND_TASKS'):
-<div class="course-specific-container action-type-container">
+<div class="course-specific-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Adjust all enrolled learners' grades for a specific problem")}</h4>
     <div class="request-response-error"></div>
 
@@ -232,7 +238,7 @@ <h5 class="hd hd-5">${_("Task Status")}</h5>
 %endif
 
 %if settings.FEATURES.get('ENABLE_INSTRUCTOR_BACKGROUND_TASKS'):
-<div class="running-tasks-container action-type-container">
+<div class="running-tasks-container action-type-container ${'hidden' if gradebook_related_sections_hidden else ''}">
     <h4 class="hd hd-4">${_("Pending Tasks")}</h4>
     <div class="running-tasks-section">
         <label>${_("The status for any active tasks appears in a table below.")}</label>
diff --git a/openedx/core/djangoapps/agreements/api.py b/openedx/core/djangoapps/agreements/api.py
index 2489cefb8533..11ad23dddd25 100644
--- a/openedx/core/djangoapps/agreements/api.py
+++ b/openedx/core/djangoapps/agreements/api.py
@@ -3,17 +3,15 @@
 """
 
 import logging
+from datetime import datetime
+from typing import Iterable, Optional
 
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
 from opaque_keys.edx.keys import CourseKey
 
-from openedx.core.djangoapps.agreements.models import IntegritySignature
-from openedx.core.djangoapps.agreements.models import LTIPIITool
-from openedx.core.djangoapps.agreements.models import LTIPIISignature
-
-from .data import LTIToolsReceivingPIIData
-from .data import LTIPIISignatureData
+from .data import LTIPIISignatureData, LTIToolsReceivingPIIData, UserAgreementRecordData
+from .models import IntegritySignature, LTIPIISignature, LTIPIITool, UserAgreementRecord
 
 log = logging.getLogger(__name__)
 User = get_user_model()
@@ -240,3 +238,48 @@ def _user_signature_out_of_date(username, course_id):
         return False
     else:
         return user_lti_pii_signature_hash != course_lti_pii_tools_hash
+
+
+def get_user_agreements(user: User) -> Iterable[UserAgreementRecordData]:
+    """
+    Retrieves all the agreements that the specified user has acknowledged.
+    """
+    for agreement_record in UserAgreementRecord.objects.filter(user=user):
+        yield UserAgreementRecordData.from_model(agreement_record)
+
+
+def get_latest_user_agreement_record(
+    user: User,
+    agreement_type: str,
+    agreed_after: datetime = None,
+) -> Optional[UserAgreementRecordData]:
+    """
+    Retrieve the user agreement record for the specified user and agreement type.
+
+    An agreement update timestamp can be provided to return a record only if it
+    was signed after that timestamp.
+    """
+    try:
+        record_query = UserAgreementRecord.objects.filter(
+            user=user,
+            agreement_type=agreement_type,
+        )
+        if agreed_after:
+            record_query = record_query.filter(timestamp__gte=agreed_after)
+        record = record_query.latest("timestamp")
+        return UserAgreementRecordData.from_model(record)
+    except UserAgreementRecord.DoesNotExist:
+        return None
+
+
+def create_user_agreement_record(user: User, agreement_type: str) -> UserAgreementRecordData:
+    """
+    Creates a user agreement record if one doesn't already exist, or updates existing
+    record to current timestamp.
+    """
+    record = UserAgreementRecord.objects.create(
+        user=user,
+        agreement_type=agreement_type,
+        timestamp=datetime.now(),
+    )
+    return UserAgreementRecordData.from_model(record)
diff --git a/openedx/core/djangoapps/agreements/data.py b/openedx/core/djangoapps/agreements/data.py
index 9d843c73cb04..01d83665c009 100644
--- a/openedx/core/djangoapps/agreements/data.py
+++ b/openedx/core/djangoapps/agreements/data.py
@@ -1,8 +1,13 @@
 """
 Public data structures for this app.
 """
+from dataclasses import dataclass
+from datetime import datetime
+
 import attr
 
