- 16 Apr, 2015 6 commits
-
-
Robert Lyon authored
Bug 1286935 Seeing as we check the url against FILTER_VALIDATE_URL and that only site admins can add to the 'allowed iframe sources' that should be enough without having to add the / to the end of the url. Change-Id: I82e3623d3df2fa03012278d334994224c51a092e Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
-
Robert Lyon authored
By doing two things: 1) Getting the embedded SWF object to set the allowscriptaccess = "never" and allownetworking = "never" 2) By forcing a 'download file' link to actually download file - this goes for all files now that don't have embedded=1 in their url. I've done it this way, having the embedded item have extra url param so that if a user tries to manipulate a url by removing params it will default to force download. I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2 and I've also cleaned up places where the download=1 was used as that is not needed now. Now if there are places where we need to embed rather than download we add the embedded=1 to the url. Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
Bug #1422232 Change-Id: Ia8fd7d074db3be027e1318a07d062a9ed1bb2ad8 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Users who are logged in on the suspended institution's auth method are logged out. Change-Id: I10e1dec465a4363a076e92f4d90ec663ff8a822e Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
Do correct string/variable comparison Change-Id: I98c5c1360891699e439108789b2015d7587222ca Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 15 Apr, 2015 4 commits
-
-
Change-Id: I45bdbbaeedf2e6bced74da0a8d7eebed753d4595 Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
Robert Lyon authored
-
Change-Id: I0ae87e94bd7ad723a19045598280a6c4880aa3d8 Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
And this ends up breaking the 'more' link in the inbox. Normally we don't expect the url to contain the full path so we need to strip it off as it's added back in via the template. Change-Id: Ibf22f361aaf7697e9903a2374f15d4fb031d01ef Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 13 Apr, 2015 1 commit
-
-
Robert Lyon authored
A person can alter the viewid passed to the watchlist ajax update and so a user can end up watching a view they have no access to Change-Id: I21d00963ac3d9d53e337bcb0a7162bd2a1da1802 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 29 Mar, 2015 3 commits
-
-
Change-Id: I643a825a3ff878cb8573e96cb2741c0dee0cb29f Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
Robert Lyon authored
To test see bug report Change-Id: I88069adce01c77a1009ac49bf61966524532ca44 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
Change-Id: I2030a8222ff7691952f9351b297298484f102ac5 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 27 Mar, 2015 1 commit
-
-
Robert Lyon authored
To test - see bug report Change-Id: I74b9d35eb8be34af90ee46714f9b4ad19bc340d5 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 24 Feb, 2015 2 commits
-
-
Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9 Signed-off-by:
Yuliya Bozhko <yuliya.bozhko@totaralms.com>
-
Bug 1390833 This will update all attachments to the artefact Change-Id: Idc06d5ce35b2427575b44d53f4aa56dfc7b01cf8 Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
- 09 Feb, 2015 1 commit
-
-
Robert Lyon authored
Currently it checks lowercase username against the same username. But we need to compare apples with apples so the subquery also needs to return lowercase username. Change-Id: Icbe65e12d415be6f943399185c828166ed8a98d4 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 08 Feb, 2015 1 commit
-
-
Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
- 03 Feb, 2015 1 commit
-
-
Aaron Wells authored
Bug 1417364: This check causes too many false positives and doesn't catch actual problems often enough. Change-Id: I659cafd3dcdbcf254d66a72bcb4f2f6a1ba2ddba
-
- 29 Jan, 2015 1 commit
-
-
Bug 1415709 Change-Id: Ib6758dfe1d10884f69261179687d5ffde7ff81f9
-
- 26 Jan, 2015 1 commit
-
-
Robert Lyon authored
To test - create an institution and give it the custom theme. Add user to institution and log in with that user. Between each test you will need to re-save the institution so that the custom theme data in the db gets updated by the template change. Change-Id: I21d97c77896d872cbfc335473fbf510999b5187b Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 12 Jan, 2015 2 commits
-
-
Son Nguyen authored
- Use render_self() in full detail option - Remove calls of $artefact->get() in template file Change-Id: I6be321adfda07c7f3e7cb3ac4026894b081e131f Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
- Filter out draft posts when editing the blogpost block - Don't display the post's content if it is unpublished Change-Id: Iaaf92f29383e2f3997e214b052dd116005a971dd Signed-off-by:
Son Nguyen <son.nguyen@catalyst.net.nz>
-
- 06 Jan, 2015 1 commit
-
-
Aaron Wells authored
Change-Id: I76f8965e7309940b11d3ba95839375bce92b3d3c
-
- 14 Dec, 2014 1 commit
-
-
Aaron Wells authored
Bug 1399311 Change-Id: I8d66b266d6de3dedb9069f852c5540a139ebb1e5
-
- 10 Dec, 2014 1 commit
-
-
Change-Id: I63c4c566504492abb947202f8cf3ba5838770c9f Signed-off-by:
Yuliya Bozhko <yuliya.bozhko@totaralms.com>
-
- 04 Dec, 2014 1 commit
-
-
Requires https now - used to work with http but no longer Change-Id: I4aae1d36c532dcdfc96b5a4a673910b654ea9a2c Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 25 Nov, 2014 8 commits
-
-
Robert Lyon authored
Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Aaron Wells authored
Bug 1394820 Change-Id: I710098cb96ac7d0868926a95c4b4488df4753e4c
-
Robert Lyon authored
-
Robert Lyon authored
-
Aaron Wells authored
Bug 1387903 Change-Id: I369d58f85c944f4be2bc2965c080b2c4c86dadc1
-
Robert Lyon authored
-
Bug 1385564: This doesn't provide much additional security, because if the access cookies are still in your browser session, then the secret URL itself is probably still in your browser history. But if someone goes to the trouble of logging out *and* clearing their browser history, this will ensure that it actually does end the secreturl access cookie like they'd expect. Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733
-
- 24 Nov, 2014 3 commits
-
-
Robert Lyon authored
Bug 1394330 In most places in mahara we specify that we want base 10 number returned (or base 16 in case of a hexadecimal css colour). But there are a few places where we don't specify the radix at all. It's best practice to always include the radix because for older browsers it interprets leading 0 as octal by default. Also makes it clearer to developers what type of number is expected to be retrieved from the string. Change-Id: Iaecc85cbed875f85b313188c4e96cc1b77c77b31 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
Change-Id: I042c1127f7601483e8723b2e31bf07683accf2c0 Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
Robert Lyon authored
When upgrading, should only check if the cron job 'auth_clean_expired_password_requests' already exists in the table - without all the other fields that need to be updated. Otherwise, it will check on all the fields (i.e. minute, hour, etc). If the admin updated them, the check won't match and a duplicate error results. Change-Id: I2d30ac97e9a82aaf0d538a834396fdc2d2757480 Signed-off-by:
Ghada El-Zoghbi <ghada@catalyst-au.net> Signed-off-by:
Robert Lyon <robertl@catalyst.net.nz>
-
- 23 Nov, 2014 1 commit
-
-
Robert Lyon authored
-