This makes it easy to tell when you are doing this on all pages - not just on pages where the sidebar is visible.
(cherry picked from commit ba080c55)

Fixed 'viewreleased{subject,message}' broken language strings in notifications. Part of the fix for #2271.
(cherry picked from commit 0a7f07f0)

There's no need to reveal this information, as the Mahara version is not revealed elsewhere.
(cherry picked from commit fb830d75)

(cherry picked from commit ea02642a)

Take into account the install subdirectory when redirecting users because of access denied. Fixes #2259.
(cherry picked from commit c93adecb)

The previous patch to that part of the code instead made it so you couldn't kick anyone out if the group ID equaled the group ID, which of course it always does.
(cherry picked from commit bec4d579)

(cherry picked from commit bfefe0b6)

Use the actual group ID on on the interaction delete page, rather than the interaction ID. Fixes #2241.

This was potentially a small security hole too - before, it would allow users who had permissions to delete a forum with an ID the same as an interaction they were allowed control over. But it's a terribly blind attack at the best of times.
(cherry picked from commit d265d0b2)

The XML extension is needed by the RSS blocktype to parse RSS feeds. To be honest, I'm surprised it wasn't needed before to parse the install.xml files.
(cherry picked from commit d49f1ab0)

Improved the wording for the Upload CSV page, especially in the case of institutional admins. Fixes #2214.

Previously, Institutional Admins were given links to pages they couldn't edit.

We haven't been clearing out session files since I first chose to make us hash the session directory back in 2006. Talk about a timebomb...

The cron job uses `find' and `xargs' to do the removing. These tools are required on debian (as part of findutils), and are installed in /usr/bin. I haven't bothered with a configuration directive for specifying a path to them for now, but that might be necessary later.
(cherry picked from commit 335d66a7)

Make usernames unique over their lowercase values, and put validation in everywhere so two users can't do this again.

Usernames _are_ meant to be case insensitive in the system. But at no point where users could be created (except for XMLRPC users), was this actually being enforced. So eventually someone actually did this, which caused login for both users to break.

Now, all entry points for new users are checked to make sure users can't claim names whose lowercase value is the same as another user. And on postgres, we now have a unique index over LOWER(username). This isn't possible in MySQL, so MySQL users miss out (yet again).

Allow usernames to contain many more characters than they do currently when using internal authentication.

The previous restrictions were unnecessarily strict. As per request from MyPortfolio.

Now we actually can has a Mjollnir`!
(cherry picked from commit 36a1ecfc)

Apache configuration and other scripts can override this. For example, thumb.php overrides this to cache thumbnail images for a while.

This prevents IE making assumptions that pages are cachable when they're clearly not.

We can't cache them for too long, because the user could change them at any time. But at least a short time is better than none, because they can be requested in batches quite a lot, for example when paging through search results.

On the profile page for the user, use 'profileiconbyid', which means that the correct image will always be shown, even when the user changes it.

This image can be sent with a long expires header, so given that it is on every page this makes sense.

Even if the user changes their profile icon, the image shown to them will still be correct, because it will be at a different URL now.

So far, they are only being sent on images that we know will never change, namely the profileiconbyid icons and thumbs for the blocktypes.

The following things are done:

1) If mod_deflate is available, use it to send text/html, text/css and application/x-javascript files gzipped
2) Remove ETags from all files. They can give benefits in some situations if configured correctly, but until they're investigated I'll just turn them off
3) Send expires headers for a bunch of the static stuff, mainly the stuff in /theme and /js

So far, this has resulted in reducing the size of the homepage from about 300K to 80K, and warm cache hits are only 2K in one request. These performance benefits apply similarly across the whole site.

If a user has checked out a language pack repository, they can add the path of it to a new configuration variable, 'langpacksearchpaths', which is an array of paths to search.

Helpfiles are not handled yet.

This can be tested by checking out the en_AR.utf8 language pack and adding it to langpacksearchpaths. You should get an option to use language 'Avast!'.

This was caused by two things:

1) Not re-getting the user data after firing the create user hook (thus not picking up that the user has the default quota)
2) Looking for, and attempting to place images in, the wrong folder. This was probably broken since 0.9, when the on-disk layout of files changed.