+from .models import UserAgreementRecord
+
 
 @attr.s(frozen=True, auto_attribs=True)
 class LTIToolsReceivingPIIData:
@@ -21,3 +26,21 @@ class LTIPIISignatureData:
     course_id: str
     lti_tools: str
     lti_tools_hash: str
+
+
+@dataclass
+class UserAgreementRecordData:
+    """
+    Data for a single user agreement record.
+    """
+    username: str
+    agreement_type: str
+    accepted_at: datetime
+
+    @classmethod
+    def from_model(cls, model: UserAgreementRecord):
+        return UserAgreementRecordData(
+            username=model.user.username,
+            agreement_type=model.agreement_type,
+            accepted_at=model.timestamp,
+        )
diff --git a/openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py b/openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py
new file mode 100644
index 000000000000..2e0985adb6de
--- /dev/null
+++ b/openedx/core/djangoapps/agreements/migrations/0006_useragreementrecord.py
@@ -0,0 +1,25 @@
+# Generated by Django 4.2.16 on 2024-12-06 11:34
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('agreements', '0005_timestampedmodels'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='UserAgreementRecord',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('agreement_type', models.CharField(max_length=255)),
+                ('timestamp', models.DateTimeField(auto_now_add=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]
diff --git a/openedx/core/djangoapps/agreements/models.py b/openedx/core/djangoapps/agreements/models.py
index 2672a4f47b24..2ceeeb98109f 100644
--- a/openedx/core/djangoapps/agreements/models.py
+++ b/openedx/core/djangoapps/agreements/models.py
@@ -70,3 +70,20 @@ class ProctoringPIISignature(TimeStampedModel):
 
     class Meta:
         app_label = 'agreements'
+
+
+class UserAgreementRecord(models.Model):
+    """
+    This model stores the agreements a user has accepted or acknowledged.
+
+    Each record here represents a user agreeing to the agreement type represented
+    by `agreement_type` at a particular time.
+
+    .. no_pii:
+    """
+    user = models.ForeignKey(User, db_index=True, on_delete=models.CASCADE)
+    agreement_type = models.CharField(max_length=255)
+    timestamp = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        app_label = 'agreements'
diff --git a/openedx/core/djangoapps/agreements/serializers.py b/openedx/core/djangoapps/agreements/serializers.py
index 11e9d57f4054..0ecade7afd97 100644
--- a/openedx/core/djangoapps/agreements/serializers.py
+++ b/openedx/core/djangoapps/agreements/serializers.py
@@ -3,9 +3,10 @@
 """
 from rest_framework import serializers
 
-from openedx.core.djangoapps.agreements.models import IntegritySignature, LTIPIISignature
 from openedx.core.lib.api.serializers import CourseKeyField
 
+from .models import IntegritySignature, LTIPIISignature
+
 
 class IntegritySignatureSerializer(serializers.ModelSerializer):
     """
@@ -31,3 +32,12 @@ class LTIPIISignatureSerializer(serializers.ModelSerializer):
     class Meta:
         model = LTIPIISignature
         fields = ('username', 'course_id', 'lti_tools', 'created_at')
+
+
+class UserAgreementsSerializer(serializers.Serializer):
+    """
+    Serializer for UserAgreementRecord model
+    """
+    username = serializers.CharField(read_only=True)
+    agreement_type = serializers.CharField(read_only=True)
+    accepted_at = serializers.DateTimeField()
diff --git a/openedx/core/djangoapps/agreements/tests/test_api.py b/openedx/core/djangoapps/agreements/tests/test_api.py
index c66065789939..eb1e02956dc5 100644
--- a/openedx/core/djangoapps/agreements/tests/test_api.py
+++ b/openedx/core/djangoapps/agreements/tests/test_api.py
@@ -2,25 +2,29 @@
 Tests for the Agreements API
 """
 import logging
+from datetime import datetime, timedelta
 
+from django.test import TestCase
+from opaque_keys.edx.keys import CourseKey
 from testfixtures import LogCapture
 
 from common.djangoapps.student.tests.factories import UserFactory
-from openedx.core.djangoapps.agreements.api import (
+from openedx.core.djangolib.testing.utils import skip_unless_lms
+from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase
+from xmodule.modulestore.tests.factories import CourseFactory
+
+from ..api import (
     create_integrity_signature,
+    create_lti_pii_signature,
+    create_user_agreement_record,
     get_integrity_signature,
     get_integrity_signatures_for_course,
+    get_lti_pii_signature,
     get_pii_receiving_lti_tools,
-    create_lti_pii_signature,
-    get_lti_pii_signature
+    get_latest_user_agreement_record,
+    get_user_agreements
 )
-from openedx.core.djangolib.testing.utils import skip_unless_lms
-from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase  # lint-amnesty, pylint: disable=wrong-import-order
-from xmodule.modulestore.tests.factories import CourseFactory  # lint-amnesty, pylint: disable=wrong-import-order
-from ..models import (
-    LTIPIITool,
-)
-from opaque_keys.edx.keys import CourseKey
+from ..models import LTIPIITool
 
