Commits · ff97447cdafdad82030f3291b0f2fbc563a9ef34 · mahara / mahara

16 Apr, 2015 6 commits

Allow prefixes that end in / to try ? and # as well · ff97447c

Robert Lyon authored Apr 16, 2015



Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

ff97447c

Merge "Double-check the viewid when setting up watchlist viewing (Bug 1429647)" into 1.9_STABLE · 02ae18d6
Robert Lyon authored Apr 17, 2015

02ae18d6

Stopping SWF files XSS exploitation (Bug #1190788) · 91f15848

Robert Lyon authored Feb 18, 2015

By doing two things:

1) Getting the embedded SWF object to set the
 allowscriptaccess = "never" and allownetworking = "never"

2) By forcing a 'download file' link to actually download file
- this goes for all files now that don't have embedded=1
in their url.

I've done it this way, having the embedded item have extra url param
so that if a user tries to manipulate a url by removing params it
will default to force download.

I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2


and I've also cleaned up places where the download=1 was used as that is
not needed now. Now if there are places where we need to embed rather
than download we add the embedded=1 to the url.

Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

91f15848

Stopping the elasticsearch cron running at same time as reset index · 11734cf6

Robert Lyon authored Feb 17, 2015



Bug #1422232

Change-Id: Ia8fd7d074db3be027e1318a07d062a9ed1bb2ad8
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

11734cf6

Getting suspended institutions to keep their user out. (Bug 1348024) · 847f49ef

Robert Lyon authored Jul 25, 2014



Users who are logged in on the suspended institution's auth method
are logged out.

Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

847f49ef

Allowing the skin underline setting to work (Bug #1429871) · 973fb7cc

Robert Lyon authored Apr 16, 2015



Do correct string/variable comparison

Change-Id: I98c5c1360891699e439108789b2015d7587222ca
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

973fb7cc

15 Apr, 2015 4 commits

Update the block configdata for attachments. Bug 1439194 · 57173d77

Son Nguyen authored Apr 02, 2015



Change-Id: I45bdbbaeedf2e6bced74da0a8d7eebed753d4595
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

57173d77

Merge "Checking the remoteusername for parent auth better (Bug #1364170)" into 1.9_STABLE · d12b6cc8
Robert Lyon authored Apr 16, 2015

d12b6cc8

Fix bugs when changing view layout. Bug 1432641 · 7d793f27

Son Nguyen authored Mar 31, 2015



Change-Id: I0ae87e94bd7ad723a19045598280a6c4880aa3d8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

7d793f27

The accepting friend notification contains full url (Bug #1440908) · 6049db95

Robert Lyon authored Apr 07, 2015



And this ends up breaking the 'more' link in the inbox.

Normally we don't expect the url to contain the full path so we need
strip it off as it's added back in via the template.

Change-Id: Ibf22f361aaf7697e9903a2374f15d4fb031d01ef
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

6049db95

13 Apr, 2015 1 commit

Double-check the viewid when setting up watchlist viewing (Bug 1429647) · 900003c5

Robert Lyon authored Apr 02, 2015



A person can alter the viewid passed to the watchlist ajax update and
so a user can end up watching a view they have no access to

Change-Id: I21d00963ac3d9d53e337bcb0a7162bd2a1da1802
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

900003c5

29 Mar, 2015 3 commits

Extract description in 'summary' entry when Leap import. Bug 1428266 · 48560325
Son Nguyen authored Mar 05, 2015
```
Change-Id: I643a825a3ff878cb8573e96cb2741c0dee0cb29f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
```
48560325

Stopping a block from being 'eaten' when changing layout (Bug #1432635) · d56f1ff5

Robert Lyon authored Mar 20, 2015



To test see bug report

Change-Id: I88069adce01c77a1009ac49bf61966524532ca44
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

d56f1ff5

Adding another filter/match for google spreadsheets (Bug #1435750) · 1b184140
Robert Lyon authored Mar 26, 2015
```
Change-Id: I2030a8222ff7691952f9351b297298484f102ac5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
```
1b184140

