1. 28 Apr, 2015 1 commit
  2. 15 Apr, 2015 2 commits
    • Stopping SWF files XSS exploitation (Bug #1190788) · 8df9bdfa
      Robert Lyon authored
      By doing two things:
      
      1) Getting the embedded SWF object to set the
       allowscriptaccess = "never" and allownetworking = "never"
      
      2) By forcing a 'download file' link to actually download file
      - this goes for all files now that don't have embedded=1
      in their url.
      
      I've done it this way, having the embedded item have an extra url param,
      so that if a user tries to manipulate a url by removing params it
      will default to force download.
      
      I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2
      and I've also cleaned up places where the download=1 was used as that is
      not needed now. Now if there are places where we need to embed rather
      than download we add the embedded=1 to the url.
      
      Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
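The two mitigations the commit describes, as an added illustration written for this page (not Mahara's own code; the function names and the `$params` array are assumptions):

```php
<?php
// Added illustration, not Mahara's code: the two mitigations from the commit.
// Function names and the $params array (parsed query string) are hypothetical.

// 1) Embed markup for an SWF with scripting and networking disabled, so the
//    movie can neither call into the page (XSS) nor make network requests.
function swf_embed_html(string $url, int $width, int $height): string {
    $safeurl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<object type="application/x-shockwave-flash" data="' . $safeurl . '"'
         . ' width="' . $width . '" height="' . $height . '">'
         . '<param name="movie" value="' . $safeurl . '">'
         . '<param name="allowScriptAccess" value="never">'
         . '<param name="allowNetworking" value="never">'
         . '</object>';
}

// 2) Decide whether a download request is served inline or forced to download.
//    Only embedded=1 yields inline; a URL with the param stripped falls back to
//    the safe behaviour (attachment), which is the point of the design.
function download_disposition(array $params, string $filename): string {
    $embedded = isset($params['embedded']) && $params['embedded'] === '1';
    // Strip characters that could break the header value.
    $safename = str_replace(['"', "\r", "\n"], '', basename($filename));
    return ($embedded ? 'inline' : 'attachment') . '; filename="' . $safename . '"';
}

function send_file_headers(array $params, string $filename, string $mimetype): void {
    header('Content-Type: ' . $mimetype);
    // Keep browsers from sniffing a "download" back into an executable type.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: ' . download_disposition($params, $filename));
}
```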
    • Explicitly tell the template to use the AJAX block loader · 29053d1b
      Aaron Wells authored
      Bug 1444229: It was hacky to rely on the block content being empty
      to signal the AJAX block loader. We should tell it to do so explicitly.
      
      Change-Id: I9816c43c96ffed85282ac0d874fa5bfe1ca62e00
  3. 13 Apr, 2015 1 commit
  4. 07 Apr, 2015 1 commit
  5. 01 Apr, 2015 1 commit
  6. 31 Mar, 2015 1 commit
  7. 26 Mar, 2015 1 commit
  8. 24 Mar, 2015 1 commit
  9. 23 Mar, 2015 2 commits
  10. 19 Mar, 2015 3 commits
  11. 18 Mar, 2015 3 commits
  12. 17 Mar, 2015 2 commits
  13. 16 Mar, 2015 1 commit
  14. 13 Mar, 2015 1 commit
    • Annotation artefact: Bug 1397759 · 389df353
      Ghada El-Zoghbi authored
      A new artefact similar to the comment artefact but with less
      functionality (i.e. no attached files, etc).
      It's an explanation of why a particular evidence meets a
      particular standard.
      
      If an annotation is created and added to a page, when the user
      deletes it from the page, the instance is deleted along with the
      annotation and its feedback.
      
      TODO:
      
      1. Imports seem to be working.
      Can get all comments to import and display.
      Needs some serious testing.
      
      2. Made changes for broken images but another bug was reported and is
      currently being worked on. So, may not need the fixes in here. Changes in:
      - htdocs/artefact/file/download.php
      
      To completely fix the broken images for all artefacts, changes are also required
      in htdocs/lib/embeddedimage.php to delete based on resourceid instead of fileid.
      
      Change-Id: Ibdb2e1c6500862645bac741bf61cff37e5a5b35c
  15. 11 Mar, 2015 1 commit
  16. 10 Mar, 2015 1 commit
  17. 09 Mar, 2015 1 commit
  18. 08 Mar, 2015 8 commits
  19. 05 Mar, 2015 1 commit
  20. 04 Mar, 2015 1 commit
  21. 03 Mar, 2015 2 commits
    • Adding ids to the edit access and secret url edit buttons · 769d117f
      Robert Lyon authored

      Bug #1427845
      
      the ids are in the form of:
       editaccess_{id of view}
       secreturl_{id of view}
      
      eg for view id=10 it will be editaccess_10 and secreturl_10
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
      
      Change-Id: I9b86a39db9a56d295d659203a9c8c1b4b4ba5e5e
    • (Bug1352028) Add a JSON progress bar for bulk operations. · 55a8deb8
      Nigel Cunningham authored

      This patch adds a JSON progress meter (I'll call it that to avoid confusion
      with progress bars) to the bulk uploading of users, groups and group
      memberships and the bulk export and import of users (LEAP), so the user can see
      the progress of the operation and not just the submit button changed to
      'Processing..' and whatever indication their browser gives while waiting for
      content.
      
      The bulk export and import are minor rewrites, replacing the old iframe based
      progress bar and the associated multiple pages and additional template file in
      the case of the bulk export, and the recursive redirect-to-self of the bulk
      import.
      
      To accomplish the display of the progress bar during the operation, we make the
      PHP session be closed (read only) except when changes need to be made. This is
      for the most part a straightforward change in session.php as it's the only
      direct accessor. In other places, we replace direct accessing of the session
      variable ($_SESSION) with use of the session class ($SESSION) so that it can
      reopen the session, make the change and close the session again.
      
      There is one more aspect to all of this: with previous behaviour, multiple
      requests for the same session would queue, taking the session lock in turn.
      After this patch is applied, they can proceed in parallel, allowing greater
      throughput. There is no additional locking requirement because the issues are
      the same as those already dealt with in allowing multiple PHP threads to
      process requests from different sessions at the same time.
      
      I have sought to make the progress meter nice and generic, so it can be used in
      the other bulk imports and exports too.
      
      Paradoxically, these changes don't just make the import seem to be faster; it
      actually is, at least in the case of users and groups.
      
      Times for importing 1000 users, groups and memberships, averaged over 3 runs
      each (Wall time, not CPU time - but the relationship is the same).
      
                      Without Progress     With Progress
      Users                166s               155s
      Groups                85s                78s
      Memberships           20s                19s
      
      Change-Id: Iec15c57db32c77994edb80c71d65591de51a95e4
      Signed-off-by: Nigel Cunningham <nigelc@catalyst-au.net>
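The read-only-session pattern the commit describes, as an added illustration written for this page (not Mahara's `$SESSION` class; the class and method names are assumptions):

```php
<?php
// Added illustration, not Mahara's code: keep the PHP session closed (read only)
// so requests sharing a session are not serialised on the session lock, and
// reopen it only for the duration of a write. Class/method names are hypothetical.
class ReadMostlySession {
    public function __construct() {
        // Load the session data into $_SESSION, then release the lock at once.
        session_start();
        session_write_close();
    }

    // $_SESSION keeps its contents after session_write_close(), so reads need no
    // lock. Caveat: it is a snapshot taken at the last open; a write made by a
    // parallel request of the same session is not visible until the next reopen.
    public function get(string $key) {
        return $_SESSION[$key] ?? null;
    }

    // Re-acquire the lock, write, and close again so the lock is held briefly.
    // Note: the last request to close wins if two reopen and write the same key.
    public function set(string $key, $value): void {
        session_start();
        $_SESSION[$key] = $value;
        session_write_close();
    }

    public function clear(string $key): void {
        session_start();
        unset($_SESSION[$key]);
        session_write_close();
    }
}

// Usage in a long-running bulk operation (hypothetical): progress updates are
// short write windows, so a polling request for the meter is not blocked.
$SESSION = new ReadMostlySession();
$SESSION->set('bulk_progress', ['done' => 250, 'total' => 1000]);
```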
  22. 01 Mar, 2015 1 commit
  23. 26 Feb, 2015 3 commits