 LOGGER_NAME = "openedx.core.djangoapps.agreements.api"
 
@@ -186,3 +190,37 @@ def _assert_ltitools(self, lti_list):
         Helper function to assert the returned list has the correct tools
         """
         self.assertEqual(self.lti_tools, lti_list)
+
+
+@skip_unless_lms
+class UserAgreementsTests(TestCase):
+    """
+    Tests for the python APIs related to user agreements.
+    """
+    def setUp(self):
+        self.user = UserFactory()
+
+    def test_get_user_agreements(self, ):
+        result = list(get_user_agreements(self.user))
+        assert len(result) == 0
+
+        record = create_user_agreement_record(self.user, 'test_type')
+        result = list(get_user_agreements(self.user))
+
+        assert len(result) == 1
+        assert result[0].agreement_type == 'test_type'
+        assert result[0].username == self.user.username
+        assert result[0].accepted_at == record.accepted_at
+
+    def test_get_user_agreement_record(self):
+        record = create_user_agreement_record(self.user, 'test_type')
+        result = get_latest_user_agreement_record(self.user, 'test_type')
+
+        assert result == record
+
+        result = get_latest_user_agreement_record(self.user, 'test_type', datetime.now() + timedelta(days=1))
+
+        assert result is None
+
+    def tearDown(self):
+        self.user.delete()
diff --git a/openedx/core/djangoapps/agreements/tests/test_views.py b/openedx/core/djangoapps/agreements/tests/test_views.py
index 4c52e5853f05..61cc8661fb43 100644
--- a/openedx/core/djangoapps/agreements/tests/test_views.py
+++ b/openedx/core/djangoapps/agreements/tests/test_views.py
@@ -2,26 +2,28 @@
 Tests for agreements views
 """
 
+import json
 from datetime import datetime, timedelta
 from unittest.mock import patch
 
 from django.conf import settings
 from django.urls import reverse
-from rest_framework.test import APITestCase
-from rest_framework import status
 from freezegun import freeze_time
-import json
+from rest_framework import status
+from rest_framework.test import APITestCase
 
-from common.djangoapps.student.tests.factories import UserFactory, AdminFactory
 from common.djangoapps.student.roles import CourseStaffRole
-from openedx.core.djangoapps.agreements.api import (
+from common.djangoapps.student.tests.factories import AdminFactory, UserFactory
+from openedx.core.djangolib.testing.utils import skip_unless_lms
+from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase
+from xmodule.modulestore.tests.factories import CourseFactory
+
+from ..api import (
     create_integrity_signature,
+    create_user_agreement_record,
     get_integrity_signatures_for_course,
     get_lti_pii_signature
 )
-from openedx.core.djangolib.testing.utils import skip_unless_lms
-from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase  # lint-amnesty, pylint: disable=wrong-import-order
-from xmodule.modulestore.tests.factories import CourseFactory  # lint-amnesty, pylint: disable=wrong-import-order
 