27 Mar, 2015 1 commit

Allowing for youtube-nocookie.com urls to work (Bug #1436841) · 86c3878d

Robert Lyon authored Mar 27, 2015



To test - see bug report

Change-Id: I74b9d35eb8be34af90ee46714f9b4ad19bc340d5
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

86c3878d

24 Feb, 2015 2 commits

Make sure submitted page cannot be deleted via URL (Bug #1425306) · 371490ae

Yuliya Bozhko authored Feb 25, 2015



Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>

371490ae

Add the method update_artefact_references() to HTML artefact (Note) · ab4302ad

Son Nguyen authored Nov 28, 2014



Bug 1390833

This will update all attachments to the artefact

Change-Id: Idc06d5ce35b2427575b44d53f4aa56dfc7b01cf8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

ab4302ad

09 Feb, 2015 1 commit

Checking the remoteusername for parent auth better (Bug #1364170) · 9623f879

Robert Lyon authored Sep 02, 2014



Currently it checks lowercase username against the same username

But we need to compare apples wuith apples so the subquery also needs
to return lowercase username.

Change-Id: Icbe65e12d415be6f943399185c828166ed8a98d4
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

9623f879

08 Feb, 2015 1 commit

Display cleaned content of XML file. Bug 1404117 · c91bac68

Son Nguyen authored Jan 05, 2015



Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

c91bac68

03 Feb, 2015 1 commit

Removing the from/join check in minaccept · 70c938da

Aaron Wells authored Feb 03, 2015

Bug 1417364: This check causes too many false positives and doesn't catch
actual problems often enough.

Change-Id: I659cafd3dcdbcf254d66a72bcb4f2f6a1ba2ddba

70c938da

29 Jan, 2015 1 commit
- Fix deprecated warning in BBCode library · 387b2893
  Aaron Wells authored Jan 29, 2015
```
Bug 1415709

Change-Id: Ib6758dfe1d10884f69261179687d5ffde7ff81f9
```
  387b2893
26 Jan, 2015 1 commit

Fixing problem where custom subnav background not showing (Bug #1414474) · fa544b5e

Robert Lyon authored Jan 26, 2015



To test - create an institution and give it the custom theme.
Add user to institution and log in with that user.

Between each test you will need to re-save the institution so that the
custom theme data in the db gets updated by the template change.

Change-Id: I21d97c77896d872cbfc335473fbf510999b5187b
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

fa544b5e

12 Jan, 2015 2 commits

Refactor the tagged blogpost blocktype. Bug 1392700 · 0b68ff43

Son Nguyen authored Jan 09, 2015



- Use render_self() in full detail option
- Remove calls of $artefact->get() in template file

Change-Id: I6be321adfda07c7f3e7cb3ac4026894b081e131f
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

0b68ff43

Make sure draft post not visible. Bug 1387858 · 659664be

Son Nguyen authored Jan 09, 2015



- Filter out draft posts when editing the blogpost block
- Don't display the post's content if it is unpublished

Change-Id: Iaaf92f29383e2f3997e214b052dd116005a971dd
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

659664be

06 Jan, 2015 1 commit
- Updating test/versioncheck.php with latest from master · 259550c9
  Aaron Wells authored Jan 07, 2015
```
Change-Id: I76f8965e7309940b11d3ba95839375bce92b3d3c
```
  259550c9
14 Dec, 2014 1 commit
- Fix MySQL syntax error in cron task · 36345b8e
  Aaron Wells authored Dec 12, 2014
```
Bug 1399311

Change-Id: I8d66b266d6de3dedb9069f852c5540a139ebb1e5
```
  36345b8e
10 Dec, 2014 1 commit
- Fix page error on form cancel after validation fails (Bug #1400511) · f89e0976
  Yuliya Bozhko authored Dec 09, 2014
```
Change-Id: I63c4c566504492abb947202f8cf3ba5838770c9f
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>
```
  f89e0976
04 Dec, 2014 1 commit

