to match the new terminology of "Registered users"
rather than "Logged-in users".

Change-Id: I5f88660e58f1df82ff936e7487d5a82cd3a2a062
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

The help icons will be fixed up during the CSS
review and thus don't need to be worried about
at this stage.

Change-Id: I087b292ec5062fa6cda7c4f3c015262a26b4bd10
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

Change-Id: Ib0d6028fd81ac0b66f0c9d49e201825c07c41d98

Change-Id: I0c2db9c1fefcea2dfd7e442729ee0d46e822a781
Signed-off-by: Tony Butler <tonyjbutler@gmail.com>

Chris Wharton authored Dec 22, 2014 and Robert Lyon committed Jan 21, 2015

This patch adds an admin setting. If enabled, newly created users will
have multiple blogs by default.

Change-Id: I0beb474d007b49cfd09a6a6a1c479db0b03e68ae

Bug 1411459: Google's site that issues recaptcha keys calls them
"site" and "secret" instead of "public" and "private".
We should do the same, to avoid confusing users.

Change-Id: I591f267ccce440459d3033bed04215a65bcb46cf

Change-Id: I001850f421e3520ee17a8afbcfb2811ff213eec4

Various lang string fixes right before RC1

Change-Id: If25cca56b8dd6fff16d586f58d9df9b02fcde31f
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

This patch contains:
- The export queue system where pages/collections on release from
submission are added to the export queue table ready to be archived.
- The export queue admin page showing what is in the queue to be
exported. The cron runs every 6 minutes. Queue items failed to export
are also shown here.
- The archive list admin page, where one can download the generated
leap2a files for the archived submissions.

In this patch you should be able to add things to the export queue by
either releasing a sumbission on a group that has 'archive
submissions' option ticked. This will add the archive to that archived
submission page, or you can also run a leap2a export from portfolio
export which will add the export queue and send you an email once the
export is done.

Things to note:
- The is a server busy function that stops the export queue from
running but I'm not too sure if the threshold is too low/high
- The export queue tries to export the first 100 items each run but if
resources are fine in handling that easily then the number could be
higher but I'm not sure of what will be a good number.
- Currently there is alsoe infrastructure like table columns for dealing
with releasing submissions from external systems (eg moodle) but that
functuionality is yet to be built.
- The checking of server busy in MS windows untested - may need to
just let MS ignore server busy check as there doesn't seem to be
standard way to check this.

Change-Id: If4c1d272e9c5d46fbf16b2ff73ceb2687c06ffd4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

This patch adds support for anonymising pages.

It creates a site option in the General Settings section named 'Allow
anonymous pages' that must be checked for any page to be anonymised.

If the site option is enabled, a new 'Anonymise' setting in the
'Edit title and description' tab of pages is enabled, allowing the owner
to request that this page be anonymised.

When both settings are enabled and a user views a page, two things may
happen to the author's information.

First, if the user is not logged in or does not have admin, staff or
owner privileges for the page, the author's name is replaced by the
anonymous text (defaulting to "(Author's name hidden)") in both the
body of the page and the metadata author field.

If the user does have admin, staff or owner privileges for the page,
the author's name is anonymised as above except that the text displayed
is made into a link. When this link is clicked, the anonymous author
text is replaced by the normal author information for the page.

Anonymous pages displayed in the 'Latest pages' block and shared with
a group are also anonymised by this patch.

Change-Id: I2e2c92f641329a1a305cf58a5c5d47bf95436a8b
Signed-off-by: Nigel Cunningham <nigelc@catalyst-au.net>

Change-Id: I9b87550d4b542b5e46df9a055968fdd48cb6867f
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

The "Homepageinfo" and "Homeinfo" strings were not
consistent as they sometimes referred to the
dashboard. I changed them where needed.

Change-Id: I1061c5e662d76402d6041a6a0adffe9a698267bc
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

Bug 1317265

Change-Id: Iff2a4942f8d48bc7ad3084cc25da7cd84b72266b
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

- Each activity type can specify a default notification method. They default
  to 'email' to remain backwards compatible.
- Each activity type can specify if it is allowed to be set to 'none'. Defaults
  to 'allowed' for backwards compatibility.
- Removed 'required' from notification settings - it didn't make sense, and the
  change above deals with this in a better way.
- The site wide defaults for each activity type can be edited in
  Site options -> Notification settings. These are applied to new users or
  whenever a user does not have the appropriate usr_activity_preference records.
- Removed 'Default notification method' as it's functionality is now covered by
  the change above.
- There is a separate help next to each activity type to explain what messages
  will be affected by the setting.