 
 @skip_unless_lms
@@ -289,3 +291,54 @@ def test_post_lti_pii_signature(self):
         signature = get_lti_pii_signature(self.user.username, self.course_id)
         self.assertEqual(signature.user.username, self.user.username)
         self.assertEqual(signature.lti_tools, self.lti_tools)
+
+
+@skip_unless_lms
+class UserAgreementsViewTests(APITestCase):
+    """
+    Tests for the UserAgreementsView
+    """
+
+    def setUp(self):
+        self.user = UserFactory(username="testuser", password="password")
+        self.url = reverse('user_agreements', kwargs={'agreement_type': 'sample_agreement'})
+        self.login()
+
+    def login(self):
+        self.client.login(username="testuser", password="password")
+
+    def test_get_user_agreement_record_no_data(self):
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_get_user_agreement_record_invalid_date(self):
+        response = self.client.get(self.url, {'after': 'invalid_date'})
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    def test_get_user_agreement_record(self):
+        create_user_agreement_record(self.user, 'sample_agreement')
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert 'accepted_at' in response.data
+
+        response = self.client.get(self.url, {"after": str(datetime.now() + timedelta(days=1))})
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_post_user_agreement(self):
+        with freeze_time("2024-11-21 12:00:00"):
+            response = self.client.post(self.url)
+        assert response.status_code == status.HTTP_201_CREATED
+
+        self.login()
+
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+
+        response = self.client.get(self.url, {"after": "2024-11-21T13:00:00Z"})
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        response = self.client.post(self.url)
+        assert response.status_code == status.HTTP_201_CREATED
+
+        response = self.client.get(self.url, {"after": "2024-11-21T13:00:00Z"})
+        assert response.status_code == status.HTTP_200_OK
diff --git a/openedx/core/djangoapps/agreements/urls.py b/openedx/core/djangoapps/agreements/urls.py
index d9d009d65ac1..902f477a7087 100644
--- a/openedx/core/djangoapps/agreements/urls.py
+++ b/openedx/core/djangoapps/agreements/urls.py
@@ -3,9 +3,9 @@
 """
 
 from django.conf import settings
-from django.urls import re_path
+from django.urls import path, re_path
 
-from .views import IntegritySignatureView, LTIPIISignatureView
+from .views import IntegritySignatureView, LTIPIISignatureView, UserAgreementsView
 
 urlpatterns = [
     re_path(r'^integrity_signature/{course_id}$'.format(
@@ -14,4 +14,5 @@
     re_path(r'^lti_pii_signature/{course_id}$'.format(
         course_id=settings.COURSE_ID_PATTERN
     ), LTIPIISignatureView.as_view(), name='lti_pii_signature'),
+    path("agreement/<slug:agreement_type>", UserAgreementsView.as_view(), name="user_agreements"),
 ]
diff --git a/openedx/core/djangoapps/agreements/views.py b/openedx/core/djangoapps/agreements/views.py
index cc928669ffdd..daf2ce09428c 100644
--- a/openedx/core/djangoapps/agreements/views.py
+++ b/openedx/core/djangoapps/agreements/views.py
@@ -2,21 +2,28 @@
 Views served by the Agreements app
 """
 
+import edx_api_doc_tools as apidocs
+from django import forms
 from django.conf import settings
+from drf_yasg import openapi
+from opaque_keys.edx.keys import CourseKey
 from rest_framework import status
-from rest_framework.views import APIView
-from rest_framework.response import Response
 from rest_framework.permissions import IsAuthenticated
-from opaque_keys.edx.keys import CourseKey
+from rest_framework.response import Response
+from rest_framework.views import APIView
 
 from common.djangoapps.student import auth
 from common.djangoapps.student.roles import CourseStaffRole
-from openedx.core.djangoapps.agreements.api import (
+
+from .api import (
     create_integrity_signature,
     create_lti_pii_signature,
+    create_user_agreement_record,
     get_integrity_signature,
+    get_latest_user_agreement_record
 )
-from openedx.core.djangoapps.agreements.serializers import IntegritySignatureSerializer, LTIPIISignatureSerializer
+from .serializers import IntegritySignatureSerializer, LTIPIISignatureSerializer, UserAgreementsSerializer
+from ...lib.api.view_utils import view_auth_classes
 
