1. 02 Oct, 2015 2 commits
  2. 20 Nov, 2014 1 commit
    • Session is not invalidating after password change (Bug #1363873) · 26095d3c
      Robert Lyon authored
      Scenario/testing:
      
      - Create an account, say User A and logout as admin.
      - In one browser login (this will be the hacker user)
      - In another browser reset pass via forgotten pass link
      
      What should happen:
      User in browser two should be able to reset pass then navigate about
      as when normally logged in. User in browser one should be forced to
      login again as their user sessionid is not valid anymore.
      
      Before patch:
      malicious user still has access until $USER->logout_time time expires
      
      After patch:
      malicious user forced to re-login straight away on next page load
      
      Change-Id: I42ad907e5ffa7c128742a159116cf20dc6cd9b8a
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  3. 30 Jul, 2014 1 commit
  4. 10 Apr, 2014 1 commit
  5. 09 Apr, 2014 1 commit
  6. 25 Mar, 2014 1 commit
  7. 18 Mar, 2014 1 commit
  8. 12 Mar, 2014 1 commit
  9. 07 Mar, 2014 1 commit
  10. 09 Feb, 2014 1 commit
  11. 24 Jan, 2014 1 commit
    • Allow site_content to be institution specific (bug #1254299) · d268d11b
      Robert Lyon authored
      Changes include:
      - added an institution column to the site_content table
      - added an 'Edit site pages' page under Admin -> Institutions
      that is accessible by institution admins
      - added an 'institution' option to the edit site pages form - this is
      a hidden field if user can edit only one institution.
      
      On upgrade it updates the site_content table to give current data the
      institution on 'mahara' (incl. local site pages) and for each
      institution it replicates the data already in the db for the default site (excl.
      local site pages) so that every site has their own versions, which can
      be adjusted as one sees fit.
      
      On creation of new institution it creates the rows in site_content
      table but with the default strings (like what you see when you first
      install a mahara) but sets the sitepages column in institution table
      to default (mahara). On deletion of institution it removes the rows in
      site_content.
      
      A user on login sees the institution site page based on what
      institution theme they see.
      
      On logout the 'lastinstitution' cookie is set allowing for them to see
      institution specific site pages.
      
      The 'No institution' (mahara) site pages can only be edited through
      Configure site -> Edit site pages.
      
      Also allow for an institution site page to be viewed if 'institution'
      variable is passed to it eg terms.php?institution=testing allowing for
      another way to access info when logged out.
      
      Change-Id: I2ed30b63c15bf676d83eb2231f48c4ca23ce8b53
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  12. 21 Jan, 2014 1 commit
  13. 19 Dec, 2013 1 commit
  14. 15 Dec, 2013 1 commit
  15. 21 Nov, 2013 1 commit
  16. 17 Oct, 2013 1 commit
    • Allowing pieform error text to not be escaped if needed (Bug 1239539) · bf3d14a3
      Robert Lyon authored
      Currently if there is html in an error message used by pieforms it
      escapes the html so the link becomes not usable.
      
      I have made a change where you can tell pieforms not to escape the
      error message.
      
      So instead of using:
      $form->set_error($field, $message);
      
      you can use:
      $form->set_error($field, $message, false);
      
      Where false means do not escape the message.
      
      As the terms and conditions are displayed on the page already I've
      updated the link to jump to the terms section
      
      Change-Id: Ia8650a9f2284fb007cbe81a4a94223f127c4f6cd
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  17. 14 Oct, 2013 1 commit
  18. 24 Sep, 2013 1 commit
  19. 02 Sep, 2013 1 commit
    • Changing PluginAuth API to specifically indicate whether Auth requires remote username · 20512fdb
      Aaron Wells authored
      Bug 1160093: This adds a few new methods to the Auth class, which represents an auth instance:
      
       - is_parent_authority(): Indicates whether this auth instance is a parent authority or not
       - get_parent_authority(): Gets the ID of this auth instance's parent authority
       - needs_remote_username(): Indicates whether this auth instance needs the user to have a
            remote username setting (in auth_remote_user table)
      
      I've also updated the SAML and XMLRPC auth types, which are the only ones that use remote username.
      And I've updated create_user() to automatically populate auth_remote_user() for auth
      instances that use it.
      
