Skip to content

GitLab

Switch branch/tag
  1. 02 Oct, 2015 2 commits
  3. 20 Nov, 2014 1 commit
    • Robert Lyon's avatar
      Session is not invalidating after password change (Bug #1363873) · 26095d3c
      Robert Lyon authored 
      

Scenario/testing:

- Create an account, say User A and logout as admin.
- In one browser login (this will be the hacker user)
- In another browser reset pass via forgotten pass link

What should happen:
User in browser two should be able to reset pass then navigate about
as when normally logged in. User in browser one should be forced to
login again as their user sessionid is not valid anymore.

Before patch:
malicious user still has access until $USER->logout_time time expires

After patch:
malicious user foreced to re-login straight away on next page load

Change-Id: I42ad907e5ffa7c128742a159116cf20dc6cd9b8a
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
      26095d3c
  5. 30 Jul, 2014 1 commit
  7. 10 Apr, 2014 1 commit
  9. 09 Apr, 2014 1 commit
  11. 25 Mar, 2014 1 commit
  13. 18 Mar, 2014 1 commit
  15. 12 Mar, 2014 1 commit
  17. 07 Mar, 2014 1 commit
  19. 09 Feb, 2014 1 commit
  21. 24 Jan, 2014 1 commit
    • Robert Lyon's avatar
      Allow site_content to be institution specific (bug #1254299) · d268d11b
      Robert Lyon authored 
      

Changes include:
- added an institution column to the site_content table
- added an 'Edit site pages' page under Admin -> Institutions
that is accessibe by institution admins
- added an 'institution' option to the edit site pages form - this is
a hidden field if user can edit only one institution.

On upgrade it updates the site_content table to give current data the
institution on 'mahara' (incl. local site pages) and for each
institution it replicates the data already in the db for the default site (excl.
local site pages) so that every site has their own versions, which can
be adjusted as one sees fit.

On creation of new institution it creates the rows in site_content
table but with the default strings (like what you see when you first
install a mahara) but sets the sitepages column in institution table
to default (mahara). On deletion of institution it removes the rows in
site_content.

A user on login sees the institution site page based on what
institution theme they see.

On logout the 'lastinstitution' cookie is set allowing for them to see
institution specific site pages.

The 'No institution' (mahara) site pages can only be edited through
Configure site -> Edit site pages.

Also allow for an institution site page to be viewed if 'institution'
variable is passed to it eg terms.php?institution=testing allowing for
another way to access info when logged out.

Change-Id: I2ed30b63c15bf676d83eb2231f48c4ca23ce8b53
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
      d268d11b
  23. 21 Jan, 2014 1 commit
  25. 19 Dec, 2013 1 commit
  27. 15 Dec, 2013 1 commit
  29. 21 Nov, 2013 1 commit
  31. 17 Oct, 2013 1 commit
    • Robert Lyon's avatar
      Allowing pieform error text to not be escaped if needed (Bug 1239539) · bf3d14a3
      Robert Lyon authored 
      

Currently if there is html in an error message used by pieforms it
escapes the html so the link becomes not usable.

I have made a change where you can tell pieforms not to escape the
error message.

So instead of using:
$form->set_error($field, $message);

you can use:
$form->set_error($field, $message, false);

Where false means do not escape the message.

As the terms and conditions are displayed on the page already I've
updated the link to jump to the terms section

Change-Id: Ia8650a9f2284fb007cbe81a4a94223f127c4f6cd
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
      bf3d14a3
  33. 14 Oct, 2013 1 commit
  35. 24 Sep, 2013 1 commit
  37. 02 Sep, 2013 1 commit
    • Aaron Wells's avatar
      Changing PluginAuth API to specifically indicate whether Auth requires remote username · 20512fdb
      Aaron Wells authored 
      Bug 1160093: This adds a few new methods to the Auth class, which represents an auth instance:

 - is_parent_authority(): Indicates whether this auth instance is a parent authority or not
 - get_parent_authority(): Gets the ID of this auth instance's parent authority
 - needs_remote_username(): Indicates whether this auth instance needs the user to have a
      remote username setting (in auth_remote_user table)

I've also updated the SAML and XMLRPC auth types, which are the only ones that use remote username.
And I've updated create_user() to automatically populate auth_remote_user() for auth
instances that use it.

