GitLab

The default block title will then be called the
same as the block to avoid confusion.

Change-Id: I9db493f541a0f894e4ff68f3e556cceb712a8dd6
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>

This adds a configuration option to the group edit page which allows
those who can admin the group to enable participation reports. The
default setting is off to avoid cluttering the menu for those who
don't care.

Change-Id: I2339d7c1693c44bf13b54b66d6563e93b12a1358
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>

These field will be used to enable collections in group and institution.
See also Bug#886080

Change-Id: I208ee9ee518a9d28e72930cdb0cf1dc4647eaf2f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Change-Id: Ifdc7dbaf2ec7c3ebaa40cb557e0a093423c5c71d
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Change-Id: Ie0d96d6caa5b6aff66bdb49e14940ab349046147
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Copied from the mahara.org registration table. It stores each registration field
in a local database with a timestamp of when the data was obtained.

This storage is done whether or not the data is actually sent to mahara.org.

Change-Id: Ib8478b0caa97c5cc5f04a7d5b44f2a9ac11f9ce8
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Change-Id: I3841a74d47bf7f53a1e4f648cb95b71b0d1a9cff
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Bug #1006634, part 1

These columns will hold the portions of a full page url which relate
to users, groups, and views respectively.

Change-Id: I50e19f822ef2b8e2f0116db81f27cb4d3bb1bd53
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

When a user clicks on "BrowserID Login", one of three things will happen
1- If they have an account, they will login
2- If they don't but there is one authinstance with browserid is present
    AND it has weautocreateusers enabled, then they will get an account
    in that institution, and login
3- If none of the above is true, they will get redirected to a register
    page, which follows same self registration pattern as the internal
    authentication with the "confirm email" step removed.

Change-Id: Idde3166e0664bf2acdc1da32271125e91d43af9c
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

When a new user registers for an institution that requires approval,
allow the institutional admin assign staff permissions during the
approval process, based on the user's (confirmed) email address.

This is done by adding an 'extra' field to usr_registration containing
serialised data, so that more user settings can be added to the
approval form in future.

Change-Id: Ie381f1341e43109340479f06f448ece11ebb561d
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

We have just committed to master a database upgrade with a version
number less than the current version number of the 1.5 branch.  This
means that an upgrade from the current 1.5 to master will not add the
safeiframe tables.

This patch changes the version number on master to ensure the upgrade
is applied.

This occurred because the 1.5_STABLE branch's version leapfrogged over
the master version during the release candidate stage.  This will be
fixed in the release script (see bug #988682).

Change-Id: Ic2929fa9f17719a6068494ab63e7f00558c2fdcc
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Because iframe code generated in the external media block is now
filtered by htmlpurifier, voki.com should be added to the default list
of safe iframe sources.

Change-Id: I60e8a0312d8a940b7e74baeb58fd73e6088a0b84
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Builds the htmlpurifier safe iframe regexp from a list of sites stored
in the database, instead of a hardcoded array.

Each site in the safe iframe list is associated with a name.  This
will allow several regexp items to be grouped together under the same
name when they're matching urls from the same site.

Additionally, the domain part of each site is stored in a second list
along with the names, so that it will be easy to fetch the favicon for
display in places such as the external media block configuration form.

Change-Id: I7fd2bfefbff0881e70b94beb9e8d3efb43f0f9e7
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

The new HTML.SafeIframe setting in HTML Purifier 4.4.0 allows us
to remove our fragile custom filters.

The regular expressions are not quite as tight, but they are
restricted to the src attribute and HTML Purifier will hopefully
apply the right filters.

Bug #922360 (also fixes bug #885066)

Change-Id: Ifaa9f13ae77b28e18df640103e205a94bc3af2d7
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

The upgrade of stored passwords is slow when there are a lot of users
in the database.  Increasing the script timeout helps to ensure the
upgrade will finish.  Periodically logging the number of passwords
that have been rehashed gives the admin more confidence that the
upgrade has not stalled.

Change-Id: Iffcce42507cc23999dfa3db540492dd885c51a97
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

This salt is used to add an extra layer of salting that
isn't visible from the database. This requires attackers
to obtain both the database, and the config.php file to
get the true salt value that is passed to crypt.

Bug #843568

See http://docs.moodle.org/20/en/Password_salting



Change-Id: Iaa575a4724e387104f9e436c07b336ef8c7ebef5
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
Signed-off-by: Francois Marier <francois@catalyst.net.nz>

This changes the internal authentication plugin to use
bcrypt instead of sha1.

It also introduces a fast hash (SHA512) for bulk operations.
This hash is updated on user login to the bcrypt hash.

Bug #843568

See https://wiki.mahara.org/index.php/Developer_Area/Specifications_in_Development/Improve_Password_Storage



Change-Id: Ibf2f71bb5b5a5279dbc16ccda781ad99e81c59b8
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

The unread message counts are expensive to query in postgres when
notification_internal_activity gets big.  This results in very slow
logins (the first time the query is run).  This patch adds a new
column for each user to store the unread message count.

The counts are updated using a trigger on insert, update and delete
of the notification_internal_activity table.

Change-Id: Ifb24c6892567658584f45825437bb7a8f20cc310
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Bug #897631

This is a small modification to allow group_member table to have
a new field called method. Method can be used to indicate how
that user was added to the group.

It can be useful to implement syncro with other systems.

Change-Id: I92cd64e1fcf72927f16b496a5e17fa5da992a329
Signed-off-by: Juan Segarra Montesinos <juan.segarra@si.uji.es>

New watchlist and taggedposts blocks will now be installed once
the update has run.