      Note that an auth instance of ANY type will need a remote username if it's the parent to another
      authority (the parent feature allows a user to log in via the parent or the child auth instance;
      so it's quite possible for the user to have different usernames in the two of them. Currently
      only XMLRPC uses the parent auth feature.)
      
      Lastly, also updated the documentation of LiveUser->create_user() to indicate that it only
      uses the $remoteauth parameter as a boolean (which was true even before my code changes).
      
      Change-Id: I39b1b74e68cdbc9c2632b886655caaaece1bd312
  20. 15 Aug, 2013 1 commit
  21. 23 Jun, 2013 1 commit
    • Email address in the 'Required profile fields' form must be validated · 032b155d
      Son Nguyen authored
      (bug #1045563)
      
      When a user completes the required profile field,
      1. Check if the email address has been taken
      2. Send a validation email to this address
      
      3. If an email has been sent, display the status message.
      
      When a user validates his/her email address
      4. if it is the primary email, update the email field of the table
      'usr' in DB
      
      Change-Id: Ie3f8268bee9890c7f568a399da4332bb5ab44447
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  22. 17 Jan, 2013 1 commit
  23. 16 Jan, 2013 1 commit
  24. 15 Jan, 2013 1 commit
    • Bug #1097564 Include contact information · 731e8115
      Ali Kaye authored
      Modified mahara.php and lib.php so that when
       a user with an expired account tries to log in
      they are told 'Sorry, your account has expired.
      You can contact the site administrator to have
      the account reactivated,' with a link to the
      'Contact Us' page.
      
      Change-Id: I6b461d40e37a88ac513649a1d4a6d83c5d3711a4
      Signed-off-by: Ali Kaye <alexandrakaye.student@wegc.school.nz>
  25. 19 Nov, 2012 1 commit
  26. 10 Sep, 2012 1 commit
  27. 06 Sep, 2012 1 commit
  28. 03 Sep, 2012 1 commit
  29. 29 Aug, 2012 1 commit
  30. 31 Jul, 2012 1 commit
  31. 30 Jul, 2012 1 commit
  32. 25 Jul, 2012 1 commit
  33. 12 Jul, 2012 1 commit
  34. 23 May, 2012 2 commits
  35. 18 May, 2012 1 commit
    • Add local hooks for registration and user initialisation (bug #1001064) · 5d737aa5
      Richard Mansfield authored
      Three new hooks are added:
      
      local_init_user() - called after $USER is initialised.  This is useful
      for changing the user's theme before $THEME is initialised.
      
      local_register_submit() - called when the registration form is
      successfully submitted, but before the submitted values are saved to
      usr_registration.  This is useful for remembering the properties or
      preferences of the logged-out user when the form was submitted.
      
      local_post_register() - called after a user has successfully been
      created and logged in during registration.  This is useful when
      properties of the user (which may have been saved to usr_registration
      by local_register_submit()) need to be transferred to the newly
      registered user.
      
      Change-Id: Ifcb19737bdcecb550185624f2fd78e541690a337
      Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
  36. 15 May, 2012 1 commit
    • Add ability to register with a BrowserID (bug #986004) · a5a97f21
      Hugh Davenport authored
      When a user clicks on "BrowserID Login", one of three things will happen
      1- If they have an account, they will login
      2- If they don't, but one authinstance with browserid is present
          AND it has weautocreateusers enabled, then they will get an account
          in that institution, and login
      3- If none of the above is true, they will get redirected to a register
          page, which follows same self registration pattern as the internal
          authentication with the "confirm email" step removed.
      
      Change-Id: Idde3166e0664bf2acdc1da32271125e91d43af9c
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  37. 01 May, 2012 2 commits