Commits · d40695aebf9733e0df13163cc4b14682d8bb7b5b · mahara / mahara

02 May, 2016 1 commit
- Putting "Final release" note for 1.10 on README · d40695ae
  Aaron Wells authored May 02, 2016
```
Change-Id: I812036e85e7cdd7d2ff2fc211d167972be295fda
```
  d40695ae
01 May, 2016 1 commit

Bug 1575955: fixing function signatures for PHP7 · c7106c83

Robert Lyon authored Apr 28, 2016



They need to  be consistent in PHP7 and include the parameter types.

behatnotneeded - existing tests are ok

Change-Id: I5d94ee53962a92db6faf3718e5a54f48ea31e367
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

c7106c83

29 Apr, 2016 1 commit

PHP7 changes the type required for exception handler · ede1f0b9

Aaron Wells authored Apr 28, 2016

Bug 1575969. In PHP7 some errors throw an Error object (to
the exception handler) instead of generating an error
(handled by the error handler). The official way to make
an exception handler that will work in PHP 5 & 7, is to
leave off the parameter's type declaration.

Change-Id: I5fc1c3765d5a311eb499d62915e676f8d9ee07a0
behatnotneeded: Covered by existing tests
(cherry picked from commit c3d7f4f6)

ede1f0b9

28 Apr, 2016 1 commit

Bug 1503103: Making sure the correct quota is set · 2a30b1ce

Robert Lyon authored Nov 17, 2015



behatnotneeded

Change-Id: I1aa52a076843ff0dc4dcaf86a01e76b9673885b5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 0a6860a9)

2a30b1ce

22 Apr, 2016 1 commit

Bug 1567100: In Mahara we deal with username in a case insensitive way · c144fcfa

Robert Lyon authored Apr 07, 2016



In other places we check the LOWER(username) but for some reason
in find_by_username() we don't. We should do it here as well for
consistency.

behatnotneeded

Change-Id: Ie692aeace0c8aa2f6989683e094ac6625f153b98
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit fb330e38)

c144fcfa

21 Apr, 2016 2 commits

Bug 1567186: More thorough checking for passwords in stacktraces · b77bd347

Aaron Wells authored Apr 14, 2016

Rather than having an increasing list of specific parameters
that we know to have passwords, this patch censors the content
of any parameter with a name that contains the string "password"
or "pw".

behatnotneeded: Can't test with Behat

Change-Id: Ifaa2ec10cf749c173b1a8d0928c6cc052124a83f
(cherry picked from commit ae452377)

b77bd347

Bug 1570640: Ignore plugins with bad auth config · 4859621d

Robert Lyon authored Apr 15, 2016



When looping through all auth to see if a user can login

behatnotneeded

Change-Id: I51693fac3c650ff529ccfc98586c50f4d185f591
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 4993ce1c)

4859621d

13 Apr, 2016 1 commit

Remove session.referer_check (Bug 1566366) · 90242956

Aaron Wells authored Apr 12, 2016

This setting kills your Mahara session whenever you navigate
to Mahara from a link or redirect on another page. This totally
prevents SAML and other redirect-based auth methods from working,
makes it annoying to use links in email, and while it is mentioned
on the PHP manual's "Securing Sessions" page, it's only
recommended there if you also have "session.use_trans_id" enabled,
which we do not.

Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
behatnotneeded: Can't be tested by behat
(cherry picked from commit 91807920)
(cherry picked from commit c9b8ff02)
(cherry picked from commit bcdd15ea)

90242956

05 Apr, 2016 1 commit
- Another Eclipse file for .gitignore · a18d3816
  Aaron Wells authored Apr 05, 2016
```
Change-Id: I2bea376b7d403171a306c31fdc69e26a4aa1644b
```
  a18d3816
31 Mar, 2016 2 commits
- Merge "Make session more secure. Bug 1508721" into 1.10_STABLE · c3036dbe
  Robert Lyon authored Mar 31, 2016
  
  c3036dbe
- Bug 1560633 : Increase column event_log.data to "longtext" · 8c985731
  David Ligne authored Mar 22, 2016
```
behatnotneeded: Changes on database columns types only.

Change-Id: I0e80fe7b4ca7552c854f3496db6496e984bbdd53
```
  8c985731
30 Mar, 2016 1 commit

Make session more secure. Bug 1508721 · 46ad1553

Son Nguyen authored Oct 22, 2015

see more at http://php.net/manual/en/session.security.php

behatnotneeded

Change-Id: I70b427daa1ee29c233339ba245f56a02c1a8b3a5
(cherry picked from commit 38bfb5cf)

46ad1553

23 Mar, 2016 9 commits

Version bump for 1.10.10testing · 254f4409
Son Nguyen authored Mar 24, 2016
```
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
```
254f4409
Version bump for 1.10.9 · 5643d630
Son Nguyen authored Mar 24, 2016
```
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
```
5643d630
Bug 1558361: Remove window.opener() from institution auth config · 21d79193
Aaron Wells authored Mar 21, 2016
```
behatnotneeded - should be covered by existing tests

Change-Id: Ia4592c9bd261c978dc911999e81f906fa0b13450
```
21d79193

Bug 1558361: Remove "_blank" from note block · bdd98def

Aaron Wells authored Mar 21, 2016

Also setting the note block's form change checker state to
"dirty" by default, so that users will get a warning before
navigating away to the other page.

