1. 09 Nov, 2017 1 commit
  2. 27 Oct, 2017 1 commit
    • Security Bug 1701978: fix session cookie issues · d02855fc
      Cecilia Vela Gurovic authored
      1. when a user logs in it clears any obsolete
         usr_session cookies for the user
      2. recording the user-agent of the session
         and if it changes to prompt the user to
         login again
      3. when self adding / editing email address(es)
         send 2 emails
      	- one to the new email address asking user to confirm address
      	- and one to the primary email address to alert user
      	that a new email is being added to their account and
      	if this is bad how to contact their admin about the problem.
      Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8
  3. 24 Oct, 2017 1 commit
  4. 21 Sep, 2017 1 commit
  5. 18 Sep, 2017 1 commit
  6. 13 Sep, 2017 1 commit
  7. 10 Sep, 2017 1 commit
  8. 27 Mar, 2017 1 commit
  9. 15 Feb, 2017 1 commit
  10. 01 Feb, 2017 1 commit
  11. 26 Jan, 2017 1 commit
  12. 16 Jan, 2017 1 commit
  13. 26 Oct, 2016 1 commit
  14. 11 Oct, 2016 2 commits
  15. 26 Sep, 2016 1 commit
    • Bug 1533377: Browserid end-of-life migration script · cfef0ff9
      Aaron Wells authored
      This patch removes all authentication functionality
      from the browserid auth plugin. It adds a script,
      accessible through the plugin's configuration page,
      to migrate user accounts from browserid to
      internal auth.
      Also includes changes to allow users to be searched
      by authtype, and to prevent non-useable plugins
      from being enabled on the plugin config page.
      Change-Id: I4e8bd9fc4d2fb2ccaa1845fda533c9373ec251bd
      behatnotneeded: Can't test with behat
  16. 01 Aug, 2016 1 commit
    • Purge MochiKit from mahara.js (Bug #1323920) · 174ca581
      Jono Mingard authored and Aaron Wells committed
      Replace all MochiKit function calls with either jQuery or rewritten
      versions. Also remove some old functions which aren't needed or
      weren't being used
      behatnotneeded: should be functionally identical
      Change-Id: Ie48032009b14adddfecbe8c381f4ff692afafe70
  17. 07 Jul, 2016 1 commit
    • Bug 1580399: Stop users logging in to suspended/expired institutions · c10a36bc
      Robert Lyon authored
      Moving the code from LiveUser->login() to
      ensure_user_account_is_active() so that internal and external logins
      can use the same code. This means the check now will fall after
      LiveUser->authenticate() so a user's lastlogin values will be updated,
      but that should be ok as the login was successful, it's just they
      can't go any further as their institution is not active.
      Change-Id: Ie78a60978d5936f78af5a962ca3efdcdee148b93
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  18. 06 Jul, 2016 1 commit
    • Bug 1597957: Handle language select form on non-public pages · 61448e52
      Aaron Wells authored
      By moving the language select form's handler into
      a Pieforms submit method, we ensure that the form
      can be properly handled on any page that displays it.
      behatnotneeded: Can't test multi-language with behat yet
      Change-Id: I04aea40b9ba1000f75fc08ef7015fd00de3bc9da
  19. 14 Jun, 2016 1 commit
  20. 08 Jun, 2016 1 commit
    • Bug 1590293: Correcting inconsistencies in session expiration · 4bed19a1
      Aaron Wells authored
      1. Add some documentation to session.php explaining what
      the session.gc_maxlifetime ini setting does.
      2. If we can't access $CFG->session_timeout, use a timeout of
      an hour instead of the PHP default of 24 minutes.
      3. Limit $CFG->session_timeout to 30 days, because we're already
      enforcing that limit in session.php
      4. Add "usr_session.mtime" column so that we can delete old sessions
      based on inactivity instead of creation date.
      5. Make the cron delete old session files as soon as they've expired,
      rather than padding that an additional two days.
      Change-Id: I9da2b26217774566b1131e997724359715edb2fe
      behatnotneeded: Covered by existing tests
  21. 27 Apr, 2016 1 commit
  22. 18 Apr, 2016 1 commit
    • Bug 1570744: Fixing session bugs · 83ec33f2
      Aaron Wells authored
      This patch does 2 things:
      1. It loads the session much earlier during init.php. We wind
      up creating one on *every* script load anyway, due to LiveUser's
      constructor. Sometimes it gets created earlier if other code
      tries to use it before then, which adds some unpredictability
      to things. Moving it up to the top of init.php reduces that.
      2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
      doesn't remove session headers. But header_remove()
      (with no params) to remove *all* cookies does remove them. So
      I'm changing remove_duplicate_cookies() to use that instead.
      3. Also in PHP 5.3, session headers are visible in headers_list().
      In situations where your session id changes (due to session_destroy()
      and session_regenerate_id()), our use of array_unique() meant we
      would preserve the old and new session IDs and send both back
      to the browser. This patch makes remove_duplicate_cookies() aware
      of the current session ID, and it only preserves that one.
      Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
      behatnotneeded: Covered by existing tests
  23. 14 Apr, 2016 1 commit
  24. 21 Mar, 2016 1 commit
    • Bug 1539262: Removing unnecessary $smarty PAGEHEADING lines · e82c0fcb
      Robert Lyon authored
      As they are set to TITLE we can just assign TITLE to PAGEHEADING in
      the smarty function call.
      We can later override the PAGEHEADING with
      $smarty->assign('PAGEHEADING', string); if we need to.
      Have also updated a few files where TITLE was not defined.
      behatnotneeded - everything should work as before
      Change-Id: I3ea592cd37344e68c6e90a3c64947cf99db59471
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  25. 09 Dec, 2015 2 commits
  26. 19 Oct, 2015 1 commit
  27. 07 Oct, 2015 1 commit
  28. 02 Oct, 2015 1 commit
    • Remove unnecessary cached form from the session · e2d001a8
      Aaron Wells authored and Robert Lyon committed
      Bug 1495200 & Bug 1496681
      behatnotneeded: Well, we could test this, but it would
      require a 60-second wait for the session to timeout (since
      the least you can set the session timeout via the UI
      is 1 minute)
      Change-Id: Ia5c861c16b6c893ada9d5eb2111f0b6a9aee49ad
      (cherry picked from commit aee374c0)
      (cherry picked from commit 784dbf9d)
  29. 01 Oct, 2015 1 commit
  30. 24 Sep, 2015 1 commit
  31. 20 Sep, 2015 1 commit
  32. 11 Sep, 2015 1 commit
  33. 07 Sep, 2015 1 commit
    • Block detail links - comment, add comment, detail links (BUG 1465107) · 17894563
      Pat Kira authored
      Minor fixes - style login panel,
      display block without content,
      remove some styling on block heading,
      remove get link function for wall block it was duplicated
      Style SSO and Persona login buttons
      behatnotneeded: styling only
      Task 22787, 23057, 22661
      Change-Id: I280947a17727eb1518551bfbb8ad05a0fb2fea80
  34. 14 Aug, 2015 1 commit
    • FIX manage collection pages · 93ac36d9
      Pat Kira authored
      And a small class change on auth/lib.php for Evonne
      Change-Id: I2cfab3e5797598ed1d11693a79a139fbd2ba5927
  35. 11 Aug, 2015 1 commit
  36. 30 Jul, 2015 2 commits
  37. 16 Jul, 2015 1 commit