Some older versions of Mahara didn't enforce a record in group_member for the owner. Take this into account when upgrading.

group_user_access reutrns the role that a given user has in a group.

Does not include roleinstances like we thought it would, it turns out they are unnecessary.

May need more testing with more data, but they don't cause errors any more.

Renamed setup_groups to a more descriptive name.

Took away the check that means group owners can't leave groups for a bit. The implementation of this will need revisiting.

This will be broken until I write a database patch. But the appropriate data is inserted into the group tables when a group is created now.

A directory structure has been added in lib/ for grouptypes, and the skeletons for the standard and course ones are in place.

The group creation page shows the dropdown used for selecting group type/join type. Although currently creation itself is broken.

Otherwise, the user sees the message no matter what when forced to change their password, which looks stupid.

Remove the last remnants of the myportfolio theme, and fix a bug that causes a crash when choosing themes without a config.php

Now it is expected that all themes have a config.php.
(cherry picked from commit ed48e680)

This at least gives admins the chance of doing this if they want to.

(cherry picked from commit 879f456e)

It's much less ambiguous. Should help with users confused as to what it does.
(cherry picked from commit 15cfe974)

This makes it easy to tell when you are doing this on all pages - not just on pages where the sidebar is visible.
(cherry picked from commit ba080c55)

Fixed 'viewreleased{subject,message}' broken language strings in notifications. Part of the fix for #2271.
(cherry picked from commit 0a7f07f0)

There's no need to reveal this information, as the Mahara version is not revealed elsewhere.
(cherry picked from commit fb830d75)

(cherry picked from commit ea02642a)

Take into account the install subdirectory when redirecting users because of access denied. Fixes #2259.
(cherry picked from commit c93adecb)

The previous patch to that part of the code instead made it so you couldn't kick anyone out if the group ID equaled the group ID, which of course it always does.
(cherry picked from commit bec4d579)

(cherry picked from commit bfefe0b6)

Use the actual group ID on on the interaction delete page, rather than the interaction ID. Fixes #2241.

This was potentially a small security hole too - before, it would allow users who had permissions to delete a forum with an ID the same as an interaction they were allowed control over. But it's a terribly blind attack at the best of times.
(cherry picked from commit d265d0b2)

The XML extension is needed by the RSS blocktype to parse RSS feeds. To be honest, I'm surprised it wasn't needed before to parse the install.xml files.
(cherry picked from commit d49f1ab0)

Improved the wording for the Upload CSV page, especially in the case of institutional admins. Fixes #2214.

Previously, Institutional Admins were given links to pages they couldn't edit.

We haven't been clearing out session files since I first chose to make us hash the session directory back in 2006. Talk about a timebomb...

The cron job uses `find' and `xargs' to do the removing. These tools are required on debian (as part of findutils), and are installed in /usr/bin. I haven't bothered with a configuration directive for specifying a path to them for now, but that might be necessary later.
(cherry picked from commit 335d66a7)

Make usernames unique over their lowercase values, and put validation in everywhere so two users can't do this again.

Usernames _are_ meant to be case insensitive in the system. But at no point where users could be created (except for XMLRPC users), was this actually being enforced. So eventually someone actually did this, which caused login for both users to break.

Now, all entry points for new users are checked to make sure users can't claim names whose lowercase value is the same as another user. And on postgres, we now have a unique index over LOWER(username). This isn't possible in MySQL, so MySQL users miss out (yet again).

Allow usernames to contain many more characters than they do currently when using internal authentication.

The previous restrictions were unnecessarily strict. As per request from MyPortfolio.

Now we actually can has a Mjollnir`!
(cherry picked from commit 36a1ecfc)

Apache configuration and other scripts can override this. For example, thumb.php overrides this to cache thumbnail images for a while.

This prevents IE making assumptions that pages are cachable when they're clearly not.

We can't cache them for too long, because the user could change them at any time. But at least a short time is better than none, because they can be requested in batches quite a lot, for example when paging through search results.

On the profile page for the user, use 'profileiconbyid', which means that the correct image will always be shown, even when the user changes it.