Using https for flickr request url (Bug #1397068) · 20810e89

Darren James Harkness authored Dec 01, 2014



Requires https now - used to work with http but no longer

Change-Id: I4aae1d36c532dcdfc96b5a4a673910b654ea9a2c
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

20810e89

25 Nov, 2014 8 commits
- Version bump for 1.9.5testing · c3440ace
  Robert Lyon authored Nov 26, 2014
```
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
```
  c3440ace
- Version bump for 1.9.4 · b0e58576
  Robert Lyon authored Nov 26, 2014
```
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
```
  b0e58576
- Limit CURL to only HTTP & HTTPS · c6365685
  Aaron Wells authored Nov 24, 2014
```
Bug 1394820

Change-Id: I710098cb96ac7d0868926a95c4b4488df4753e4c
```
  c6365685
- Merge "Group members to always have access to their files (Bug #1267686)" into 1.9_STABLE · f8c29ac3
  Robert Lyon authored Nov 26, 2014
  
  f8c29ac3
- Merge "Session is not invalidating after password change (Bug #1363873)" into 1.9_STABLE · a8ee38a4
  Robert Lyon authored Nov 26, 2014
  
  a8ee38a4
- Make sure CLI scripts are only being run from the CLI · 232a1af8
  Aaron Wells authored Oct 31, 2014
```
Bug 1387903

Change-Id: I369d58f85c944f4be2bc2965c080b2c4c86dadc1
```
  232a1af8
- Merge "Stopping the 'key' param being leaked (Bug #1333096)" into 1.9_STABLE · 2270018d
  Robert Lyon authored Nov 26, 2014
  
  2270018d
- Clear secreturl access cookies on logout · 78e8b108
  Aaron Wells authored Oct 29, 2014
```
Bug 1385564: This doesn't provide much additional security, because if
the access cookies are still in your browser session, then the secret URL
itself is probably still in your browser history. But if someone goes to
the trouble of logging out *and* clearing their browser history, this
will ensure that it actually does end the secreturl access cookie like
they'd expect.

Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733
```
  78e8b108
24 Nov, 2014 3 commits

Always specify what base type we want returned from parseInt() · ab89e765

Robert Lyon authored Nov 20, 2014



Bug 1394330

In most places in mahara we specify that we want base 10 number
returned (or base 16 in case of a hexidecimal css colour)

But there are a few places where we don't specify the radix at all

It's best practice to always include the radix because for older
browsers it interprets leading 0 as octal by default.

Also makes it clearer to developers what type of number is expected to
be retrieved from the string.

Change-Id: Iaecc85cbed875f85b313188c4e96cc1b77c77b31
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

ab89e765

Fixing type checking on min/max values (Bug #1394732) · dc706458

Robert Lyon authored Nov 21, 2014



Change-Id: I042c1127f7601483e8723b2e31bf07683accf2c0
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

dc706458

Clean expired passwords causes error when upgrading (bug 1369370) · b8abf335

Robert Lyon authored Nov 24, 2014



When upgrading, should only check if the cron job
'auth_clean_expired_password_requests' already exists
in the table - without all the other fields that need to be updated.
Otherwise, it will check on all the fields (i.e. minute, hour, etc).
If the admin updated them,
the check won't match and a duplicate error results.

Change-Id: I2d30ac97e9a82aaf0d538a834396fdc2d2757480
Signed-off-by: Ghada El-Zoghbi <ghada@catalyst-au.net>
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

b8abf335

23 Nov, 2014 1 commit
- Merge "Getting the accept friend to email requestor (Bug #1389906)" into 1.9_STABLE · 63b17aaa
  Robert Lyon authored Nov 24, 2014
  
  63b17aaa