GitLab

We've always had the ability for auth instances to define ->logout, this
adds ->login as well, along a very similar vein.

it was using string 'name' rather than $name when fetching config
variables

Most annoying on public pages where the login box is shown. When it gets
the focus it scrolls the document there which is annoying when you were
reading something below the fold, like a forum post.

Also destroy the session when creating a new user, to prevent strange session-out-of-sync problems. I think they only happen when a crash happens while creating a user account but you can't be too careful.

Hasn't been needed since before Mahara 1.0!

Add auth_handle_institution_expiries, email site and institutional admins, suspend institutions if we are allowed to automatically do so.

Rename relevant elements from institutionexpiry... to institutionmembershipexpiry... to avoid naming clash.

Add in a column to the resultset of auth_get_auth_instances_for_institutions so it matches auth_get_auth_instances, and thus doesn't cause a notice on the admin Add User page.
(cherry picked from commit ac932c92)

This leads to login disaster.

During an upgrade, an error message "unknown variable $config" emerged
as require_once() did not actually included the script version.php if
this script was already included earlier during processing.

Don't do queries to get profile field values that are in the session. Saves three queries every page load.

Don't check for required profile fields on a json request, since it's very unlikely to be able to deal with it. Saves unnecessary database queries

You can now enter your username and be sent a password reminder too.

Several users of MyPortfolio have reported issues when they thought they knew their username but they didn't. Hopefully the email now telling you your username will help this.

Several language strings had to be changed. This is a bit suck, going on 1.0_STABLE.

Improve the robustness of authinstance-in-session handling, to handle an unduplicatable bug (at least by me).

All users who log in to the system should have a valid authinstance in their session. Apparently however, some don't. I can't narrow down how this happens, but this patch will make sure things don't blow up in this case.

This is called when there is an explicit logout request with no more processing on the page to be performed - i.e. the user clicks logout or their session times out.

In the case of an MNET user whose session has timed out, if they have a parent authentication method (i.e. they can use the login form as well), then we continue to remember that they originally signed in using an XMLRPC authinstance, so that when they click logout later, they're correctly taken back to their remote application.

When an MNET user in Mahara clicks a logout link, they are logged out of Mahara, a kill_parent request is sent to the remote application, and they are sent back to their remote application. The overall affect is a much nicer user experience, as they're taken back somewhere that they can log in.

If users do not have an e-mail address in LDAP, they will be required to set one when they log in.

This bug fixed thanks to Howard Miller and Glasgow University.

Otherwise, the user sees the message no matter what when forced to change their password, which looks stupid.

This at least gives admins the chance of doing this if they want to.

We haven't been clearing out session files since I first chose to make us hash the session directory back in 2006. Talk about a timebomb...

The cron job uses `find' and `xargs' to do the removing. These tools are required on debian (as part of findutils), and are installed in /usr/bin. I haven't bothered with a configuration directive for specifying a path to them for now, but that might be necessary later.
(cherry picked from commit 335d66a7)

If a logged out person hits a public page which has thrown an AccessDeniedException, redirect them to the login page.

Real users are only going to try logging in anyway, and non users aren't going to be able to log in, so it's just a usability improvement.

It might be worth adding a message to say what's happened later.