Change-Id: I0324892549bb99381d6a1abbcd66aa1d68270db8
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>

Change-Id: I0fd7dfdc9540abb1359a78e2c4ac9cc099cc9576
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

The values of artefact,usr columns of the table are not necessarily
unique.  Perhaps a better option would be to create an id column.
This primary key was added in a3f6fbfe

.

Change-Id: Ib151a14f0943d799d45a7697abc00f117883cd95
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Bug #845948

Change-Id: I447f82e2296d20197e138f3f619798fdf16417da
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

To deter brute-forcing of passwords (and prevent ensuing DoS attacks),
this patch temporarily lock accounts after 5 tries, and every 5 minutes
counts above 0 get reset.

Change-Id: Iee9739a69b95b906b6f485f7d90041b50968dcc6
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>

Bug #597479

Blocktype plugin that allows the user to select a tag, which then
displays: all blog posts, from all blogs, owned by this user, tagged
with the selected tag.
Update: moved from main blocktype area to artefact/blog/blocktype

Change-Id: I28ddeb7181188c1441c7a6fb55aa3200192fe112
Signed-off-by: Chris Wharton <chrisw@catalyst.net.nz>

Bug #697837

Added a database entry to blocks to enable reordering of tabs.
This sort field can be used as a weighting but must be unique.
other tabbed structures should also have a field as such to allow
admins to change the order on the fly.

Patch by Sean Brennan, cleaned and rebased by Hugh Davenport

Change-Id: I269d3f00288b5470b8e612a54527ae7f22aa747c
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

When 'invitefriends' is enabled, all members of the group get a
button on the group homepage which allows them to send membership
invitations to anyone on their friends list.  The 'suggestfriends'
setting allows group members to spam their friends with suggestions
that they join the group.

Part of https://wiki.mahara.org/index.php/Developer_Area/Specifications_in_Development/Groups_revamp



Change-Id: Ifaf91ea59d569255de861efdcab97745f3feaa3a
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

This creates groups in which members can't search for each other.
Group admins can get to the member listing, but tutors cannot: the
stated use case is anonymous reviewer groups.

Change-Id: Id2550e574b55ceeb43958475340e967de16850f1
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Site & institutional admins & staff can check a 'hide membership'
checkbox on the edit group page.  Non-members cannot access the
membership lists of these groups, and when they view the group,
both the members block and members tab are hidden.  Site admins
and staff can still access the members page directly.

Also filters the my friends block by changing that block to use
group_get_user_groups rather than group_get_associated_groups.

See http://mahara.org/interaction/forum/topic.php?id=2229



Change-Id: Iaa907484c5d395cdf3869565fcf1c47c2faec733
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Adds a 'hidden' checkbox on the group edit form for site &
institutional admins & staff.  Hidden groups are filtered out of
searches on the find groups page, unless the logged-in user is
already a member.

Adds a new 'Visibility' section to the edit group page.

Change-Id: I25e32623f150cb393f126dccdad50d705684b59e
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Admins can set the 'locked' property on a group view, and this will
stop non-admin members from editing the view, regardless of the view
editing permissions given to roles within the group.

Change-Id: I56c113a9d4e8fcab5463fa1c54bf456f7fc2364b
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Passphrases are better than passwords. Make it possible to have a
passphrase longer than 40 characters. 255 varying characters ought
to be enough for anybody.

Change-Id: I9f9b78259abf029118ce804d95f04f42c3136a21
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>

The roles which have edit permissions on group views is set for each
grouptype.  This changes the setting to be per-group.

Partially addresses bug #547362, bug #631189

Change-Id: I3f51f0ed44b7f479a094a2c5b2e2ee4807722e34
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

View submission was previously enabled on all (and only) course
grouptype groups (those groups with tutors).  After this change
view submission can be turned on and off on any group, and if a
group has no tutors (standard grouptype), then only the group
admins will be allowed to assess submitted views.

Change-Id: I6df7f9dfc1b9fadbe39887ead4c1aa5c7a9eaed6
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

The four existing jointypes, 'open', 'controlled', 'request' and
'invite' are mutually exclusive, but they don't need to be so strict.
This patch introduces more flexibility in the way groups allow new
members to join.

* Group admins can always send membership invitations to a group, even
  if it's open or controlled
* Membership requests can be enabled for any group unless it has open
  membership.
* The grouptype now determines the set of roles available to a group,
  but no longer restricts the available join types.

The db upgrade will preserve existing behaviour apart from enabling
invitations on open, request, and controlled groups.

Change-Id: I8bb0940a37f3c0c36366c1d5b8d27e8b9914a7e3
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Part of bug #807278

Add new site setting to force logged-in access to profile pages

Change-Id: I7e1634cba16759923e3aa4c64d129d1f5280665f
Signed-off-by: Eugene Venter <eugene@catalyst.net.nz>

Bug #547803

Change-Id: I625e90b780505ebf3a42d4ab2419321d444c1cbd
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Part of bug #807278

Enable the ability for users to share their views/collections with
the institutions they are members of.

Change-Id: Id647672141610cced579dbf199690292a249e7b7
Signed-off-by: Eugene Venter <eugene@catalyst.net.nz>

The html artefact must be installed before the textbox content is
upgraded to use html artefacts.  Moving the upgrade from the internal
artefact into the blocktype will make it happen in the correct order.

Change-Id: I56da7296f39f3a1807ba9b71867ce69fec5cc186
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Because text boxes will create and display html artefacts, they should
really live inside the internal artefact plugin.

Contains a couple of whitespace/coding style fixes to ensure that new
lines from the copied files pass the minaccept test.

Change-Id: I9520f1d32eaaa7735b168f35ccc6af37e8c9e2c6
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>