Commits · 539d323f04ef95301ac6bce1d269d25d1e048aa8 · mahara / mahara

08 Jul, 2015 1 commit
- HTML-escape page title in watchlist JSON response (Bug 1472439) · 539d323f
  Aaron Wells authored Jul 08, 2015
```
Change-Id: I445c763b09928ce03ae8561605e593bc23bba122
```
  539d323f
07 Jul, 2015 1 commit
- Prevent HTTP iframes on an HTTPS site · 7a7f066d
  Aaron Wells authored Jun 10, 2015
```
Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72
```
  7a7f066d
01 Jul, 2015 1 commit

Bug 1460368: stopping anonymous comments on artefacts · 1be3956b

Robert Lyon authored Jun 02, 2015

When anonymous comments is turned off

Change-Id: Id2ed84cb3b532da6ec8e117ef13c283bd64af302
(cherry picked from commit 3046c5c7)

1be3956b

28 May, 2015 3 commits

Version bump for 1.9.7testing · 86335be6

Son Nguyen authored May 29, 2015



Change-Id: I7e18e0b19d0f5ccdecd25f310f0493956e56e3fd
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

86335be6

Version bump for 1.9.6 · 45ad9175

Son Nguyen authored May 29, 2015



Change-Id: I1ea800f468cb8177b6e78b0de9f129cd032bbae5
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

45ad9175

Escape institution_display_name correctly (Bug #1447377) · c2cb5932

Hugh Davenport authored Apr 28, 2015



Institution names were not being escaped properly in the
accesslist.

This patch escapes them properly as well as clearing the
compiled cache for the templates where this problem occurs.

Change-Id: I2e675af0b84a3a7106e0245a5faa6ee2095a7e06
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

c2cb5932

27 May, 2015 2 commits
- Updating mahara-flashplayer README to indicate the new URL for its source code · faad51b5
  Aaron Wells authored May 28, 2015
```
Change-Id: I3ba68797512dd0d30087c62b17386b8417575ceb
```
  faad51b5
- Adding the ADDITIONALHTML* to the micro templates (Bug #1458703) · 02060a66
  Robert Lyon authored May 26, 2015
```
Change-Id: Ida23b4b8d58cad2455e0fcb32efe6cad59fa5ce5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit e5b5ee67)
```
  02060a66
07 May, 2015 2 commits

Merge "Stop the dwoo loader error (Bug #1193177)" into 1.9_STABLE · d0e7a04f
Robert Lyon authored May 08, 2015

d0e7a04f

Group admin of no institution was unable to update group (Bug #1420590) · 6c123cea

Robert Lyon authored Mar 02, 2015



It was wanting to check if the user was in the correct institution to
edit the group - but was wailing if the user was in group 'mahara' or
no institution.

Change-Id: Ia77cb601774bdde6a2a176a0ed26760e4ccd8ea8
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

6c123cea

23 Apr, 2015 1 commit

Stop the dwoo loader error (Bug #1193177) · eaa54f90

Robert Lyon authored Apr 24, 2015



The fix for this exists in Dwoo 1.2 so backporting it to older branches

Change-Id: Idafa654ea5e71118d8fdd1512e9a32cf1f4c39cd
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

eaa54f90

21 Apr, 2015 1 commit

Updating .gitignore · 5453e437

Aaron Wells authored Apr 21, 2015

This should make it easier when switching between master
and older branches.

Change-Id: I5be0afc3338fc66a05750b334f4742f7d17f4225

5453e437

20 Apr, 2015 6 commits

Version bump for 1.9.6testing · f1607234
Aaron Wells authored Apr 20, 2015
```
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>
```
f1607234
Version bump for 1.9.5 · c7cbe046
Aaron Wells authored Apr 20, 2015
```
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>
```
c7cbe046

Use different strptime params for BSD compatibility · ec31ef4e

Brian King authored Feb 13, 2015

Bug 1414628: The "tm_yday" (day of the year) param is not supplied by
strptime by default on BSD systems such as Mac OS X.
It works just as well to use "tm_mday" (day of the month) param instead,
and it also makes more sense!

Change-Id: I1484dcde4dbd8199f578a4eb5a58a9f78de45635

ec31ef4e

Merge "Using the new format for plugin configs. Bug 1410953" into 1.9_STABLE · 27d1f4f8
Aaron Wells authored Apr 20, 2015

27d1f4f8

IMAP language string for 'Port' is missing (Bug #1360050) · 8a705256

Ghada El-Zoghbi authored Aug 22, 2014



Add missing language string for IMAP Port field.

Change-Id: I9fccdd890bc186971fa1b7e90f965a7b34a25615
Signed-off-by: Ghada El-Zoghbi <ghada@catalyst-au.net>

8a705256

Using the new format for plugin configs. Bug 1410953 · 01dd4847

Son Nguyen authored Jan 15, 2015



The old format caused a strict standards warning in PHP 5.5

Change-Id: I3014aae0bbdca131c63735a5daade299d11a265b
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

01dd4847

16 Apr, 2015 6 commits

Allow prefixes that end in / to try ? and # as well · ff97447c

Robert Lyon authored Apr 16, 2015



Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

ff97447c

Merge "Double-check the viewid when setting up watchlist viewing (Bug 1429647)" into 1.9_STABLE · 02ae18d6
Robert Lyon authored Apr 17, 2015

02ae18d6

Stopping SWF files XSS exploitation (Bug #1190788) · 91f15848

Robert Lyon authored Feb 18, 2015

By doing two things:

1) Getting the embedded SWF object to set the
 allowscriptaccess = "never" and allownetworking = "never"

2) By forcing a 'download file' link to actually download file
- this goes for all files now that don't have embedded=1
in their url.