Change-Id: I20f586781df63e942a7a1c82e5e74fd5214c233f

bdd98def

Removing target="blank" links created via MochiKit · eba99dc1
Aaron Wells authored Mar 18, 2016
```
Bug 1558361

behatnotneed

Change-Id: Idc3f0a010fef76a0908f65ce88bf52ae870170d3
```
eba99dc1
Remove use of window.open() into new window · 3f5b8930
Aaron Wells authored Mar 17, 2016
```
Bug 1558361

Change-Id: Ifb0dba0d91a0ea2ba2b2dfc2daeda39b679c0397
```
3f5b8930
Removing target="_blank" links from cookieconsent library · 00cec135
Aaron Wells authored Mar 23, 2016
```
Bug 1558361

behatnotneeded

Change-Id: Ic7186f35eb38cf79e76dcd8347df18178ccc5a32
```
00cec135
Removing straightfoward instances of target="_blank" · 6cbb5799
Aaron Wells authored Mar 18, 2016
```
Bug 1558361

behatnotneeded

Change-Id: Idc139a671137cbde6958fdc8406bc56f8c395f08
```
6cbb5799

Remove "target" attribute from links in user-edited text · 97d5846a

Aaron Wells authored Mar 17, 2016

Bug 1558361: TinyMCE will filter them out on the editing
side, and HTMLPurifier will filter them out on the display
side.

behatnotneeded: Would require non-trivial new Behat step to
check whether links have "target" attribute.

Change-Id: If27462b2ca1a382ceeaadb374aade1f795f261bd

97d5846a

22 Mar, 2016 1 commit

Bug 1499572: Avoid array to string conversion in ADODB errors · 3798c105

Gary Leydon authored Sep 30, 2015



behatnotneeded: error appears in error log

Change-Id: Ic816248ee56bcae7daa1f13c768afdab92c95b23
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

3798c105

21 Mar, 2016 1 commit

Adding some HTTP headers for security (Bug 1531987) · ef64adaa

Aaron Wells authored Feb 04, 2016

X-XSS-Protection: Tells the browser not to disable XSS protection

X-Content-Type-Options: Tells the browser not to try to guess at
mimetypes of downloads

X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml

X-Powered-By: PHP by default sends this header with the current full
PHP version.

behatnotneeded: Selenium can't examine HTTP response headers

Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
(cherry picked from commit 29656f03)

ef64adaa

18 Mar, 2016 1 commit

Use $CFG->cacheversion for HTMLPurifier cache version · 1c654e04

Aaron Wells authored Mar 17, 2016

Bug 1558387

With this, we don't have to remember to bump HTML.DefinitionRev in
html_clean(), or clear the htmlpurifier directory in dataroot.

behatnotneeded: API change only

Change-Id: I15cd291fd8e5d7d5c357f1595a89f34f44236e7d

1c654e04

16 Mar, 2016 1 commit

Bug 1529753: Passing through the preferred name value · 23210afc

Robert Lyon authored Mar 15, 2016



When displaying names for adding group members to groups

behatnotneeded

Change-Id: I0fb09eb1a17bd94c58533b8272db38e439897cbe
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 564caacd)

23210afc

14 Mar, 2016 1 commit

Fix bug in xmlrpc + $cfg->usersuniquebyusername · d22c3042

Robert Lyon authored Mar 03, 2016

Bug 1556692: When used together, these can cause problems when
the ID field from Moodle gets truncated to the default
get_new_username() length of "30", when being inserted into
usr.username in Mahara.

behatnotneeded: Can't test Mnet in Behat

Change-Id: Icdeb78b5298e7d63a0610987b0d8fad34e58d036

d22c3042

08 Mar, 2016 1 commit

Bug 1528993: Allowing the '&objectionable=1' work with clean urls · 1735487b

Robert Lyon authored Feb 11, 2016



behatnotneeded

Change-Id: I88af0659d0140fc9595b15ee3d0771e819e0dee1
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit cce545b7)

