Commits · 21.04_DEV · mahara / mahara

01 Nov, 2022 1 commit
- Version bump for 21.04.8testing · 61591269
  Gold authored Nov 01, 2022
```
Signed-off-by: Gold <gold@catalyst.net.nz>
```
  61591269
31 Oct, 2022 10 commits

Merge "Security bug 1979575: Add the -dSAFER flag to ghostscript calls" into 21.04_DEV · ec2d0f58
Gold authored Nov 01, 2022

ec2d0f58

Merge changes I6d9009ec,Ib01f9768,I91a8c879,If9520833,I3b900b78, ... into 21.04_DEV · f45c62d9

Gold authored Nov 01, 2022

* changes:
  Security bug 1991157: require_once(view.php)
  Security bug 1991157: Expand files handled
  Security bug 1991157: Fixup block owner check
  Security bug 1991157: Prevent embedded images can be accessed without login
  Security bug 1991157: Update text block afe key
  Security bug 1991157: Profile intro text embedded item add rows to view_artefact table
  Security bug 1991157: Résumé embedded items add rows to view_artefact table

f45c62d9

Security bug 1991157: require_once(view.php) · bca33b0c

Gold authored Nov 01, 2022 and

Robert Lyon committed Nov 01, 2022



Looks like view.php may already be required in init.php.

Signed-off-by: Gold <gold@catalyst.net.nz>
Change-Id: I6d9009ec404c9440e1ec76d4772bdc36eafe1e4d

bca33b0c

Security bug 1979575: Add the -dSAFER flag to ghostscript calls · 76746650

Robert Lyon authored Aug 30, 2022



To avoid potential remote shell execution in Ubuntu 18.04 servers
The -dSAFER restricts what file operations the job can perform

Change-Id: I3fcdc54e2febd05a460d85196e3ebd08ac36716a
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

76746650

Security bug 1991157: Expand files handled · 6da6afcc

Gold authored Nov 01, 2022 and

Robert Lyon committed Nov 01, 2022



Also adding code tidyups.

Signed-off-by: Gold <gold@catalyst.net.nz>
Change-Id: Ib01f9768f93e9d985c4fad4916b5b1e20fb95d12

6da6afcc

Security bug 1991157: Fixup block owner check · 992ee7bd

Robert Lyon authored Oct 31, 2022



Change-Id: I91a8c879f644d1a224a3a2ccfba2c872feffc535
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

992ee7bd

Security bug 1991157: Prevent embedded images can be accessed without login · 758dcd22

Gold authored Sep 29, 2022 and

Robert Lyon committed Oct 31, 2022



Adding Access Control.

Additional: group_get_homepage_view() now throws ViewNotFoundException
if the group homepage is not found.

Signed-off-by: Gold <gold@catalyst.net.nz>
Change-Id: If9520833b62ae365a89262c79831c669e83efe01

758dcd22

Security bug 1991157: Update text block afe key · bb88a825

Gold authored Oct 19, 2022 and

Robert Lyon committed Oct 31, 2022



Replacing 'instructions' with 'textinstructions'

The upgrade with update block_instances and there is a tidyup sql that
will remove the left over resourcetype 'instructions' form the
artefact_file_embedded table.

Signed-off-by: Gold <gold@catalyst.net.nz>
Change-Id: I3b900b78655d0188dcba6d46f56a87fb63b468cd

bb88a825

Security bug 1991157: Profile intro text embedded item add rows to view_artefact table · 7e8c1ae4

Robert Lyon authored Oct 07, 2022



Currently does
- upgrade: change profileintotext embedded item to
use value that matches their artefacttype value
- upgrade: resave profileinfo blocks for those people that have something
embedded

- saves info to view_artefact when 'profileinfo' block is saved
- saves info to view_artefact when 'introduction' artefact is saved
and there exists any profileinfo blocks for this person

Change-Id: Ic1e833046eb264e114d7805f5ed8df85882882e2
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

7e8c1ae4

Security bug 1991157: Résumé embedded items add rows to view_artefact table · 011f1532

Robert Lyon authored Oct 06, 2022



Currently does
- upgrade: change resumeinterest / resumecoverletter embedded items to
use value that matches their artefacttype value
- upgrade: resave resume blocks for those people that have something
embedded

- on saving a resumefield / entire resume block it works out what
embedded items are associated and adds them to view_artefact table
- on saving resume item (including composite resume item) it works out
what embedded / attached items are associated and if there are resume
blocks owned by the user it updates the view_artefact rows too
- added an EmbeddedImage::has_embedded_image() function that checks
html markup and returns true/false if the markup contains an embedded
image

Change-Id: I1db7eea54e87477aba3f1c2a84434544af8fee51
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

011f1532

30 Oct, 2022 1 commit

Bug 1992312: Flexible URL replacements · 12d25871

Gold authored Oct 10, 2022 and

Robert Lyon committed Oct 31, 2022

This should now handle http://example.com, https://example.com

, and
protocolless //example.com.

We also now process static_page (site_content) and Wall Posts.

