When the site is an https site

behatnotneeded

Change-Id: Ic10204bc19f0dd729ac7a884423be4783a59749e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

behatnotneeded

Enables Mahara to save files to an external file system
- object storage (such as AWS's S3) -
which can reduce the cost of storage

Change-Id: I76822612f2922ba0ef2a0b7a4efb9cd2b96979a6

Some string IDs changed so that they are
picked up by the translators while others
aren't changed when they are just changes
for English.

behatnotneeded

Change-Id: I9afb8980492937f361e6e35361245c689b5a4413

mysql php module is not supported any more.
mysqli should be used instead and show an error if not.

behatnotneeded

Change-Id: I018b5117f33ed6788be45a756b045870156833da

The best way to prevent sensitive data from being printed to the logs
is to avoid printing the value of *any* parameter. For instance, a
password parameter may have an unusual name, or it may be passed
through a general-purpose function like "strlen()".

Since parameter values are useful for debugging, we can still print
them when not in production mode (although with known password
params still scrubbed out).

Note this patch both scrubs likely password params, and hides their
scrubbed value. That's mostly because I'm lazy, but it also obscures
the password's actual length.

Change-Id: I4a1ab4c89a169c6b29a7b63384c2412cee761ab7
behatnotneeded: Can't test with behat

behatnotneeded

Change-Id: Ia73346aa5a71952ee01d4955b864c7f2573d4a03

The session init code relies on $CFG->session_timeout, which is
normally defined in the config table. So, we need to start the
session after opening the database connection.

(In the event that there's an earlier session start, for instance
due to an error message, this will cause the session for that
page load to disregard any database config values. But that's not
a show-stopper, and there's no easy way to fix it.)

Change-Id: Iffbeebc8e92929970a558ff0fbc726719bb92741
behatnotneeded: Covered by existing tests

When trying to start behat test without setting behat config vars

behatnotneeded

Change-Id: I47b4e741aacbfe794339ef6771b0c0aee948fe45
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

1) Allowing $CFG to accept json encoded strings and to be decoded back to php
2) Making the $cfg->openbadgedisplayer_source a json encoded string
3) Allowing the openbadges have the defaults only on one place and warn when they are missing

behatnotneeded

Change-Id: Ica0349d6343d9f608b2272117d7412b288799278
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

This patch does 2 things:

1. It loads the session much earlier during init.php. We wind
up creating one on *every* script load anyway, due to LiveUser's
constructor. Sometimes it gets created earlier if other code
tries to use it before then, which adds some unpredictability
to things. Moving it up to the top of init.php reduces that
unpredictability.

2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
to only doesn't remove session headers. But header_remove()
(with no params) to remove *all* cookies does remove them. So
I'm changing remove_duplicate_cookies() to use that instead.

3. Also in PHP 5.3, session headers are visible in headers_list().
In situations where your session id changes (due to session_destroy()
and session_regenerate_id()), our use of array_unique() meant we
would preserve the old and new session IDs and send both back
to the browser. This patch makes remove_duplicate_cookies() aware
of the current session ID, and it only preserves that one.

Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
behatnotneeded: Covered by existing tests

Add behat tests

Change-Id: I905af729d2cda76d5c6ff31b29b9d21c3dc67505

X-XSS-Protection: Tells the browser not to disable XSS protection

X-Content-Type-Options: Tells the browser not to try to guess at
mimetypes of downloads

X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml

X-Powered-By: PHP by default sends this header with the current full
PHP version.

behatnotneeded: Selenium can't examine HTTP response headers

Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357

Fix behat step definitions, features

Change-Id: I2bf4e94804b9e86c4e54e5f9e66af233b3f86abf

This reverts commit a8289074.

Change-Id: I36b8754a592c98b0b1a81964028870283931029c

behatnotnedded

Change-Id: Iaffc0dca9c98ee96c38c1ad9ecb060faa543f76d

Bug 1526076: I believe the initial intent was that
Mahara core, and/or each plugin, could add a value
to its version.php file indicating "disablelogin"
true or false. And in this way, an upgrade could
indicate whether it was a small enough upgrade that
users did not need to log out for it.

However, in practice this is not practical because
we don't know what version of Mahara the user is
upgrading from, and that is what determines whether
or not it's a "stable" upgrade.

Additionally, the core disablelogin has been set to true
for the past 7 years, and the plugin disablelogin
setting no longer has any effect.