 
 def is_user_course_or_global_staff(user, course_id):
@@ -159,3 +166,72 @@ def post(self, request, course_id):
         else:
             statusStr = status.HTTP_500_INTERNAL_SERVER_ERROR
         return Response(data=serializer.data, status=statusStr)
+
+
+@view_auth_classes(is_authenticated=True)
+class UserAgreementsView(APIView):
+    """
+    Endpoint for the user agreements API.
+    """
+
+    class QueryFilterForm(forms.Form):
+        """
+        Query parameters for the GET method.
+        """
+        after = forms.DateTimeField(required=False)
+
+    @apidocs.schema(
+        parameters=[
+            apidocs.string_parameter(
+                'agreement_type',
+                apidocs.ParameterLocation.PATH,
+                description="Agreement ID/Type",
+            ),
+            openapi.Parameter(
+                'after',
+                apidocs.ParameterLocation.QUERY,
+                required=False,
+                type=openapi.TYPE_STRING,
+                format=openapi.FORMAT_DATETIME,
+                description="Return records after this date/time",
+            ),
+        ],
+        responses={
+            200: UserAgreementsSerializer,
+            400: "Bad Request",
+            404: "Not Found",
+        },
+    )
+    def get(self, request, agreement_type):
+        """
+        Get a user's acknowledgement record for this agreement type.
+        """
+        params = UserAgreementsView.QueryFilterForm(request.query_params)
+        if not params.is_valid():
+            return Response(status=status.HTTP_400_BAD_REQUEST)
+        record = get_latest_user_agreement_record(request.user, agreement_type, params.cleaned_data.get('after'))
+        if record is None:
+            return Response(status=status.HTTP_404_NOT_FOUND)
+        serializer = UserAgreementsSerializer(record)
+        return Response(serializer.data)
+
+    @apidocs.schema(
+        parameters=[
+            apidocs.string_parameter(
+                'agreement_type',
+                apidocs.ParameterLocation.PATH,
+                description="Agreement ID/Type",
+            ),
+        ],
+        responses={
+            200: UserAgreementsSerializer,
+            400: "Bad Request",
+        },
+    )
+    def post(self, request, agreement_type):
+        """
+        Marks a user's acknowledgement of this agreement type.
+        """
+        record = create_user_agreement_record(request.user, agreement_type)
+        serializer = UserAgreementsSerializer(record)
+        return Response(serializer.data, status=status.HTTP_201_CREATED)
diff --git a/openedx/core/djangoapps/courseware_api/views.py b/openedx/core/djangoapps/courseware_api/views.py
index 576f0472b770..8ad3d102f6fd 100644
--- a/openedx/core/djangoapps/courseware_api/views.py
+++ b/openedx/core/djangoapps/courseware_api/views.py
@@ -579,6 +579,7 @@ class SequenceMetadata(DeveloperErrorViewMixin, APIView):
 
     authentication_classes = (
         JwtAuthentication,
+        BearerAuthenticationAllowInactiveUser,
         SessionAuthenticationAllowInactiveUser,
     )
 
diff --git a/openedx/core/djangoapps/discussions/serializers.py b/openedx/core/djangoapps/discussions/serializers.py
index 88648a499598..6cc18605df9f 100644
--- a/openedx/core/djangoapps/discussions/serializers.py
+++ b/openedx/core/djangoapps/discussions/serializers.py
@@ -354,6 +354,12 @@ def _update_course_configuration(
                     key not in LegacySettingsSerializer.Meta.fields_cohorts
                 )
             }
+        # toogle discussion tab is_hidden
+        for tab in course.tabs:
+            if tab.tab_id == 'discussion' and tab.is_hidden == instance.enabled:
+                tab.is_hidden = not instance.enabled
+                save = True
+                break
         if save:
             modulestore().update_item(course, self.context['user_id'])
         return instance
diff --git a/openedx/core/djangoapps/discussions/tasks.py b/openedx/core/djangoapps/discussions/tasks.py
index fea20dc59bd4..4b08112f8266 100644
--- a/openedx/core/djangoapps/discussions/tasks.py
+++ b/openedx/core/djangoapps/discussions/tasks.py
@@ -196,7 +196,14 @@ def update_unit_discussion_state_from_discussion_blocks(course_key: CourseKey, u
     """
     store = modulestore()
     course = store.get_course(course_key)
-    provider = course.discussions_settings.get('provider', None)
+    # The provider information has been written to both `provider_type` and `provider`.
+    # Both of these serve the same purpose and this is an accident of early development.
+    # The `provider_type` key is now treated as read-only to allow existing values
+    # to be respected while moving to the `provider` key in the future.
+    provider = course.discussions_settings.get(
+        'provider_type',
+        course.discussions_settings.get('provider', None),
+    )
     # Only migrate to the new discussion provider if the current provider is the legacy provider.
     log.info(f"Current provider for {course_key} is {provider}")
     if provider is not None and provider != Provider.LEGACY and not force:
diff --git a/openedx/core/djangoapps/django_comment_common/comment_client/user.py b/openedx/core/djangoapps/django_comment_common/comment_client/user.py
index eaac6b408659..ad259c937630 100644
--- a/openedx/core/djangoapps/django_comment_common/comment_client/user.py
+++ b/openedx/core/djangoapps/django_comment_common/comment_client/user.py
@@ -238,7 +238,7 @@ def _retrieve(self, *args, **kwargs):
         if course_id:
             course_id = str(course_id)
             retrieve_params['course_id'] = course_id
-        course_key = utils.get_course_key(course_id)
+        course_key = utils.get_course_key(course_id) or utils.get_course_key(kwargs.get("course_key"))
 
