Skip to content
GitLab
Switch branch/tag
  1. 24 Jan, 2019 1 commit
  3. 18 Oct, 2018 1 commit
  5. 13 Sep, 2018 1 commit
  7. 31 Aug, 2018 1 commit
  9. 30 Aug, 2018 1 commit
  11. 18 Aug, 2018 1 commit
  13. 14 Aug, 2018 1 commit
  15. 07 Mar, 2018 1 commit
  17. 23 Feb, 2018 1 commit
    • Glenn Walbran's avatar
      Bug 1729079: Create a mechanism to build manual links · dbf1ef2b
      Glenn Walbran authored and Robert Lyon's avatar Robert Lyon committed 
      This commits adds a mechanism that will build links to the manual pages
such that:

- user's language is used if manual exists in that language, else en
- the manual for this mahara/series is used

The key -> manual page map will need to be populated and these links added to
pages.

Change-Id: Id7871395821dce660841341dda200f231e75de16
      dbf1ef2b
  19. 21 Feb, 2018 1 commit
  21. 26 Dec, 2017 1 commit
  23. 30 Nov, 2017 1 commit
  25. 19 Nov, 2017 1 commit
    • Ilya Tregubov's avatar
      Bug 1685049: Remote file system modification · 78c87713
      Ilya Tregubov authored 
      behatnotneeded

Enables Mahara to save files to an external file system
- object storage (such as AWS's S3) -
which can reduce the cost of storage

Change-Id: I76822612f2922ba0ef2a0b7a4efb9cd2b96979a6
      78c87713
  27. 30 Mar, 2017 1 commit
    • Kristina Hoeppner's avatar
      Bug 1677087: Various lang string updates · 1881391a
      Kristina Hoeppner authored and Robert Lyon's avatar Robert Lyon committed 
      Some string IDs changed so that they are
picked up by the translators while others
aren't changed when they are just changes
for English.

behatnotneeded

Change-Id: I9afb8980492937f361e6e35361245c689b5a4413
      1881391a
  29. 22 Dec, 2016 1 commit
  31. 08 Aug, 2016 1 commit
    • Aaron Wells's avatar
      Bug 1570221 Don't print parameter values to logs when in production mode · 9a297249
      Aaron Wells authored and Robert Lyon's avatar Robert Lyon committed 
      The best way to prevent sensitive data from being printed to the logs
is to avoid printing the value of *any* parameter. For instance, a
password parameter may have an unusual name, or it may be passed
through a general-purpose function like "strlen()".

Since parameter values are useful for debugging, we can still print
them when not in production mode (although with known password
params still scrubbed out).

Note this patch both scrubs likely password params, and hides their
scrubbed value. That's mostly because I'm lazy, but it also obscures
the password's actual length.

Change-Id: I4a1ab4c89a169c6b29a7b63384c2412cee761ab7
behatnotneeded: Can't test with behat
      9a297249
  33. 05 Jul, 2016 1 commit
  35. 08 Jun, 2016 1 commit
    • Aaron Wells's avatar
      Bug 1588613: Later session start so we can use DB config table · 12cb73cf
      Aaron Wells authored 
      The session init code relies on $CFG->session_timeout, which is
normally defined in the config table. So, we need to start the
session after opening the database connection.

(In the event that there's an earlier session start, for instance
due to an error message, this will cause the session for that
page load to disregard any database config values. But that's not
a show-stopper, and there's no easy way to fix it.)

Change-Id: Iffbeebc8e92929970a558ff0fbc726719bb92741
behatnotneeded: Covered by existing tests
      12cb73cf
  37. 12 May, 2016 1 commit
  39. 21 Apr, 2016 1 commit
    • Robert Lyon's avatar
      Bug 1565546: Allowing $cfg setting to be json · af64abec
      Robert Lyon authored 
      

1) Allowing $CFG to accept json encoded strings and to be decoded back to php
2) Making the $cfg->openbadgedisplayer_source a json encoded string
3) Allowing the openbadges have the defaults only on one place and warn when they are missing

behatnotneeded

Change-Id: Ica0349d6343d9f608b2272117d7412b288799278
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
      af64abec
  41. 18 Apr, 2016 1 commit
    • Aaron Wells's avatar
      Bug 1570744: Fixing session bugs · 83ec33f2
      Aaron Wells authored 
      This patch does 2 things:

1. It loads the session much earlier during init.php. We wind
up creating one on *every* script load anyway, due to LiveUser's
constructor. Sometimes it gets created earlier if other code
tries to use it before then, which adds some unpredictability
to things. Moving it up to the top of init.php reduces that
unpredictability.