Note that an auth instance of ANY type will need a remote username if it's the parent to another
authority (the parent feature allows a user to log in via the parent or the child auth instance;
so it's quite possible for the user to have different usernames in the two of them. Currently
only XMLRPC uses the parent auth feature.)

Lastly, also updated the documentation of LiveUser->create_user() to indicate that it only
uses the $remoteauth parameter as a boolean (which was true even before my code changes).

Change-Id: I39b1b74e68cdbc9c2632b886655caaaece1bd312
      20512fdb
  39. 15 Aug, 2013 1 commit
  41. 23 Jun, 2013 1 commit
    • Son Nguyen's avatar
      Email address in the 'Required profile fields' form must be validated · 032b155d
      Son Nguyen authored 
      

(bug #1045563)

When an user complete the required profile field,
1. Check if the email address has been taken
2. Send a validation email to this address

3. If an email has been sent, display the status message.

When an user validate his/her email address
4. if it is the primary email, update the email field of the table
'usr' in DB

Change-Id: Ie3f8268bee9890c7f568a399da4332bb5ab44447
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
      032b155d
  43. 17 Jan, 2013 1 commit
  45. 16 Jan, 2013 1 commit
  47. 15 Jan, 2013 1 commit
    • Ali Kaye's avatar
      Bug #1097564 Include contact information · 731e8115
      Ali Kaye authored 
      

Modified mahara.php and lib.php so that when
 a user with an expired account tries to log in
they are told 'Sorry, your account has expired.
You can contact the site administrator to have
the account reactivated,' with a link to the
'Contact Us' page.

Change-Id: I6b461d40e37a88ac513649a1d4a6d83c5d3711a4
Signed-off-by: default avatarAli Kaye <alexandrakaye.student@wegc.school.nz>
      731e8115
  49. 19 Nov, 2012 1 commit
  51. 10 Sep, 2012 1 commit
  53. 06 Sep, 2012 1 commit
  55. 03 Sep, 2012 1 commit
  57. 29 Aug, 2012 1 commit
  59. 31 Jul, 2012 1 commit
  61. 30 Jul, 2012 1 commit
  63. 25 Jul, 2012 1 commit
  65. 12 Jul, 2012 1 commit
  67. 23 May, 2012 2 commits
  69. 18 May, 2012 1 commit
    • Richard Mansfield's avatar
      Add local hooks for registration and user initialisation (bug #1001064) · 5d737aa5
      Richard Mansfield authored 
      

Three new hooks are added:

local_init_user() - called after $USER is initialised.  This is useful
for changing the user's theme before $THEME is initialised.

local_register_submit() - called when the registration form is
successfully submitted, but before the submitted values are saved to
usr_registration.  This is useful for remembering the properties or
preferences of the logged-out user when the form was submitted.

local_post_register() - called after a user has successfully been
created and logged in during registration.  This is useful when
properties of the user (which may have been saved to usr_registration
by local_register_submit()) need to be transferred to the newly
registered user.

Change-Id: Ifcb19737bdcecb550185624f2fd78e541690a337
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
      5d737aa5
  71. 15 May, 2012 1 commit
    • Hugh Davenport's avatar
      Add ability to register with a BrowserID (bug #986004) · a5a97f21
      Hugh Davenport authored 
      

When a user clicks on "BrowserID Login", one of three things will happen
1- If they have an account, they will login
2- If they don't but there is one authinstance with browserid is present
    AND it has weautocreateusers enabled, then they will get an account
    in that institution, and login
3- If none of the above is true, they will get redirected to a register
    page, which follows same self registration pattern as the internal
    authentication with the "confirm email" step removed.

Change-Id: Idde3166e0664bf2acdc1da32271125e91d43af9c
Signed-off-by: default avatarHugh Davenport <hugh@catalyst.net.nz>
      a5a97f21
  73. 01 May, 2012 2 commits