GitLab

The best way to prevent sensitive data from being printed to the logs
is to avoid printing the value of *any* parameter. For instance, a
password parameter may have an unusual name, or it may be passed
through a general-purpose function like "strlen()".

Since parameter values are useful for debugging, we can still print
them when not in production mode (although with known password
params still scrubbed out).

Note this patch both scrubs likely password params, and hides their
scrubbed value. That's mostly because I'm lazy, but it also obscures
the password's actual length.

Change-Id: I4a1ab4c89a169c6b29a7b63384c2412cee761ab7
behatnotneeded: Can't test with behat

The warning is
PHP Fatal error:  Class 'Session' not found in htdocs/lib/errors.php on line 128

behatnotneeded

Change-Id: I8ebbc6d427d59e7a3515b09ee5b1f67c14957122
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Bug 1575969. In PHP7 some errors throw an Error object (to
the exception handler) instead of generating an error
(handled by the error handler). The official way to make
an exception handler that will work in PHP 5 & 7, is to
leave off the parameter's type declaration.

Change-Id: I5fc1c3765d5a311eb499d62915e676f8d9ee07a0
behatnotneeded: Covered by existing tests

Rather than having an increasing list of specific parameters
that we know to have passwords, this patch censors the content
of any parameter with a name that contains the string "password"
or "pw".

behatnotneeded: Can't test with Behat

Change-Id: Ifaa2ec10cf749c173b1a8d0928c6cc052124a83f

Some of these files aren't loaded on any pages, some (ie. debug.js)
are no longer necessary with modern debugging tools, and some have
been replaced by Bootstrap functionality

behatnotneeded: should be functionally identical

Change-Id: I6d1b3874de5d42ccc00a8c0d2bb0e8bc162747d4

To allow us to show a more detailed error message if site admin (not
belonging to the group) goes to review an objectionable group page
or group forum topic that has already been sorted out.

Change-Id: If4785528bfe29736542972adce7609cdb0522248
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Change-Id: Ia83d2cd8b5f7b971098daf580839bd61f08be354
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>

Change-Id: I13de527f16370f4c37e95421750d625fab636fe4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Scrub the password from the error output and turn it into stars

Change-Id: Ie3cbf485ea2173e74364ae8505615a74b8f1c248
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Bug 1268746: In PHP 5.4 E_ALL changed to include E_STRICT, causing Mahara to throw
a lot of strict standards errors. This should silence most of them.

HOWEVER, because most strict standards happen at compile-time, this will have no
effect on strict standards errors caused in the files that have already been
loaded by the time we call error_reporting() and set_error_handler(), which includes:
 - The file invoked directly by the URL
 - init.php
 - errors.php
 - config.php
 - config-defaults.php

Change-Id: I7a7fdf7facb1f30e186a0e8a27f1c3b7473200da

- have updated copyright for the pages that had existing copyright
notices (except for the lib/pieforms/ section as i'm not too sure if
that needs changing as it is a different Catalyst IT product)

Change-Id: I11c65ad26cb9cd856cf16b1dccbd4223ba086645
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>

Bug 1168213

Change-Id: Ic5a1d6a630341955477b0544293173bcb8d57435

see also https://mahara.org/interaction/forum/topic.php?id=4404

Change-Id: Iab8524b3f1f86ceacb9854d57cdd00e62aa5e32f
Signed-off-by: Gregor Anzelj <gregor.anzelj@gmail.com>
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>

Spelling corrected only for strings that appear
in Mahara code. Third-party code has not been
touched.

Change-Id: Ic3556fb19aa14a231f30a91d810134ed0e4e2889
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

When a page at a user subdomain such as http://bob.example.com/my-page
is requested by a logged out user, ensure that the user is redirected
to a login page that works, rather than to http://example.com/my-page.

Because the existing get_full_script_path() function is currently
unused, this function is modified to call get_requested_host_name(),
and then used in the AccessDeniedException for the login form
redirect.