         if is_forum_v2_enabled(course_key):
             group_ids = [retrieve_params['group_id']] if 'group_id' in retrieve_params else []
@@ -251,6 +251,7 @@ def _retrieve(self, *args, **kwargs):
                     complete=is_complete
                 )
             except ForumV2RequestError as e:
+                course_id = str(course_key)
                 self.save({"course_id": course_id})
                 response = forum_api.get_user(
                     self.attributes["id"],
diff --git a/openedx/core/djangoapps/schedules/management/commands/__init__.py b/openedx/core/djangoapps/schedules/management/commands/__init__.py
index bd0082f5331e..0b7255976563 100644
--- a/openedx/core/djangoapps/schedules/management/commands/__init__.py
+++ b/openedx/core/djangoapps/schedules/management/commands/__init__.py
@@ -29,12 +29,28 @@ def add_arguments(self, parser):
             '--override-recipient-email',
             help='Send all emails to this address instead of the actual recipient'
         )
-        parser.add_argument('site_domain_name')
+        parser.add_argument(
+            'site_domain_name',
+            nargs='?',
+            default=None,
+            help=(
+                'Domain name for the site to use. '
+                'Do not provide a domain if you wish to run this for all sites'
+            )
+        )
         parser.add_argument(
             '--weeks',
             type=int,
             help='Number of weekly emails to be sent',
         )
+        parser.add_argument(
+            '--override-middlewares',
+            action='append',
+            help=(
+                'Use this middleware when emulating http requests. '
+                'To use multiple middlewares, provide this argument multiple times'
+            )
+        )
 
     def handle(self, *args, **options):
         self.log_debug('Args = %r', options)
@@ -49,19 +65,26 @@ def handle(self, *args, **options):
             tzinfo=pytz.UTC
         )
         self.log_debug('Current date = %s', current_date.isoformat())
+        override_recipient_email = options.get('override_recipient_email')
+        override_middlewares = options.get('override_middlewares')
 
-        site = Site.objects.get(domain__iexact=options['site_domain_name'])
-        self.log_debug('Running for site %s', site.domain)
+        site_domain_name = options['site_domain_name']
+        sites = Site.objects.filter(domain__iexact=site_domain_name) if site_domain_name else Site.objects.all()
 
-        override_recipient_email = options.get('override_recipient_email')
-        self.send_emails(site, current_date, override_recipient_email)
+        if sites:
+            for site in sites:
+                self.log_debug('Running for site %s', site.domain)
+                self.send_emails(site, current_date, override_recipient_email, override_middlewares)
+        else:
+            self.log_info("No matching site found")
 
-    def enqueue(self, day_offset, site, current_date, override_recipient_email=None):
+    def enqueue(self, day_offset, site, current_date, override_recipient_email=None, override_middlewares=None):
         self.async_send_task.enqueue(
             site,
             current_date,
             day_offset,
             override_recipient_email,
+            override_middlewares,
         )
 
     def send_emails(self, *args, **kwargs):
diff --git a/openedx/core/djangoapps/schedules/management/commands/tests/test_send_email_base_command.py b/openedx/core/djangoapps/schedules/management/commands/tests/test_send_email_base_command.py
index 47ba67cc0999..11b33d585195 100644
--- a/openedx/core/djangoapps/schedules/management/commands/tests/test_send_email_base_command.py
+++ b/openedx/core/djangoapps/schedules/management/commands/tests/test_send_email_base_command.py
@@ -10,6 +10,7 @@
 import ddt
 import pytz
 from django.conf import settings
+from django.contrib.sites.models import Site
 
 from openedx.core.djangoapps.schedules.management.commands import SendEmailBaseCommand
 from openedx.core.djangoapps.site_configuration.tests.factories import SiteConfigurationFactory, SiteFactory
@@ -33,9 +34,23 @@ def test_handle(self):
             send_emails.assert_called_once_with(
                 self.site,
                 datetime.datetime(2017, 9, 29, tzinfo=pytz.UTC),
+                None,
                 None
             )
 
