Commits · 539f7b806af910e0c6c4ea6f03b545b8e4e44bee · mahara / mahara

17 Nov, 2011 1 commit

Add button to delete current public key · 539f7b80

Hugh Davenport authored Nov 16, 2011



This will delete the current mnet key and regenerate a new one

Bug #890583

Change-Id: Ic07fc3f2e772fc26c959cd00a74bd88da9277a92
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

539f7b80

15 Nov, 2011 4 commits
- Merge "Fix error about missing retainview in institution sharing" · 08f7826d
  Hugh Davenport authored Nov 15, 2011
  
  08f7826d
- Fix error about missing retainview in institution sharing · de027f1f
  Hugh Davenport authored Nov 15, 2011
```
Bug #890528

Change-Id: Ie2197d6d77e3125247f40a16809b1f6e1dc61d6d
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
```
  de027f1f
- Merge "Add admin warning for entropy_length (bug #888424)" · 1665b419
  Hugh Davenport authored Nov 15, 2011
  
  1665b419
- Add admin warning for entropy_length (bug #888424) · c7a0ed9a
  Francois Marier authored Nov 11, 2011
```
This is based on an OWASP recommendation and corresponds to 128
bits of entropy.

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Properties



Change-Id: Ie47779d586c39bc339728e4772467407fac90ee4
Signed-off-by: Francois Marier <francois@catalyst.net.nz>
```
  c7a0ed9a
14 Nov, 2011 3 commits

Merge changes Ica2d2736,Ib92e18fe,Ib0d20cf5,Ibe40c6f3 · bb88eaa7

Richard Mansfield authored Nov 14, 2011

* changes:
  Replace "parent folder" text in file browser with an up arrow (bug #889975)
  Up arrow icon for parent folder in the files area (bug #889975)
  Allow files to be dropped on folder names in the navigation (bug #889975)
  Move folder navigation below the create folder form (bug #889975)

bb88eaa7

Merge changes I4738d809,I151fe4f9,Ic3571a96 · 852c9aa7

Francois Marier authored Nov 14, 2011

* changes:
  Sanitize personal details coming from LDAP server (bug #888840)
  Refactor firstname, lastname, email validation into functions
  Remove lies in comment

852c9aa7

Sanitize personal details coming from LDAP server (bug #888840) · 46189cc1

Richard Mansfield authored Nov 11, 2011



Change-Id: I4738d80982c7c0679e165c8ae930c7783ea218a3
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

46189cc1

13 Nov, 2011 4 commits

Replace "parent folder" text in file browser with an up arrow (bug #889975) · 23060b2f
Richard Mansfield authored Nov 11, 2011
```
Change-Id: Ica2d2736db0a0ed4f5ed635ecc1a45ecb84984e9
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
```
23060b2f

Up arrow icon for parent folder in the files area (bug #889975) · 26cdc28f

Evonne Cheung authored Nov 11, 2011



Change-Id: Ib92e18fe0d7de9e588c835a0fb7d1d690287174c
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

26cdc28f

Allow files to be dropped on folder names in the navigation (bug #889975) · 77e6ca38

Richard Mansfield authored Nov 14, 2011



This allows files and folders to be moved up more than one level in a
single action.

Change-Id: Ib0d20cf5030a127dc113e35d7690be911ddbe0ae
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

77e6ca38

Move folder navigation below the create folder form (bug #889975) · e712a3e1

Richard Mansfield authored Nov 14, 2011



Improves usability by making the navigation appear more as a heading
above the list of files contained in it.

Change-Id: Ibe40c6f3d65c98b4245598f0e128ec5fff2c1258
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

e712a3e1

11 Nov, 2011 4 commits

Merge "Use secure cookies when the site is served over HTTPS" · ed48acb7
Hugh Davenport authored Nov 11, 2011

ed48acb7

Use secure cookies when the site is served over HTTPS · 203e12e0

Francois Marier authored Nov 11, 2011



This prevents cookies from being stolen by tricking browsers into
sending them unencrypted.

Bug #843573

Change-Id: I5dfe45e3721fc85ad2d289cea59c5ad1f4eae91b
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

203e12e0

Refactor firstname, lastname, email validation into functions · 22386183

Francois Marier authored Nov 11, 2011



This will standardize the way that Mahara sanitizes these personal
details.