Signed-off-by: Gold <gold@catalyst.net.nz>
Change-Id: Ic35b0ab6ee7bd90223666f48597af269f6ecbacf
(cherry picked from commit e59c3e43)

12d25871

06 Oct, 2022 2 commits

Bug #1991864: Badgr token reset message fix · a1ef6abf
Mitsuhiro Yoshida authored Oct 06, 2022 and Robert Lyon committed Oct 07, 2022
```
Change-Id: Ib657aba35cb9d4e936a6bc33566977c437f11995
```
a1ef6abf

Bug 1988692: Fixing badgr API calls · fa90f1f6

Robert Lyon authored Sep 01, 2022



This patch
- updates the API calls
- records the refresh token and the expiry time
- handle refreshing tokens as a cron job

Change-Id: I4c2eb50cda031a107e5f01cda3348a5a23da589b
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit fb7ea62d)

fa90f1f6

19 Sep, 2022 1 commit

Bug 1987027: Correctly save MNet parent auth on account creation · 54c2cd60

Robert Lyon authored Aug 19, 2022



Change-Id: I666a76e14ba84a4a1c036aff448c480039203ddb
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 38c8c5d0)

54c2cd60

05 Sep, 2022 1 commit

Bug #1985857: Fix for issue with disappearing theme when portfolio is shared and made copyable · a6dbd062

veronicavarsha authored Aug 31, 2022 and

Robert Lyon committed Sep 06, 2022



We need to better define when one can see / pick from
'userscanchooseviewthemes' dropdown

Signed-off-by: veronicavarsha <veronicavarsha@catalyst.net.nz>
Change-Id: Idf38ff852efa878cabfc8849a8e7ae1f668ba1c2

a6dbd062

30 Aug, 2022 1 commit
- Bug 1988005: lib/group.php Added collection deletion logic to group delete function. · 68a9e8d5
  Fergus Whyte authored Aug 26, 2022 and Robert Lyon committed Aug 30, 2022
```
Change-Id: If5ceb073e86b27bbc4a4987c9e0c824ff5894d45
(cherry picked from commit 330c4711)
```
  68a9e8d5
24 Aug, 2022 1 commit

Bug 1969548: Export not working with MySQL8 · b40251ae

veronicavarsha authored Aug 24, 2022 and

Robert Lyon committed Aug 25, 2022



Signed-off-by: veronicavarsha <veronicavarsha@catalyst.net.nz>
Change-Id: I9499e3fd5b17a1876ac6a7811a4032dc82e62d9a
(cherry picked from commit 01e58608)
(cherry picked from commit 4b27326a)

b40251ae

17 Aug, 2022 2 commits

Merge changes I3f908ebe,Ibbdc7bc3,I33ea544d into 21.04_DEV · ee840fe7

Robert Lyon authored Aug 17, 2022

* changes:
  Bug 1978425: Create categories for the registered data
  Bug 1978425: Adjust event log option 'masq' to 'masquerade'
  Bug 1978425: External -> Plugins page to show title / version

ee840fe7

Bug 1978425: Create categories for the registered data · e046e667

Robert Lyon authored Jun 14, 2022



For displaying better in Admin home -> Register

Also move the html generation out to a .tpl file

Change-Id: I3f908ebe610548f7dfea155bfd59c94a74845779
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

e046e667

16 Aug, 2022 3 commits

Bug 1978425: Adjust event log option 'masq' to 'masquerade' · 457c2c67

Robert Lyon authored Jun 15, 2022



To make things easier to read in registration data

Change-Id: Ibbdc7bc3e53f29712b571401de6b3ca1bd59463a
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

457c2c67

Bug 1978425: External -> Plugins page to show title / version · 825f87ee

Robert Lyon authored Jun 14, 2022



- Currently also displaying the old plugin string to help with title
diagnosis

- To change the title on a blocktype you need to add the
'get_plugin_display_name' function to the blocktype,

eg for watchlist you need to add

    public static function get_plugin_display_name() {
        return get_string('pluginname', 'blocktype.watchlist');
    }

Inside the PluginBlocktypeWatchlist class

Change-Id: I33ea544d6cfee22b2e7fecb7fa99a485aea6a8f2
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

825f87ee

Bug 1979921: Allow for checking if $group id is integer · 1c626c90

Robert Lyon authored Jun 27, 2022



Currently we only check if string or class when calling
View::get_artefactchooser_artefacts() and dealing with group
information.

Change-Id: Ifd3bcbd46db87ccdd44ce257b8a40a300702fe4d
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 56dfed7f)

1c626c90

04 Aug, 2022 1 commit

Bug 1958297: Submission list for deleted people · 76b24cb1

Robert Lyon authored Jan 19, 2022



Not allow actions on deleted people

Change-Id: I928fc465be44ce05ba7245f4f34158cdd7e1592b
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 013bfbdd)

76b24cb1

02 Aug, 2022 1 commit

Bug 1983308: Public group homepage access · b2350c38

Robert Lyon authored Aug 02, 2022



Change-Id: I293a339a7b23776d1f3128fc42609f5b4aed895d
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

b2350c38

22 Jul, 2022 1 commit

Bug 1982520: Error with old block configdata · 7ff7755b

Dianne Tennent authored Jul 22, 2022 and

Robert Lyon committed Jul 22, 2022

Ensure $configdata['instructions'] exists before trying to rewrite it

Change-Id: I21f9643a778ccd80f52910b27f711d287fce005b
(cherry picked from commit 1f32844b)