Change-Id: I131cdeefbeaa8e43688aefd9d770fc8cb9bceea8
Signed-off-by: Nathan Lewis <nathan.lewis@totaralms.com>

Change-Id: Ia97d30cac00f4a68966fa1c6488af4a7eded7c8d
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

Gregor Anzelj authored Jan 15, 2014 and Aaron Wells committed Mar 27, 2014

- added ability for file and blogpost items that get updated via js to
also update the proogess bar as well without needing page reload.

-- made the system more pluggable and created a pseudo plugin called
'social' to handle the social progress bar items

Change-Id: I39c83018879b4717667ad32a6aa28cf902e42137
Signed-off-by: Gregor Anzelj <gregor.anzelj@gmail.com>

Tobias Zeuch authored Sep 11, 2013 and Robert Lyon committed Mar 26, 2014

Introducing a new plugin watchlistnotification that responds to the
events saveartefact, blockinstancecommit and deleteblockinstance. It
stores the changed view and the blockinstance in a table watchlist_queue
and checks via cron if there were any changes on a view and if for that
view the last change has happened some time ago (the minutes are stored
in config under watchlistnotification_delay, the default is 20min).

If so, a message is generated that informs the watchlist recipient about
which view and which block-instances on this view have been touched
(added or changed).

As there is no way to disable the built-in/old watchlist-notification-
system, this is disabled in the mahara-core code, that is,
artefact/lib.php and lib/view.php

Change-Id: I039c5285cdd1b09ed9eb38a647e0c1510c3cabb9
Signed-off-by: Tobias Zeuch <tobias.zeuch@kit.edu>

If set, this option will overwrite the institution 'Confirm
registration' setting

Change-Id: I28cf952c3629005d86c31354e39581e74324a26f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Bug 1252098

Change-Id: I9f2386fcb69510a23f66efc3bce32697fb8c8616

Thinking of privacy issues here - when should the users showup on
search results.

This patch allows users to show up based on the access of their
profile page (accesstypes: public, loggedin, friends) and whether
'Show users in public search' is set or not.

Normally all profile pages are accessible by logged in users - but
this can be altered if 'Logged-in profile access' is unchecked and
users remove the access off their profile page.

Change-Id: I4daa8cb2812bddb231ba489dfeefb4843b653d40
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Currently the getConnection() in Elastica/Client.php can give false
positive and also throws error if no connection.

What is needed is a true/false check to allow for things like notice
feedback on extensions page or giving a warning when switching to
'elasticsearch' on site options page when it is unreachable.

Change-Id: I43506f03b943d79eb019d39fe794037fc50bd05a
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Adrian Schlegel authored Sep 12, 2013 and Robert Lyon committed Nov 28, 2013

This patch introduces a setting which, if turned on, allows users to
access linked site files which are placed in subfolders.

Linked site files are set up under Configure site -> Menus

Change-Id: Iae4b9e10ef6a921cbf5a3afd9881f33b4c9f280c
Signed-off-by: Adrian Schlegel <adrian@liip.ch>

This reverts commit 35a6a62a.

Change-Id: I5902b77157fdb8df7c73dba27921c832c69b338b

if it is activated in config.php

The skins setting is added to Site config page as well

Change-Id: I4464867db90dc9fd34220b1d865fb5b3527ef168
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

- have updated copyright for the pages that had existing copyright
notices (except for the lib/pieforms/ section as i'm not too sure if
that needs changing as it is a different Catalyst IT product)

Change-Id: I11c65ad26cb9cd856cf16b1dccbd4223ba086645
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>

Bug1237183 : This typo caused a warning to be thrown when changing the search plugin

Change-Id: Ia8b6cc9eb8fd878a90437a2212f915e0450cd063

- rebasing change

Change-Id: I4c262c0a22b75a3f9de6d43569765f65ee32c555

Bug 1078591

Change-Id: Ica1de7ce33d56de4a97f6e0a12dfad6d6591b788

Added site options to allow for override of user expiry when
setting site expiry (if the user is not site admin).

- for new users
- for new users and existing users without expiry set
- for all users

Allowing for switching back to 'no end date'.
Need to force refresh the page to display info correctly after save.

