Merge changes I293c5ac2,I1fb4ed7b

* changes: Bug 1595789: More prominent documentation of urlsecret. Bug 1595789: Make NULL urlsecret work during installation

Merge changes I293c5ac2,I1fb4ed7b
* changes: Bug 1595789: More prominent documentation of urlsecret. Bug 1595789: Make NULL urlsecret work during installation
984de894 · Robert Lyon · Gerrit Code Review · 2c8444a3 · 31ab623e · 984de894
Commit 984de894 authored Jun 28, 2016 by Robert Lyon Committed by Gerrit Code Review Jun 28, 2016
--- a/README.md
+++ b/README.md
@@ -40,6 +40,12 @@ To upgrade an existing Mahara installation, follow the instructions here:
 * https://wiki.mahara.org/wiki/System_Administrator%27s_Guide/Upgrading_Mahara
+If you are upgrading from Mahara 15.10 or earlier, you will need to add a "urlsecret"
+value to your config.php file if you wish to use the web-based upgrade and/or cron
+scripts. See:
+ * https://wiki.mahara.org/wiki/System_Administrator%27s_Guide/Upgrading_Mahara#Q:_I.27m_getting_an_error_about_a_.22urlsecret.22
 # SYSTEM REQUIREMENTS
 Here are the system requirements needed to run Mahara 16.10.

--- a/htdocs/admin/upgrade.php
+++ b/htdocs/admin/upgrade.php
@@ -33,8 +33,8 @@ if (param_integer('finished', 0)) {
 }
 // Check if we have come via browser and have the right urlsecret
-if (php_sapi_name() != 'cli') {
+if (php_sapi_name() != 'cli' && get_config('urlsecret') !== null) {
-    $urlsecret = param_alphanumext('urlsecret', null);
+    $urlsecret = param_alphanumext('urlsecret', -1);
    if ($urlsecret !== get_config('urlsecret')) {
        die_info(get_string('accessdeniednourlsecret', 'error'));
    }

--- a/htdocs/config-dist.php
+++ b/htdocs/config-dist.php
@@ -66,6 +66,15 @@ $cfg->dataroot = '/path/to/uploaddir';
 // Example:
 // $cfg->wwwroot = 'https://myhost.com/mahara/';
+/**
+ * urlsecret A secret you need to add to the lib/cron.php or admin/upgrade.php
+ * URL to run it through the browser rather than the commandline to prevent unauthorised users triggering
+ * the cron or an upgrade, eg http://example.com/lib/cron.php?urlsecret=mysupersecret.
+ *
+ * You can disable this functionality by setting $cfg->urlsecret = null.
+ */
+// $cfg->urlsecret = 'mysupersecret';
 /**
 * passwordsaltmain: A secret token used for one-way encryption of user account passwords.
 */

--- a/htdocs/lib/cron.php
+++ b/htdocs/lib/cron.php
@@ -25,8 +25,8 @@ require_once(get_config('docroot') . 'webservice/lib.php');
 // Check if we have come via browser and have the right urlsecret
 // Note: if your crontab hits this file via curl/http thenyou will need
 // to add the urlsecret there for the cron to work.
-if (php_sapi_name() != 'cli') {
+if (php_sapi_name() != 'cli' && get_config('urlsecret') !== null) {
-    $urlsecret = param_alphanumext('urlsecret', null);
+    $urlsecret = param_alphanumext('urlsecret', -1);
    if ($urlsecret !== get_config('urlsecret')) {
        die_info(get_string('accessdeniednourlsecret', 'error'));
    }