Removing disablelogin should hopefully make our
maze of init.php auth_setup() login stuff a little
bit easier to follow.

behatnotneeded: Covered by existing tests

Change-Id: I5f8a2b4faa95b9225bb926de6a54a622ea1a9618

Bug 1526101: This should help make it clearer what's going
on in init.php and the related auth code, by making the
distinction between $CFG->siteclosed and $CFG->siteclosedbyadmin
clearer.

behatnotneeded: Covered by existing tests

Change-Id: I8bc728622ae965ce25b55ee4b55278771fc1eedc

Phpunit tests cannot run if Mahara is not installed but doesn't give
any warning to this fact

Change-Id: Ie8aecf35fef730adbb42856da13ff712ed8505d5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Set the state of the libxml entity loader & use internal
errors settings, back to what they were before we called
them, as a workaround to https://bugs.php.net/bug.php?id=64938,
which causes them to be shared by all threads in a single
process.

behatnotneeded

Change-Id: I0720146b1e91c24095a18636e09981830ef4ce8f
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Some of these files aren't loaded on any pages, some (ie. debug.js)
are no longer necessary with modern debugging tools, and some have
been replaced by Bootstrap functionality

behatnotneeded: should be functionally identical

Change-Id: I6d1b3874de5d42ccc00a8c0d2bb0e8bc162747d4

Change-Id: I5c147bf0ab19e02718666d16ee52f58a74e926b7
behatnotneeded: Covered by existing tests

Change-Id: Iae1f93c0129c1396aca633756b271fb41360836f

Bug 1465107: Use Bootstrap CSS Framework
EG:  '10.0.19'  <  '5.0.25'  evaluates as false

Change string check to check float value instead.

Change-Id: I27809e38a176e0f6b5182f878904c28a772cda6e

Bug 1465107: Use Bootstrap CSS Framework

Change-Id: I9441f1f0fd89623e1cf5c84d888b0d4b5358e20c

Bug 1465107: Use Bootstrap CSS Framework

Change-Id: I1f631d6f2637b22e00ea9e0972f0447a52304f4c

Bug 1465107: Use Bootstrap CSS Framework

Change-Id: I2b5928352dc8675162e6f5e00b3424b82456e382

In case the site has port specified in its server['HOST'].

Change-Id: Ia033270487a14a537dada5697b8c2d3848d490fa
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

- Cron doesn't need to run auth_setup()
- Don't run cron when site is closed for upgrade
- Get rid of forcelocalupgrade() option because it's no longer needed

Change-Id: I1718b13337c50fadc0573d04f5b3d6b20bc842c2

We seem to be calling it on every page load - so for a page with lots
of blocks it means a lot of calls.

When really we should call it once when a user first arrives as they
won't be switching devices during their session.

Change-Id: Id939ad83c5acfdbcdd358691def25bd2e5f5a592
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Changing the value from postgres7 to postgres as we are really only
supporting postgres 8.3+

Also updated the list of reserved keywords to contain all the reserved keywords
that exist in postgres 8.3.
And added new postgres 9.3 reserved words to end of list

Change-Id: Ia233b8f21bff9983cf6918691283886467a607e4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Change-Id: I7a1f7d42d9739a9ab1507d56aaf3a51ee0e7ef1a

Bug 1387903

Change-Id: I369d58f85c944f4be2bc2965c080b2c4c86dadc1

Bug 1346926: This bug replicates the functionality of the
newly enhanced (in bug 1328310) local/theme directory. I'm
updating the documentation of local/theme at the same time,
to try to avoid this kind of replication in future.

Change-Id: Ia36442ac264f5e0740278592e734ddc0838bb80f

Bug 1268746

Change-Id: I438629b7bb03590b4f5875c07381f500569c80d1

Bug 547932: The module bootstrap code relies on the existence of the
module_installed table, which isn't present until after you upgrade.

Change-Id: I34075dec8e4d8671b71b3023774b44343a5d50ca

Change-Id: I5558449a0d5c4911bfaec166d185ebd1da863f1c
Signed-off-by: Valerii Kuznetsov <valerii.kuznetsov@totaralms.com>

As vetted in the May 2014 dev meeting
http://meetbot.mahara.org/mahara-dev/2014/mahara-dev.2014-05-01-08.01.log.html

Change-Id: I353ed74d69a5346fbe4e8e521e5c349dbe8dcbac

- TO DO: will need to make sure that the results returned by public
search are allowed to be seen by the public

Change-Id: I1787bd1ba0f26d5f7ea86d5d7f1562987f98381c
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

This reverts commit 1cdc0486.

The JSDetector class has caused three regressions so far (Bug 1270846,
Bug 1261610, and Bug 1268788). Since it's been buggy and it's not
actively in use anywhere in the site, I think we should revert it.

Change-Id: If32d5adf8733ce3f455aab09a5d138c7707ae95d

Bug 1268746: In PHP 5.4 E_ALL changed to include E_STRICT, causing Mahara to throw
a lot of strict standards errors. This should silence most of them.

HOWEVER, because most strict standards happen at compile-time, this will have no
effect on strict standards errors caused in the files that have already been
loaded by the time we call error_reporting() and set_error_handler(), which includes:
 - The file invoked directly by the URL
 - init.php
 - errors.php
 - config.php
 - config-defaults.php

Change-Id: I7a7fdf7facb1f30e186a0e8a27f1c3b7473200da