+    def test_handle_all_sites(self):
+        with patch.object(self.command, 'send_emails') as send_emails:
+            self.command.handle(site_domain_name=None, date='2017-09-29')
+            expected_sites = Site.objects.all()
+            for expected_site in expected_sites:
+                send_emails.assert_any_call(
+                    expected_site,
+                    datetime.datetime(2017, 9, 29, tzinfo=pytz.UTC),
+                    None,
+                    None
+                )
+            assert send_emails.call_count == len(expected_sites)
+
     def test_weeks_option(self):
         with patch.object(self.command, 'enqueue') as enqueue:
             self.command.handle(site_domain_name=self.site.domain, date='2017-09-29', weeks=12)
diff --git a/openedx/core/djangoapps/schedules/tasks.py b/openedx/core/djangoapps/schedules/tasks.py
index 6a999d3dd8ed..bdb510a3348c 100644
--- a/openedx/core/djangoapps/schedules/tasks.py
+++ b/openedx/core/djangoapps/schedules/tasks.py
@@ -20,6 +20,7 @@
     set_custom_attribute
 )
 from eventtracking import tracker
+from importlib import import_module
 from opaque_keys.edx.keys import CourseKey
 
 from openedx.core.djangoapps.content.course_overviews.models import CourseOverview
@@ -103,7 +104,7 @@ class BinnedScheduleMessageBaseTask(ScheduleMessageBaseTask):
     task_instance = None
 
     @classmethod
-    def enqueue(cls, site, current_date, day_offset, override_recipient_email=None):  # lint-amnesty, pylint: disable=missing-function-docstring
+    def enqueue(cls, site, current_date, day_offset, override_recipient_email=None, override_middlewares=None):  # lint-amnesty, pylint: disable=missing-function-docstring
         set_code_owner_attribute_from_module(__name__)
         current_date = resolvers._get_datetime_beginning_of_day(current_date)  # lint-amnesty, pylint: disable=protected-access
 
@@ -120,6 +121,7 @@ def enqueue(cls, site, current_date, day_offset, override_recipient_email=None):
                 day_offset,
                 bin,
                 override_recipient_email,
+                override_middlewares,
             )
             cls.log_info('Launching task with args = %r', task_args)
             cls.task_instance.apply_async(
@@ -128,16 +130,17 @@ def enqueue(cls, site, current_date, day_offset, override_recipient_email=None):
             )
 
     def run(  # lint-amnesty, pylint: disable=arguments-differ
-        self, site_id, target_day_str, day_offset, bin_num, override_recipient_email=None,
+        self, site_id, target_day_str, day_offset, bin_num, override_recipient_email=None, override_middlewares=None,
     ):
         set_code_owner_attribute_from_module(__name__)
         site = Site.objects.select_related('configuration').get(id=site_id)
-        with emulate_http_request(site=site):
+        middlewares = [self.class_from_classpath(cls) for cls in override_middlewares] if override_middlewares else None
+        with emulate_http_request(site=site, middleware_classes=middlewares) as request:
             msg_type = self.make_message_type(day_offset)
-            _annotate_for_monitoring(msg_type, site, bin_num, target_day_str, day_offset)
+            _annotate_for_monitoring(msg_type, request.site, bin_num, target_day_str, day_offset)
             return self.resolver(  # lint-amnesty, pylint: disable=not-callable
                 self.async_send_task,
-                site,
+                request.site,
                 deserialize(target_day_str),
                 day_offset,
                 bin_num,
@@ -147,6 +150,11 @@ def run(  # lint-amnesty, pylint: disable=arguments-differ
     def make_message_type(self, day_offset):
         raise NotImplementedError
 
+    def class_from_classpath(self, class_path):
+        module_name, klass = class_path.rsplit('.', 1)
+        module = import_module(module_name)
+        return getattr(module, klass)
+
 
 @shared_task(base=LoggedTask, ignore_result=True)
 @set_code_owner_attribute
diff --git a/openedx/core/djangoapps/user_authn/views/login.py b/openedx/core/djangoapps/user_authn/views/login.py
index 266dec73b755..a2141104505a 100644
--- a/openedx/core/djangoapps/user_authn/views/login.py
+++ b/openedx/core/djangoapps/user_authn/views/login.py
@@ -81,7 +81,7 @@ def _do_third_party_auth(request):
 
     try:
         return pipeline.get_authenticated_user(requested_provider, username, third_party_uid)
-    except USER_MODEL.DoesNotExist:
+    except USER_MODEL.DoesNotExist as err:
         AUDIT_LOG.info(
             "Login failed - user with username {username} has no social auth "
             "with backend_name {backend_name}".format(username=username, backend_name=backend_name)
@@ -102,7 +102,13 @@ def _do_third_party_auth(request):
             register_label_strong=HTML("<strong>{register_text}</strong>").format(register_text=_("Register")),
         )
 