2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
to only doesn't remove session headers. But header_remove()
(with no params) to remove *all* cookies does remove them. So
I'm changing remove_duplicate_cookies() to use that instead.

3. Also in PHP 5.3, session headers are visible in headers_list().
In situations where your session id changes (due to session_destroy()
and session_regenerate_id()), our use of array_unique() meant we
would preserve the old and new session IDs and send both back
to the browser. This patch makes remove_duplicate_cookies() aware
of the current session ID, and it only preserves that one.

Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
behatnotneeded: Covered by existing tests
      83ec33f2
  43. 21 Mar, 2016 1 commit
  45. 28 Feb, 2016 1 commit
    • Aaron Wells's avatar
      Adding some HTTP headers for security (Bug 1531987) · 29656f03
      Aaron Wells authored 
      X-XSS-Protection: Tells the browser not to disable XSS protection

X-Content-Type-Options: Tells the browser not to try to guess at
mimetypes of downloads

X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml

X-Powered-By: PHP by default sends this header with the current full
PHP version.

behatnotneeded: Selenium can't examine HTTP response headers

Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
      29656f03
  47. 18 Feb, 2016 1 commit
  49. 10 Jan, 2016 2 commits
  51. 15 Dec, 2015 1 commit
    • Aaron Wells's avatar
      Removing obsolete "disablelogin" setting · 0284f9ab
      Aaron Wells authored 
      Bug 1526076: I believe the initial intent was that
Mahara core, and/or each plugin, could add a value
to its version.php file indicating "disablelogin"
true or false. And in this way, an upgrade could
indicate whether it was a small enough upgrade that
users did not need to log out for it.

However, in practice this is not practical because
we don't know what version of Mahara the user is
upgrading from, and that is what determines whether
or not it's a "stable" upgrade.

Additionally, the core disablelogin has been set to true
for the past 7 years, and the plugin disablelogin
setting no longer has any effect.

Removing disablelogin should hopefully make our
maze of init.php auth_setup() login stuff a little
bit easier to follow.

behatnotneeded: Covered by existing tests

Change-Id: I5f8a2b4faa95b9225bb926de6a54a622ea1a9618
      0284f9ab
  53. 14 Dec, 2015 1 commit
    • Aaron Wells's avatar
      Rename $CFG->siteclosed to $CFG->siteclosedforupgrade · 1404fe80
      Aaron Wells authored 
      Bug 1526101: This should help make it clearer what's going
on in init.php and the related auth code, by making the
distinction between $CFG->siteclosed and $CFG->siteclosedbyadmin
clearer.

behatnotneeded: Covered by existing tests

Change-Id: I8bc728622ae965ce25b55ee4b55278771fc1eedc
      1404fe80
  55. 12 Dec, 2015 1 commit
  57. 25 Nov, 2015 1 commit
  59. 11 Nov, 2015 1 commit
    • Jono Mingard's avatar
      Remove unused and superfluous JavaScript (Bug #1323920) · a4dc90b3
      Jono Mingard authored 
      Some of these files aren't loaded on any pages, some (ie. debug.js)
are no longer necessary with modern debugging tools, and some have
been replaced by Bootstrap functionality

behatnotneeded: should be functionally identical

Change-Id: I6d1b3874de5d42ccc00a8c0d2bb0e8bc162747d4
      a4dc90b3
  61. 23 Sep, 2015 1 commit
  63. 20 Jun, 2015 1 commit
  65. 15 Jun, 2015 4 commits
  67. 19 May, 2015 1 commit
  69. 27 Mar, 2015 1 commit
    • Aaron Wells's avatar
      Bug 1427901: Performance improvements for cron · b4c1755f
      Aaron Wells authored 
      - Cron doesn't need to run auth_setup()
- Don't run cron when site is closed for upgrade
- Get rid of forcelocalupgrade() option because it's no longer needed

Change-Id: I1718b13337c50fadc0573d04f5b3d6b20bc842c2
      b4c1755f
  71. 02 Mar, 2015 1 commit