1735487b

03 Mar, 2016 1 commit

Bug 1528351: Fixing block order drift in database · 142faacc

Robert Lyon authored Dec 22, 2015



Due to a mistake in how blocks were ordered in the system

behatnotneeded - existing tests should be ok

Change-Id: Iac857c85d60e5948b6f95ddccee7a2e8cf43b1b4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

142faacc

10 Feb, 2016 1 commit

Adding 'allowfullscreen' to iframe elements in htmlpurifier · c742ead0

Dale Smith authored Jan 13, 2016

Bug 1534081

  * This alters the default allowed attributes for iframe and adds:
    - allowfullscreen
    - mozallowfullscreen
    - webkitallowfullscreen
    All are allowed 0, 1 or empty values.
  * This resolves issues with vimeo and youtube, who require these attributes before
    showing the fullscreen icon: https://developer.vimeo.com/player/embedding

behatnotneeded: Can't test Flash with behat

Change-Id: Ie57c3c3968c4f7cd58a544135351ef506aa6be11

c742ead0

18 Dec, 2015 1 commit

Bug 1523719: Allowing blocks to order right · eae645a9

Robert Lyon authored Dec 08, 2015



When moving them downwards in a column from a non-first position to a
non-last position with a jump greater than one place

behatnotneeded

Change-Id: Ie9bacc4a1a4ef77efd4e481c9ab3713885821dc1
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit a8750346)

eae645a9

11 Dec, 2015 2 commits

minaccept: Syntax-checker on changed files only (Bug 1524601) · 3a32d3a9
Aaron Wells authored Dec 10, 2015
```
behatnotneeded: Not a change to Mahara's front end

Change-Id: I379b2192c3518690ee1d39c0997b599d9dc91f7a
```
3a32d3a9

PHPUnit improvements and fixes · 5833d32b

Yuliya Bozhko authored Nov 27, 2014



Change-Id: Ia83d2cd8b5f7b971098daf580839bd61f08be354
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>

5833d32b

10 Dec, 2015 6 commits

Bug 1520011: Notifications displaying incorrectly · fbc076c9

Robert Lyon authored Nov 27, 2015



If we have special chars like " or > in a feedback message they get
saved to db as htmlspecialchars like &quot; or $gt;

When we go to display them we turn the & part into a specialchar again
leading to bad display.

behatnotneeded

Change-Id: Ie66dd599029f0939938f0d1d829c4156b5db6d56
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

fbc076c9

Merge "Updating outdated links in the Mahara source code" into 1.10_STABLE · cae3d7a6
Robert Lyon authored Dec 11, 2015

cae3d7a6
Merge "Make sure the parameter 'values' is an array. Bug 1394056" into 1.10_STABLE · 829261ab
Robert Lyon authored Dec 11, 2015

829261ab

Updating outdated links in the Mahara source code · dbc2403e

Aaron Wells authored Dec 09, 2015

Bug 1523499: Old wiki.mahara.org links without the "/wiki",
and HTTP links that should be HTTPS.

Also updated the installer release notes link to point to
the base "Release_Notes" page in the wiki, because we no
longer maintain separate wiki pages for each release.

behatnotneeded: Covered by existing tests

Change-Id: I02e80eb4d8df5adddee88e77156e8e103ca24c51
(cherry picked from commit 4c046f3d)

dbc2403e

Make sure the parameter 'values' is an array. Bug 1394056 · 50315cc0

Son Nguyen authored Nov 19, 2014



in the calls of the dml function: get_record_sql()

behatnotneeded

Change-Id: I28d6d03258c6141e9cdca21bf201228522d8b809
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

50315cc0

Bug 1510082: fatal error missing function format_notification_whitespace() · 604f6528

Jitendra Rana authored Oct 29, 2015



Just need to require once 'activity.php'

behatnotneeded

Change-Id: Ie1de5b2b50f3de1c367bfa33f8bf4c412c40b0c8
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 079a9d6c)

604f6528

30 Nov, 2015 1 commit

Make get_record warn instead of dying, by default · 59b55846

Aaron Wells authored Nov 24, 2015

Bug 1515929: Usually when we use get_record(), we're
querying against a record that has a uniqueness constraint
guaranteeing that it is unique, in which case the PHP
code that dies on non-uniqueness is redundant.

In the remaining cases, we're dealing with records
that for some reason can't have a uniqueness constraint,
and the dying just causes the site to entirely stop
working, when it would be more useful to have it continue
to work but throw a warning message to the logs.

behatnotneeded: Covered by existing test cases

Change-Id: I264f72e3a8904293d78909410f68b29f2c78db3c

59b55846

26 Nov, 2015 1 commit
- Version bump for 1.10.9testing · 1b2423a1
  Robert Lyon authored Nov 27, 2015
```
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
```
  1b2423a1