PHPMailer is no longer necessary since in PHP 5.2, it's just a
call to filter_var().

Change-Id: I151fe4f91c9731cfa24b5a6e9d0cebeabfcd1a77
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

22386183

Remove lies in comment · b1a57065

Francois Marier authored Nov 11, 2011



Change-Id: Ic3571a960228078af2bd3a600c5320146f5824aa
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

b1a57065

10 Nov, 2011 3 commits

MNet: Remove unnecessary SSL certificate checks (bug #888436) · cd47920e

Francois Marier authored Nov 10, 2011



These CA checks prevent the use of self-signed certificates with
MNet despite the fact that we wrap everything inside public key
crypto.

This change makes the Mahara implementation match the way that this
is done in Moodle.

Change-Id: Ia190cd4d40da5e7a5acf3c0fe2104f80c6df9f78
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

cd47920e

Merge "Fixed Youtube html filter." · 204ca1c4
Richard Mansfield authored Nov 10, 2011

204ca1c4

Fixed Youtube html filter. · 7db9b13d

Christopher Tombleson authored Nov 08, 2011



The html filter will now parse links with dashes in them.
Also will now parse links with parameters in them.

Bug #882499
Bug #884438

Change-Id: I96c17381e67488bb2b2eefc4106474b454fa40fd
Signed-off-by: Christopher Tombleson <christopher@catalyst.net.nz>

7db9b13d

09 Nov, 2011 1 commit

typos in blocktype/googleapps · 57c55f74

Rich Trott authored Nov 09, 2011



Bug #888255

Change-Id: I2aa2e9c37695fe6f5c1f4794a06eea4a52c9b815
Signed-off-by: Rich Trott <rtrott@gmail.com>

57c55f74

08 Nov, 2011 3 commits

Cache undefined config values in get_config_plugin (bug #887400) · 3d2ccd76

Richard Mansfield authored Nov 08, 2011



When a plugin config value has not been set, multiple calls to
get_config_plugin always trigger a db query.  But if it's already
queried once and found a null result, it should remember that for
next time.

Change-Id: Id955e0953131b83eba4e36face26bfb4ef828d26
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

3d2ccd76

Read entire _config table on call to get_config_plugin (bug #887400) · b2e34870

Richard Mansfield authored Nov 08, 2011

get_config_plugin only pulls in records from the given plugin, but it
might as well read the entire (tiny) table, so that for example the
following two calls result in one query rather than two:
get_plugin_config('artefact', 'internal', 'profilemandatory')
get_plugin_config('artefact', 'file', 'defaultquota')

Change-Id: I28d74179330178a40d4787bdb9e8e4ed1e0a0e60
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

b2e34870

Merge "Check value of static variable in group_current_group (bug #887002)" · f4a0e178
Richard Mansfield authored Nov 08, 2011

f4a0e178

07 Nov, 2011 3 commits

Merge "auth/xmlrpc: Don't redirect to jumpurl when session expires" · 90c14f3a
Hugh Davenport authored Nov 08, 2011

90c14f3a

auth/xmlrpc: Don't redirect to jumpurl when session expires · d94537b9

Hugh Davenport authored Nov 03, 2011



Bug #885545

Change-Id: Ieb255923f5b8796109afa060cbffd31c9603f0cc
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

d94537b9

Check value of static variable in group_current_group (bug #887002) · 79cf0eb2

Richard Mansfield authored Nov 07, 2011



The $dying variable mentioned in the comment being deleted in this
patch is not necessary because checking the value of $group stops
a 2nd exception being thrown.

The return value of group_current_group is only checked in the smarty
function to stop a "Trying to get property of non-object" warning
from being logged.

Change-Id: Ic78458bbe6ebe52fc4cb82cc661949d97ed450b4
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

79cf0eb2

05 Nov, 2011 1 commit

Blog block pagination bug prevents images from being displayed · ff849221

Iñaki Arenaza authored Oct 29, 2011



Bug #886581

As the viewid is not added to the URL for the images, images are
considered not published and we don't have permission to see them.
In fact, if we right click on the image place holder and click
on 'Display image' (or equivalent browser option), we are presented
with a login screen, even if we are logged in.