7ff7755b

17 Jun, 2022 1 commit

Bug 1978300: Fix SQL syntax in db upgrade step · 9b329156

Bruno Malaval authored Jun 16, 2022 and

Dianne Tennent committed Jun 17, 2022

22.04 upgrade was failing due to
missing use of dbprefix syntax (curly braces)

Needs cherry-picking onto 20.10, 21.04, 21.10 and 22.04

Change-Id: I5f7c0adba793fc0f610e01f9fcd23f7e70564b3b
(cherry picked from commit 38122cfc)

9b329156

16 Jun, 2022 2 commits

Version bump for 21.04.7testing · 4735bf98
Gold authored Jun 16, 2022
```
Signed-off-by: Gold <gold@catalyst.net.nz>
```
4735bf98

Security Bug 1978520: Only allow images to be served by thumb.php · 73789944

Robert Lyon authored Jun 14, 2022



And make sure we have rights to see them too

Change-Id: I37960f5802cb482a2ab677f7452e0cc110764549
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 66f34fd0)
(cherry picked from commit 9612692b)
(cherry picked from commit 0ab444ce)

73789944

24 May, 2022 1 commit
- Bug 1970693: module_submissions: Missing language string · f481b6bc
  Tim Lock authored Apr 28, 2022 and Robert Lyon committed May 24, 2022
```
Change-Id: Ic10d66ce3cf78e6b4c520e5c149728a0b17f102e
(cherry picked from commit 6f8485f8)
```
  f481b6bc
23 May, 2022 1 commit

Bug 1971639: Need to check lowercase on both ends · 17cd2e19

Robert Lyon authored May 05, 2022



In case older sites have entered username or email address into the
system as camelcase we need to check our value vs supplied value both
as lowercase

Change-Id: Ib605db75f16d62f53f843b966aebc41814381971
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 2fb4d305)

17cd2e19

02 May, 2022 1 commit
- Version bump for 21.04.6testing · b0f9d2d6
  Dianne Tennent authored May 02, 2022
```
Signed-off-by: Dianne Tennent <dianne.tennent@catalyst.net.nz>
```
  b0f9d2d6
01 May, 2022 1 commit

Bug 1971110: Error with title underscore · dc06635a

Robert Lyon authored May 02, 2022



Needs to URl encoded

Change-Id: I229335f5c06f54019ec6eb5dae7f8a3291993bb4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 771dab63)

dc06635a

28 Apr, 2022 1 commit

Bug 1970680: Only update if lti_assessment table exists · 6e6738f5

Gold authored Apr 28, 2022 and

Robert Lyon committed Apr 29, 2022



Testing:

Install an older Mahara without LTI 1.1, the 'lti' module installed.
Update to the latest version with this patchset included.

Change-Id: Ib08878373eba41c238d60b2718c44bd3cb6fd8a6
Signed-off-by: Gold <gold@catalyst.net.nz>

6e6738f5

26 Apr, 2022 6 commits
- Version bump for 21.04.5testing · 75839610
  Dianne Tennent authored Apr 27, 2022
```
Signed-off-by: Dianne Tennent <dianne.tennent@catalyst.net.nz>
```
  75839610
- Merge "Bug 1967000: Make skin use the processed viewskin value provided by... · ec34c862
  Robert Lyon authored Apr 27, 2022
```
Merge "Bug 1967000: Make skin use the processed viewskin value provided by object, rather than pull the value out of the database directly." into 21.04_DEV
```
  ec34c862
- Merge "Security Bug 1922226: Groups search list after first page" into 21.04_DEV · 8bf0cc1d
  Robert Lyon authored Apr 27, 2022
  
  8bf0cc1d
- Security Bug 1961856: Upgrade markedjs from 2.1.3 to 4.0.12 · f0e8efc1
  Dianne Tennent authored Feb 23, 2022
```
Change-Id: I52df433b13705b35b888d1e4caefb7b6fd9e3787
```
  f0e8efc1
- Bug 1940890: Update MarkedJS to 2.1.3 · 21f2b2aa
  Doris Tam authored Aug 24, 2021 and Dianne Tennent committed Apr 27, 2022
```
Change-Id: I7539b55c45d8a856e5dfa00a838e285467e1e8e9
(cherry picked from commit 5bdd698e)
```
  21f2b2aa
- Security Bug 1922226: Groups search list after first page · e058d0c1
  Andreas Schenkel authored Feb 28, 2022 and Dianne Tennent committed Apr 27, 2022
```
For sites with isolated institutions enabled searches for Groups returns
a suitably filtered list of results. After the first page though, all
results are shown regardless of institution.

Change-Id: Ic3809589573ef5a828beaee16fdf729dacfcddf1
Signed-off-by: Gold <gold@catalyst.net.nz>
(cherry picked from commit 15bfe15b)
```
  e058d0c1