Change-Id: I0a772b3db7c2ae5144ed4120cf851d4bba633f66
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Added text so admins know to turn on logging
for masquerading sessions.

Change-Id: Ieccb6519334e57e2bd7199ca1accb423922390e5
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

Adds settings for license metadata on the site, institution and user levels.

Change-Id: I8e684ec1befdd66cbf1d3ed87092bfe785582f86
Signed-off-by: Jiri Baum <jiri@catalyst-au.net>

Log events, including both user IDs when masquerading is in progress. The log
can be configured to log all events or only those while masquerading is in
progress or none. The log is expired after a configurable delay.

Note that this logs all events (or all masquerading events) even though this
feature only includes one report of one type of event.

Change-Id: I7a59d98b84b0527a55363b4d01448b9b1809aa9e
Signed-off-by: Jiri Baum <jiri@catalyst-au.net>

Masquerading (aka Loginas) is a useful and sometimes indispensable function.
However, previously it was rather too powerful, because admins can do anything
as the target user, with no indication that it is not the user themselves doing
so.

This feature adds some auditability to masquerading, by logging and reporting
who, when, why and (partially) what, as well as notifying the affected user.

See also bugs: #900983 and #1027574

This commit changes the masquerading feature itself to request a reason from
the admin masquerading, notify the user, and emit an event (for logging by the
next commit).

Change-Id: I066e9fdeb4d2e00679b2aa9b0b839cb4b78629a8
Signed-off-by: Jiri Baum <jiri@catalyst-au.net>

Added 'Default registration expiry lifetime' and
relevant dropdown box to 'Account settings', plus
adding how long the administrator has to approve
registration to the email alert.

Change-Id: Ic2df962730b10e6df4ccccaa539e415640f024b8
Signed-off-by: Ali Kaye <alexandrakaye.student@wegc.school.nz>

Bug #1057238
CVE-2012-2244

When a site administrator can manipulate the path for the
clamav scanner, they could produce either a reverse shell,
or allow any user to execute arbitrary remote commands by
setting it to an uploaded reverse shell, or to /bin/bash
respectively.

Other executable paths, namely pathtozip, and pathtounzip
are only set via config.php, and not through the site admin
interface. This option, pathtoclam, should follow the same
design.

Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Also add a few theme changes that allow some more
features on small devices.
- Printing links
- Settings link in top right corner
- Create/copy page/collection link
- Edit/delete buttons
- Remove group members button
- Help icons
- Administration link

Also made the admin link show in full

The items that are disabled when device detection is on
and user is on a mobile device are:
- TinyMCE editor
- Adding new blocks to pages, this is now a non-js version
- Dropdown menu's
- Export functionality

Bug #1052060

Change-Id: I5a8fe3cf136bb0c3e76e50a2b3bc48179c675b6a
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Allows administrators to let institution staff view statistics for
their institution

Change-Id: I6da1da44e91494f943cc5f3f9197cf48f769d975
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Part of bug #793308

If a user has the 'theme' property set in their account preferences,
this is used instead of the site or institution's theme.

The LiveUser::reset_institutions() function, which recalculates the
institution theme, is now called in place of LiveUser::update_theme()
whenever a user's institutions have changed.  reset_institutions() now
calls update_theme() if the user is a LiveUser.

Change-Id: I75b36da85a5aa249c3098078b8588b8a20ac9b48
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Some language strings need fixing that were beyond the
minor language string updates. Except for the strings in
install.php they all needed new strings to be picked up
by the translators.

Change-Id: I9cc6fe169a2b7b287a63df0bac1c52ea2c56c633
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

Adds a new "User reports" page to the admin section, accessible by
admins, which produces a list of all the pages owned by a given set of
users, and a list of who is on the access list for each page.

The users are selected using the checkboxes on the admin user search
page, and the page is reachable from admin user search using a new
"View reports" button on that page.

The CSV download that previously appeared on the Bulk actions page is
more appropriate on a reports page, so CSV download is also moved from
Bulk actions to User reports.  Email and remoteuser fields are only
displayed to site and institution administrators.

Because some sites will not want to allow staff to see the page access
lists of all users in their institutions, access to this page by staff
is controlled by a new "Staff report access" site setting.

Change-Id: Id02b58416e3dfb28fd39c1170426ddefe6669efe
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>