Commit 984de894 authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge changes I293c5ac2,I1fb4ed7b

* changes:
  Bug 1595789: More prominent documentation of urlsecret.
  Bug 1595789: Make NULL urlsecret work during installation
parents 2c8444a3 31ab623e
......@@ -40,6 +40,12 @@ To upgrade an existing Mahara installation, follow the instructions here:
* https://wiki.mahara.org/wiki/System_Administrator%27s_Guide/Upgrading_Mahara
If you are upgrading from Mahara 15.10 or earlier, you will need to add a "urlsecret"
value to your config.php file if you wish to use the web-based upgrade and/or cron
scripts. See:
* https://wiki.mahara.org/wiki/System_Administrator%27s_Guide/Upgrading_Mahara#Q:_I.27m_getting_an_error_about_a_.22urlsecret.22
# SYSTEM REQUIREMENTS
Here are the system requirements needed to run Mahara 16.10.
......
......@@ -33,8 +33,8 @@ if (param_integer('finished', 0)) {
}
// Check if we have come via browser and have the right urlsecret
if (php_sapi_name() != 'cli') {
$urlsecret = param_alphanumext('urlsecret', null);
if (php_sapi_name() != 'cli' && get_config('urlsecret') !== null) {
$urlsecret = param_alphanumext('urlsecret', -1);
if ($urlsecret !== get_config('urlsecret')) {
die_info(get_string('accessdeniednourlsecret', 'error'));
}
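Review bot: The rewritten guard `if (php_sapi_name() != 'cli' && get_config('urlsecret') !== null)` fails open: whenever the configured value is null, a browser request skips the secret check entirely and continues into the upgrade script. The merge title suggests the intent is only to let installation proceed, so the bypass would be safer if tied to the not-yet-installed state; as written it presumably also applies to any live site whose config ends up with a null urlsecret, which is worth confirming against how `get_config()` treats an unset key. Separately, `$urlsecret !== get_config('urlsecret')` is not a constant-time comparison; where the supported PHP version provides it, `if (!is_string($urlsecret) || !hash_equals((string) get_config('urlsecret'), $urlsecret))` avoids leaking match length through timing. The same two lines appear in the later hunk at `@@ -25,8 +25,8` (the cron entry point) and the same points apply there; the enclosing `if` closes outside this hunk.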
......
......@@ -66,6 +66,15 @@ $cfg->dataroot = '/path/to/uploaddir';
// Example:
// $cfg->wwwroot = 'https://myhost.com/mahara/';
/**
* urlsecret A secret you need to add to the lib/cron.php or admin/upgrade.php
* URL to run it through the browser rather than the commandline to prevent unauthorised users triggering
* the cron or an upgrade, eg http://example.com/lib/cron.php?urlsecret=mysupersecret.
*
* You can disable this functionality by setting $cfg->urlsecret = null.
*/
// $cfg->urlsecret = 'mysupersecret';
/**
* passwordsaltmain: A secret token used for one-way encryption of user account passwords.
*/
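Review bot: The new urlsecret docblock says the feature can be disabled with `$cfg->urlsecret = null` but does not state the consequence, which is that the checks shown in the other hunks are then skipped for browser requests. I would add a line such as `* Warning: with urlsecret set to null, anyone who can reach lib/cron.php or admin/upgrade.php can trigger them; only do this if access is restricted another way.` The example URL also uses `http://`, and because the secret travels in the query string it is sent in cleartext and recorded in web server access logs; changing the example to `https://example.com/lib/cron.php?urlsecret=mysupersecret` and adding a note to use a long random value would make that clearer. For consistency with the `passwordsaltmain:` entry below, the heading should read `urlsecret:` with a colon.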
......
......@@ -25,8 +25,8 @@ require_once(get_config('docroot') . 'webservice/lib.php');
// Check if we have come via browser and have the right urlsecret
// Note: if your crontab hits this file via curl/http thenyou will need
// to add the urlsecret there for the cron to work.
if (php_sapi_name() != 'cli') {
$urlsecret = param_alphanumext('urlsecret', null);
if (php_sapi_name() != 'cli' && get_config('urlsecret') !== null) {
$urlsecret = param_alphanumext('urlsecret', -1);
if ($urlsecret !== get_config('urlsecret')) {
die_info(get_string('accessdeniednourlsecret', 'error'));
}
......