-        raise AuthFailedError(message, error_code="third-party-auth-with-no-linked-account")  # lint-amnesty, pylint: disable=raise-missing-from
+        redirect_url = configuration_helpers.get_value('OC_REDIRECT_ON_TPA_UNLINKED_ACCOUNT', None)
+
+        raise AuthFailedError(
+            message,
+            error_code='third-party-auth-with-no-linked-account',
+            redirect_url=redirect_url
+        ) from err
 
 
 def _get_user_by_email(email):
diff --git a/openedx/core/djangoapps/user_authn/views/logout.py b/openedx/core/djangoapps/user_authn/views/logout.py
index 616b792b9f22..083e8d4ccb0d 100644
--- a/openedx/core/djangoapps/user_authn/views/logout.py
+++ b/openedx/core/djangoapps/user_authn/views/logout.py
@@ -8,7 +8,6 @@
 import nh3
 from django.conf import settings
 from django.contrib.auth import logout
-from django.shortcuts import redirect
 from django.utils.http import urlencode
 from django.views.generic import TemplateView
 from oauth2_provider.models import Application
@@ -47,7 +46,13 @@ def target(self):
         If a redirect_url is specified in the querystring for this request, and the value is a safe
         url for redirect, the view will redirect to this page after rendering the template.
         If it is not specified, we will use the default target url.
+        Redirect to tpa_logout_url if TPA_AUTOMATIC_LOGOUT_ENABLED is set to True and if
+        tpa_logout_url is configured.
         """
+
+        if getattr(settings, 'TPA_AUTOMATIC_LOGOUT_ENABLED', False) and self.tpa_logout_url:
+            return self.tpa_logout_url
+
         target_url = self.request.GET.get('redirect_url') or self.request.GET.get('next')
 
         #  Some third party apps do not build URLs correctly and send next query param without URL-encoding, resulting
@@ -85,16 +90,6 @@ def dispatch(self, request, *args, **kwargs):
 
         mark_user_change_as_expected(None)
 
-        # Redirect to tpa_logout_url if TPA_AUTOMATIC_LOGOUT_ENABLED is set to True and if
-        # tpa_logout_url is configured.
-        #
-        # NOTE: This step skips rendering logout.html, which is used to log the user out from the
-        # different IDAs. To ensure the user is logged out of all the IDAs be sure to redirect
-        # back to <LMS>/logout after logging out of the TPA.
-        if getattr(settings, 'TPA_AUTOMATIC_LOGOUT_ENABLED', False):
-            if self.tpa_logout_url:
-                return redirect(self.tpa_logout_url)
-
         return response
 
     def _build_logout_url(self, url):
diff --git a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
index c59969c2d00d..77c21c86e1b1 100644
--- a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
@@ -211,8 +211,10 @@ def test_automatic_tpa_logout_url_redirect(self):
             mock_idp_logout_url.return_value = idp_logout_url
             self._authenticate_with_oauth(client)
             response = self.client.get(reverse('logout'))
-            assert response.status_code == 302
-            assert response.url == idp_logout_url
+            expected = {
+                'target': idp_logout_url,
+            }
+            self.assertDictContainsSubset(expected, response.context_data)
 
     @mock.patch('django.conf.settings.TPA_AUTOMATIC_LOGOUT_ENABLED', True)
     def test_no_automatic_tpa_logout_without_logout_url(self):
diff --git a/openedx/core/lib/celery/task_utils.py b/openedx/core/lib/celery/task_utils.py
index 9a54f1b3a550..10a3809fa651 100644
--- a/openedx/core/lib/celery/task_utils.py
+++ b/openedx/core/lib/celery/task_utils.py
@@ -45,7 +45,7 @@ def emulate_http_request(site=None, user=None, middleware_classes=None):
         _run_method_if_implemented(middleware, 'process_request', request)
 
     try:
-        yield
+        yield request
     except Exception as exc:
         for middleware in reversed(middleware_instances):
             _run_method_if_implemented(middleware, 'process_exception', request, exc)