Just make sure the viewid is passed to ArtefactTypeBlogpost::get_posts()
too as part of the configdata, to include it in the image access URL.

Change-Id: I23138180fbd771755407c39a9669860e4ecef762
Signed-off-by: Iñaki Arenaza <iarenaza@mondragon.edu>

ff849221

03 Nov, 2011 5 commits
- Add sanitize_url() and apply to XSS vulns in rss parser · c7159839
  Melissa Draper authored Nov 01, 2011
```
It is currently possible for URLs in the rss parser to be
exploited with XSS. sanitize_url has been added to sanitize
RSS URL values before they are published.

Change-Id: Idacecbce0c3fc33dd2921df9b580acd1251929e6
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
```
  c7159839
- Fix messaging privelege escalation (bug #798128) · 90b3e3ae
  Ruslan Kabalin authored Jun 16, 2011
```
Change-Id: I4f0ea5d4818f66937c5fb2c36edd7b49b338b84b
Signed-off-by: Ruslan Kabalin <ruslan.kabalin@luns.net.uk>
```
  90b3e3ae
- Estimate memory usage before resizing images (bug #784978) · dc1bc017
  Richard Mansfield authored Sep 13, 2011
```
Change-Id: I473d816454baec0dc4a4304fcabdb917eca5f3b7
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
```
  dc1bc017
- Merge "auth/xmlrpc: Remove leading slashes from wantsurl" · 6a70bcc8
  Hugh Davenport authored Nov 03, 2011
  
  6a70bcc8
- Merge "Add sanitize_url function and clean URLs before display" · 8e053170
  Hugh Davenport authored Nov 03, 2011
  
  8e053170
02 Nov, 2011 2 commits

auth/xmlrpc: Remove leading slashes from wantsurl · 524d8d8a

Hugh Davenport authored Nov 02, 2011



When landing from another application, if being redirected to a
page in mahara, remove the leading slashes as the wwwroot already has
a trailing slash.

Change-Id: I34f8cc290c5819f79a9fe15dc4a87d43f479ece1
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

524d8d8a

auth/xmlrpc: Check HTTP_REFERER is set before reading · 8a7de70d

Hugh Davenport authored Nov 02, 2011



Change-Id: Ic9cd7011225cb235e4d3ca039519506be154cfa4
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

8a7de70d

01 Nov, 2011 4 commits
- Merge "Use display_name in the masquerading as banner" · 70971319
  Hugh Davenport authored Nov 02, 2011
  
  70971319
- Add sanitize_url function and clean URLs before display · 1ecbd46a
  Melissa Draper authored Oct 27, 2011
```
URLs should be checked before use to prevent misbehaviour. This
patch adds a function for that purpose. None of these fixes
are believed to be exploitable.

Change-Id: Idaf8da739c344b925c7ea3644591a230589eb6e3
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
```
  1ecbd46a
- Merge "Use a more appropriate sanitiser for the height variable" · 94a17f53
  Francois Marier authored Nov 01, 2011
  
  94a17f53
- Use a more appropriate sanitiser for the height variable · c2b78c65
  Melissa Draper authored Oct 28, 2011
```
Change-Id: I2a2ba2a54de22fb82c36ffd8ca807f7e237ceff1
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
```
  c2b78c65
31 Oct, 2011 2 commits

Prevent masquerading users from jumping as others · 3fb9009f

Francois Marier authored Nov 01, 2011

As described in bug #884223, if an administator is masquerading as another
user, they should be prevented from jumping as that other user.

Change-Id: Ie07f3b807a61bbbb94c9051fb7c4b8df03d19f24
Signed-off-by: Andrew Robert Nicols <andrew.nicols@luns.net.uk>
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

3fb9009f

Use display_name in the masquerading as banner · 6545b748

Andrew Robert Nicols authored Oct 31, 2011



Change-Id: I49e29567840682838a2b759c806023106dcdc9ce
Signed-off-by: Andrew Robert Nicols <andrew.nicols@luns.net.uk>

6545b748