Change-Id: I182adeb1a83363512dfde638f2aad23b1d69bcb4
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Bug #1006634, part 3

Replaces a bunch of hardcoded group/view.php urls with calls to
group_homepage_url, in a few cases where it is obvious that the urlid
property is already part of the group object available at that point.

Change-Id: I7475d378d406a55e30c597442117dfbe58ffdc00
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

In strings outside the admin area, the user should usually see the
site name rather than 'Mahara', because they don't care what the
software's called.

Change-Id: Ic876a2cd4971315bc4ac8dd62a9ae1272b89d8e9
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

When an exception occurs in a command line upgrade, the message should
be output as text rather than an html page, to make it easier to read.

Change-Id: I458ba57c05fff2f76b42a73d021058c0feee5f47
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

This is a combination of Penny Leach's work and my fixes to integrate
the phpunit unit testing framework into Mahara

Change-Id: Id3328a3cb4cd505a67e7fd521b92c424543ee960
Signed-off-by: Penny Leach <penny@mjollnir.org>
Signed-off-by: Andrew Robert Nicols <andrew.nicols@luns.net.uk>

The four existing jointypes, 'open', 'controlled', 'request' and
'invite' are mutually exclusive, but they don't need to be so strict.
This patch introduces more flexibility in the way groups allow new
members to join.

* Group admins can always send membership invitations to a group, even
  if it's open or controlled
* Membership requests can be enabled for any group unless it has open
  membership.
* The grouptype now determines the set of roles available to a group,
  but no longer restricts the available join types.

The db upgrade will preserve existing behaviour apart from enabling
invitations on open, request, and controlled groups.

Change-Id: I8bb0940a37f3c0c36366c1d5b8d27e8b9914a7e3
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

If a missing file is found during export, instead of failing, just skip
the artefact and continue, displaying a message when the export file is
served.

Change-Id: I37d3410e7e8fb9acf4bf07d8bc901f2c6dc8fc0f
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

These closing tags are unnecessary and against our coding
guidelines. Let's get rid of them all in one go.

Change-Id: Ia94f103e525185597ee3780a3839d7577cdd0c29
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Set LOG_TARGET_FILE default in errors.php; remove misleading dataroot reference from config-defaults (bug #738265)
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Martyn Smith is apparently the only one who's ever used the
copy of firebug-lite that's built into Mahara.

It no longer seems all that useful now that all browsers
(incl. IE) have proper Firebug-like functionality.
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

Signed-off-by: Dan Marsden <dan@catalyst.net.nz>

Ignore exceptions thrown by smarty() calls in the middle of exception handling. Avoids some 'exception thrown without a stack frame' errors.
Signed-off-by: Richard Mansfield <richardm@catalyst.net.nz>

This is necessary as lots of places in Mahara throw exceptions with no
messages, as none are required, for example AccessDeniedException.
Signed-off-by: Penny Leach <penny@mjollnir.org>

Signed-off-by: Penny Leach <penny@mjollnir.org>

Signed-off-by: Andrew Robert Nicols <andrew.nicols@luns.net.uk>

I left the $exporter object as the first argument though in case we add
one later.
Signed-off-by: Penny Leach <penny@mjollnir.org>

It currently non discriminately calls ->cleanup on its first argument,
the importer object, which may not actually be set yet
Signed-off-by: Penny Leach <penny@mjollnir.org>

This will prevent notices every request on PHP 5.1.
Signed-off-by: Nigel McNie <nigel@catalyst.net.nz>

Missing these meant we were missing a whole class of errors, most
notably, when type hints were being ignored.
Signed-off-by: Nigel McNie <nigel@catalyst.net.nz>

integrating dwoo into mahara, includes many small templates changes, smarty plugins ported to dwoo syntax as well as the custom mahara resource types ported to dwoo templates
Signed-off-by: Jordi Boggiano <j.boggiano@seld.be>

This isn't enabled by default, but might help some people. Also, the
importer can use it to log debugging output.
Signed-off-by: Nigel McNie <nigel@catalyst.net.nz>