Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

By doing two things:

1) Getting the embedded SWF object to set the
 allowscriptaccess = "never" and allownetworking = "never"

2) By forcing a 'download file' link to actually download file
- this goes for all files now that don't have embedded=1
in their url.

I've done it this way, having the embedded item have extra url param
so that if a user tries to manipulate a url by removing params it
will default to force download.

I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2


and I've also cleaned up places where the download=1 was used as that is
not needed now. Now if there are places where we need to embed rather
than download we add the embedded=1 to the url.

Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Bug #1422232

Change-Id: Ia8fd7d074db3be027e1318a07d062a9ed1bb2ad8
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Robert Lyon authored Jul 25, 2014 and Aaron Wells committed Apr 16, 2015

Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Do correct string/variable comparison

Change-Id: I98c5c1360891699e439108789b2015d7587222ca
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Son Nguyen authored Apr 02, 2015 and Robert Lyon committed Apr 16, 2015

Change-Id: I45bdbbaeedf2e6bced74da0a8d7eebed753d4595
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Son Nguyen authored Mar 31, 2015 and Aaron Wells committed Apr 15, 2015

Change-Id: I0ae87e94bd7ad723a19045598280a6c4880aa3d8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Robert Lyon authored Apr 07, 2015 and Aaron Wells committed Apr 15, 2015

And this ends up breaking the 'more' link in the inbox.

Normally we don't expect the url to contain the full path so we need
strip it off as it's added back in via the template.

Change-Id: Ibf22f361aaf7697e9903a2374f15d4fb031d01ef
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

A person can alter the viewid passed to the watchlist ajax update and
so a user can end up watching a view they have no access to

Change-Id: I21d00963ac3d9d53e337bcb0a7162bd2a1da1802
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Son Nguyen authored Mar 05, 2015 and Robert Lyon committed Mar 30, 2015

Change-Id: I643a825a3ff878cb8573e96cb2741c0dee0cb29f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

To test see bug report

Change-Id: I88069adce01c77a1009ac49bf61966524532ca44
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Change-Id: I2030a8222ff7691952f9351b297298484f102ac5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

To test - see bug report

Change-Id: I74b9d35eb8be34af90ee46714f9b4ad19bc340d5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Yuliya Bozhko authored Feb 25, 2015 and Robert Lyon committed Feb 25, 2015

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>

Son Nguyen authored Nov 28, 2014 and Robert Lyon committed Feb 24, 2015

Bug 1390833

This will update all attachments to the artefact

Change-Id: Idc06d5ce35b2427575b44d53f4aa56dfc7b01cf8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Currently it checks lowercase username against the same username

But we need to compare apples wuith apples so the subquery also needs
to return lowercase username.

Change-Id: Icbe65e12d415be6f943399185c828166ed8a98d4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Son Nguyen authored Jan 05, 2015 and Robert Lyon committed Feb 09, 2015

Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Bug 1417364: This check causes too many false positives and doesn't catch
actual problems often enough.

Change-Id: I659cafd3dcdbcf254d66a72bcb4f2f6a1ba2ddba

Aaron Wells authored Jan 29, 2015 and Robert Lyon committed Jan 30, 2015

Bug 1415709

Change-Id: Ib6758dfe1d10884f69261179687d5ffde7ff81f9

To test - create an institution and give it the custom theme.
Add user to institution and log in with that user.

Between each test you will need to re-save the institution so that the
custom theme data in the db gets updated by the template change.

Change-Id: I21d97c77896d872cbfc335473fbf510999b5187b
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

- Use render_self() in full detail option
- Remove calls of $artefact->get() in template file

Change-Id: I6be321adfda07c7f3e7cb3ac4026894b081e131f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Son Nguyen authored Jan 09, 2015 and Robert Lyon committed Jan 12, 2015

- Filter out draft posts when editing the blogpost block
- Don't display the post's content if it is unpublished

Change-Id: Iaaf92f29383e2f3997e214b052dd116005a971dd
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Change-Id: I76f8965e7309940b11d3ba95839375bce92b3d3c

Bug 1399311

Change-Id: I8d66b266d6de3dedb9069f852c5540a139ebb1e5

Yuliya Bozhko authored Dec 09, 2014 and Aaron Wells committed Dec 11, 2014

Change-Id: I63c4c566504492abb947202f8cf3ba5838770c9f
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>

Darren James Harkness authored Dec 01, 2014 and Aaron Wells committed Dec 04, 2014

Requires https now - used to work with http but no longer

Change-Id: I4aae1d36c532dcdfc96b5a4a673910b654ea9a2c
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Bug 1394820

Change-Id: I710098cb96ac7d0868926a95c4b4488df4753e4c

Bug 1387903

Change-Id: I369d58f85c944f4be2bc2965c080b2c4c86dadc1

Aaron Wells authored Oct 29, 2014 and Robert Lyon committed Nov 25, 2014

Bug 1385564: This doesn't provide much additional security, because if
the access cookies are still in your browser session, then the secret URL
itself is probably still in your browser history. But if someone goes to
the trouble of logging out *and* clearing their browser history, this
will ensure that it actually does end the secreturl access cookie like
they'd expect.

Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733

Bug 1394330

In most places in mahara we specify that we want base 10 number
returned (or base 16 in case of a hexidecimal css colour)

But there are a few places where we don't specify the radix at all

It's best practice to always include the radix because for older
browsers it interprets leading 0 as octal by default.

Also makes it clearer to developers what type of number is expected to
be retrieved from the string.

Change-Id: Iaecc85cbed875f85b313188c4e96cc1b77c77b31
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Change-Id: I042c1127f7601483e8723b2e31bf07683accf2c0
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

When upgrading, should only check if the cron job
'auth_clean_expired_password_requests' already exists
in the table - without all the other fields that need to be updated.
Otherwise, it will check on all the fields (i.e. minute, hour, etc).
If the admin updated them,
the check won't match and a duplicate error results.

Change-Id: I2d30ac97e9a82aaf0d538a834396fdc2d2757480
Signed-off-by: Ghada El-Zoghbi <ghada@catalyst-au.net>
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>