1. 21 Apr, 2016 1 commit
    • Robert Lyon's avatar
      Bug 1565546: Allowing $cfg setting to be json · af64abec
      Robert Lyon authored
      1) Allowing $CFG to accept json encoded strings and to be decoded back to php
      2) Making the $cfg->openbadgedisplayer_source a json encoded string
      3) Allowing the openbadges have the defaults only on one place and warn when they are missing
      Change-Id: Ica0349d6343d9f608b2272117d7412b288799278
      Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
  2. 18 Apr, 2016 1 commit
    • Aaron Wells's avatar
      Bug 1570744: Fixing session bugs · 83ec33f2
      Aaron Wells authored
      This patch does 2 things:
      1. It loads the session much earlier during init.php. We wind
      up creating one on *every* script load anyway, due to LiveUser's
      constructor. Sometimes it gets created earlier if other code
      tries to use it before then, which adds some unpredictability
      to things. Moving it up to the top of init.php reduces that
      2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
      to only doesn't remove session headers. But header_remove()
      (with no params) to remove *all* cookies does remove them. So
      I'm changing remove_duplicate_cookies() to use that instead.
      3. Also in PHP 5.3, session headers are visible in headers_list().
      In situations where your session id changes (due to session_destroy()
      and session_regenerate_id()), our use of array_unique() meant we
      would preserve the old and new session IDs and send both back
      to the browser. This patch makes remove_duplicate_cookies() aware
      of the current session ID, and it only preserves that one.
      Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
      behatnotneeded: Covered by existing tests
  3. 21 Mar, 2016 1 commit
  4. 28 Feb, 2016 1 commit
    • Aaron Wells's avatar
      Adding some HTTP headers for security (Bug 1531987) · 29656f03
      Aaron Wells authored
      X-XSS-Protection: Tells the browser not to disable XSS protection
      X-Content-Type-Options: Tells the browser not to try to guess at
      mimetypes of downloads
      X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
      alternate crossdomain.xml files (which set the permissions on whether
      this site allows itself to be accessed by scripts in Flash & PDF).
      Prevents an attacker from uploading a more permissive crossdomain.xml
      X-Powered-By: PHP by default sends this header with the current full
      PHP version.
      behatnotneeded: Selenium can't examine HTTP response headers
      Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
  5. 18 Feb, 2016 1 commit
  6. 10 Jan, 2016 2 commits
  7. 15 Dec, 2015 1 commit
    • Aaron Wells's avatar
      Removing obsolete "disablelogin" setting · 0284f9ab
      Aaron Wells authored
      Bug 1526076: I believe the initial intent was that
      Mahara core, and/or each plugin, could add a value
      to its version.php file indicating "disablelogin"
      true or false. And in this way, an upgrade could
      indicate whether it was a small enough upgrade that
      users did not need to log out for it.
      However, in practice this is not practical because
      we don't know what version of Mahara the user is
      upgrading from, and that is what determines whether
      or not it's a "stable" upgrade.
      Additionally, the core disablelogin has been set to true
      for the past 7 years, and the plugin disablelogin
      setting no longer has any effect.
      Removing disablelogin should hopefully make our
      maze of init.php auth_setup() login stuff a little
      bit easier to follow.
      behatnotneeded: Covered by existing tests
      Change-Id: I5f8a2b4faa95b9225bb926de6a54a622ea1a9618
  8. 14 Dec, 2015 1 commit
    • Aaron Wells's avatar
      Rename $CFG->siteclosed to $CFG->siteclosedforupgrade · 1404fe80
      Aaron Wells authored
      Bug 1526101: This should help make it clearer what's going
      on in init.php and the related auth code, by making the
      distinction between $CFG->siteclosed and $CFG->siteclosedbyadmin
      behatnotneeded: Covered by existing tests
      Change-Id: I8bc728622ae965ce25b55ee4b55278771fc1eedc
  9. 12 Dec, 2015 1 commit
  10. 25 Nov, 2015 1 commit
  11. 11 Nov, 2015 1 commit
    • Jono Mingard's avatar
      Remove unused and superfluous JavaScript (Bug #1323920) · a4dc90b3
      Jono Mingard authored
      Some of these files aren't loaded on any pages, some (ie. debug.js)
      are no longer necessary with modern debugging tools, and some have
      been replaced by Bootstrap functionality
      behatnotneeded: should be functionally identical
      Change-Id: I6d1b3874de5d42ccc00a8c0d2bb0e8bc162747d4
  12. 23 Sep, 2015 1 commit
  13. 20 Jun, 2015 1 commit
  14. 15 Jun, 2015 4 commits
  15. 19 May, 2015 1 commit
  16. 27 Mar, 2015 1 commit
    • Aaron Wells's avatar
      Bug 1427901: Performance improvements for cron · b4c1755f
      Aaron Wells authored
      - Cron doesn't need to run auth_setup()
      - Don't run cron when site is closed for upgrade
      - Get rid of forcelocalupgrade() option because it's no longer needed
      Change-Id: I1718b13337c50fadc0573d04f5b3d6b20bc842c2
  17. 02 Mar, 2015 1 commit
  18. 04 Dec, 2014 1 commit
  19. 03 Dec, 2014 1 commit
  20. 30 Oct, 2014 1 commit
  21. 15 Oct, 2014 1 commit
    • Aaron Wells's avatar
      Removing the redundant new local function for style overrides · 20da6bf8
      Aaron Wells authored
      Bug 1346926: This bug replicates the functionality of the
      newly enhanced (in bug 1328310) local/theme directory. I'm
      updating the documentation of local/theme at the same time,
      to try to avoid this kind of replication in future.
      Change-Id: Ia36442ac264f5e0740278592e734ddc0838bb80f
  22. 22 Jul, 2014 1 commit
  23. 30 Jun, 2014 1 commit
  24. 16 Jun, 2014 1 commit
  25. 04 Jun, 2014 1 commit
  26. 29 Jan, 2014 1 commit
  27. 21 Jan, 2014 1 commit
  28. 13 Jan, 2014 1 commit
    • Aaron Wells's avatar
      Silence most E_STRICT errors · 8d17e071
      Aaron Wells authored
      Bug 1268746: In PHP 5.4 E_ALL changed to include E_STRICT, causing Mahara to throw
      a lot of strict standards errors. This should silence most of them.
      HOWEVER, because most strict standards happen at compile-time, this will have no
      effect on strict standards errors caused in the files that have already been
      loaded by the time we call error_reporting() and set_error_handler(), which includes:
       - The file invoked directly by the URL
       - init.php
       - errors.php
       - config.php
       - config-defaults.php
      Change-Id: I7a7fdf7facb1f30e186a0e8a27f1c3b7473200da
  29. 15 Dec, 2013 1 commit
  30. 12 Nov, 2013 1 commit
  31. 06 Nov, 2013 1 commit
  32. 14 Oct, 2013 1 commit
  33. 23 Sep, 2013 1 commit
  34. 18 Jun, 2013 1 commit
    • Aaron Wells's avatar
      Making links to directory index.php files more explicit · 1c56a922
      Aaron Wells authored
      Bug #1150831: Some links to directory index.php files left off the
      trailing slash,
      i.e. "{$WWWROOT}/view". This caused unnecessary redirects and greater
      potential for
      errors in users' web server setups. While I was at it, for all links to
      other than $WWWROOT itself, I changed them to be explicitly links to
      Also fixed the Windows-style line endings in homeinfo.tpl
      Fix all implicit links
      Change-Id: I87b285713e5cb1cfe785ceedd2702e5c2578058b
  35. 01 May, 2013 1 commit
  36. 15 Apr, 2013 1 commit