I've done it this way, having the embedded item have extra url param
so that if a user tries to manipulate a url by removing params it
will default to force download.

I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2


and I've also cleaned up places where the download=1 was used as that is
not needed now. Now if there are places where we need to embed rather
than download we add the embedded=1 to the url.

Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

91f15848

Stopping the elasticsearch cron running at same time as reset index · 11734cf6

Robert Lyon authored Feb 17, 2015



Bug #1422232

Change-Id: Ia8fd7d074db3be027e1318a07d062a9ed1bb2ad8
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

11734cf6

Getting suspended institutions to keep their user out. (Bug 1348024) · 847f49ef

Robert Lyon authored Jul 25, 2014



Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

847f49ef

Allowing the skin underline setting to work (Bug #1429871) · 973fb7cc

Robert Lyon authored Apr 16, 2015



Do correct string/variable comparison

Change-Id: I98c5c1360891699e439108789b2015d7587222ca
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

973fb7cc

15 Apr, 2015 4 commits

Update the block configdata for attachments. Bug 1439194 · 57173d77

Son Nguyen authored Apr 02, 2015



Change-Id: I45bdbbaeedf2e6bced74da0a8d7eebed753d4595
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

57173d77

Merge "Checking the remoteusername for parent auth better (Bug #1364170)" into 1.9_STABLE · d12b6cc8
Robert Lyon authored Apr 16, 2015

d12b6cc8

Fix bugs when changing view layout. Bug 1432641 · 7d793f27

Son Nguyen authored Mar 31, 2015



Change-Id: I0ae87e94bd7ad723a19045598280a6c4880aa3d8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

7d793f27

The accepting friend notification contains full url (Bug #1440908) · 6049db95

Robert Lyon authored Apr 07, 2015



And this ends up breaking the 'more' link in the inbox.

Normally we don't expect the url to contain the full path so we need
strip it off as it's added back in via the template.

Change-Id: Ibf22f361aaf7697e9903a2374f15d4fb031d01ef
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

6049db95

13 Apr, 2015 1 commit

Double-check the viewid when setting up watchlist viewing (Bug 1429647) · 900003c5

Robert Lyon authored Apr 02, 2015



A person can alter the viewid passed to the watchlist ajax update and
so a user can end up watching a view they have no access to

Change-Id: I21d00963ac3d9d53e337bcb0a7162bd2a1da1802
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

900003c5

29 Mar, 2015 3 commits

Extract description in 'summary' entry when Leap import. Bug 1428266 · 48560325
Son Nguyen authored Mar 05, 2015
```
Change-Id: I643a825a3ff878cb8573e96cb2741c0dee0cb29f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
```
48560325

Stopping a block from being 'eaten' when changing layout (Bug #1432635) · d56f1ff5

Robert Lyon authored Mar 20, 2015



To test see bug report

Change-Id: I88069adce01c77a1009ac49bf61966524532ca44
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

d56f1ff5

Adding another filter/match for google spreadsheets (Bug #1435750) · 1b184140
Robert Lyon authored Mar 26, 2015
```
Change-Id: I2030a8222ff7691952f9351b297298484f102ac5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
```
1b184140

27 Mar, 2015 1 commit

Allowing for youtube-nocookie.com urls to work (Bug #1436841) · 86c3878d

Robert Lyon authored Mar 27, 2015



To test - see bug report

Change-Id: I74b9d35eb8be34af90ee46714f9b4ad19bc340d5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

86c3878d

24 Feb, 2015 2 commits

Make sure submitted page cannot be deleted via URL (Bug #1425306) · 371490ae

Yuliya Bozhko authored Feb 25, 2015



Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>

371490ae

Add the method update_artefact_references() to HTML artefact (Note) · ab4302ad

Son Nguyen authored Nov 28, 2014



Bug 1390833

This will update all attachments to the artefact

Change-Id: Idc06d5ce35b2427575b44d53f4aa56dfc7b01cf8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

ab4302ad

09 Feb, 2015 1 commit

Checking the remoteusername for parent auth better (Bug #1364170) · 9623f879

Robert Lyon authored Sep 02, 2014



Currently it checks lowercase username against the same username

But we need to compare apples wuith apples so the subquery also needs
to return lowercase username.

Change-Id: Icbe65e12d415be6f943399185c828166ed8a98d4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

9623f879

08 Feb, 2015 1 commit

Display cleaned content of XML file. Bug 1404117 · c91bac68

Son Nguyen authored Jan 05, 2015



Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

c91bac68

03 Feb, 2015 1 commit

Removing the from/join check in minaccept · 70c938da

Aaron Wells authored Feb 03, 2015

Bug 1417364: This check causes too many false positives and doesn't catch
actual problems often enough.

Change-Id: I659cafd3dcdbcf254d66a72bcb4f2f6a1ba2ddba

70c938da

29 Jan, 2015 1 commit
- Fix deprecated warning in BBCode library · 387b2893
  Aaron Wells authored Jan 29, 2015
```
Bug 1415709

Change-Id: Ib6758dfe1d10884f69261179687d5ffde7ff81f9
```
  387b2893
26 Jan, 2015 1 commit

Fixing problem where custom subnav background not showing (Bug #1414474) · fa544b5e

Robert Lyon authored Jan 26, 2015



To test - create an institution and give it the custom theme.
Add user to institution and log in with that user.

Between each test you will need to re-save the institution so that the
custom theme data in the db gets updated by the template change.

Change-Id: I21d97c77896d872cbfc335473fbf510999b5187b
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

fa544b5e