1. 30 Oct, 2017 1 commit
      Security Bug 1701978: fix session cookie issues · 69bcdb52
      Cecilia Vela Gurovic authored
      1. when a user logs in it clears any obsolete
         usr_session cookies for the user
      2. recording the user-agent of the session
         and if it changes to prompt the user to
         login again
      3. when self adding / editing email address(es)
         send 2 emails
         - one to the new email address asking user to confirm address
         - and one to the primary email address to alert user
           that a new email is being added to their account and
           if this is bad how to contact their admin about the problem.
      
      behatnotneeded
      Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8
  2. 14 Nov, 2016 1 commit
      Bug 1565199: Filter Recent Journals block Add entry + errors · e08db4cd
      Cecilia Vela Gurovic authored
      In the block Recent journal entries, the drop-down menu
      only shows the Journals which the user has permission to
      add a new entry.
      
      Also corrected error showing up and broken Journal search
      in the Edit block side screen.
      
      Also fixed the poor alignment of the artefactchooser search form's
      search button
      
      Also fixes Bug 1636850 with change in lib/view.php
      
      behatnotneeded
      
      Change-Id: I44c0d6d25eda7cb37d4a8aab66a6d1b93ca60b69
      (cherry picked from commit 88b94532)
  3. 19 Oct, 2016 1 commit
  4. 07 Jul, 2016 1 commit
      Bug 1580399: Stop users logging in to suspended/expired institutions · c10a36bc
      Robert Lyon authored
      Moving the code from LiveUser->login() to
      ensure_user_account_is_active() so that internal and external logins
      can use the same code. This means the check now will fall after
      LiveUser->authenticate() so a user's lastlogin values will be updated,
      but that should be OK as the login was successful, it's just they
      can't go any further as their institution is not active.
      
      behatnotneeded
      
      Change-Id: Ie78a60978d5936f78af5a962ca3efdcdee148b93
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  5. 05 Jul, 2016 1 commit
  6. 03 Jul, 2016 1 commit
      Bug 1594579: Copy view artefacts only once · baac44f1
      Robert Lyon authored
      Rather than copy the same artefact once per page we should only copy
      it once per copy of page(s) transaction. Eg if we are to copy a
      collection of 5 pages and they all have a block pointing to the same
      image we should copy that image only once not 5 times.
      
      behatnotneeded - behat file to come
      
      Change-Id: Iecdde53515cdd9d5ee02918252b486aa0f662fab
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  7. 24 Jun, 2016 1 commit
  8. 08 Jun, 2016 1 commit
      Bug 1590293: Correcting inconsistencies in session expiration · 4bed19a1
      Aaron Wells authored
      1. Add some documentation to session.php explaining what
      the session.gc_maxlifetime ini setting does.
      
      2. If we can't access $CFG->session_timeout, use a timeout of
      an hour instead of the PHP default of 24 minutes.
      
      3. Limit $CFG->session_timeout to 30 days, because we're already
      enforcing that limit in session.php
      
      4. Add "usr_session.mtime" column so that we can delete old sessions
      based on inactivity instead of creation date.
      
      5. Make the cron delete old session files as soon as they've expired,
      rather than padding that an additional two days.
      
      Change-Id: I9da2b26217774566b1131e997724359715edb2fe
      behatnotneeded: Covered by existing tests
  9. 30 May, 2016 1 commit
  10. 27 Apr, 2016 1 commit
  11. 18 Apr, 2016 1 commit
      Bug 1567784: session_regenerate_id() not working · a923f51b
      Aaron Wells authored
      We have existing code that tries to regenerate your
      session ID when you log in. But it stopped working
      in PHP 15.04 because the session has usually been
      closed when it gets called.
      
      Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
      behatnotneeded: Can't be tested by behat
  12. 06 Apr, 2016 1 commit
  13. 15 Dec, 2015 1 commit
      Removing obsolete "disablelogin" setting · 0284f9ab
      Aaron Wells authored
      Bug 1526076: I believe the initial intent was that
      Mahara core, and/or each plugin, could add a value
      to its version.php file indicating "disablelogin"
      true or false. And in this way, an upgrade could
      indicate whether it was a small enough upgrade that
      users did not need to log out for it.
      
      However, in practice this is not practical because
      we don't know what version of Mahara the user is
      upgrading from, and that is what determines whether
      or not it's a "stable" upgrade.
      
      Additionally, the core disablelogin has been set to true
      for the past 7 years, and the plugin disablelogin
      setting no longer has any effect.
      
      Removing disablelogin should hopefully make our
      maze of init.php auth_setup() login stuff a little
      bit easier to follow.
      
      behatnotneeded: Covered by existing tests
      
      Change-Id: I5f8a2b4faa95b9225bb926de6a54a622ea1a9618
  14. 14 Dec, 2015 1 commit
      Rename $CFG->siteclosed to $CFG->siteclosedforupgrade · 1404fe80
      Aaron Wells authored
      Bug 1526101: This should help make it clearer what's going
      on in init.php and the related auth code, by making the
      distinction between $CFG->siteclosed and $CFG->siteclosedbyadmin
      clearer.
      
      behatnotneeded: Covered by existing tests
      
      Change-Id: I8bc728622ae965ce25b55ee4b55278771fc1eedc
  15. 09 Dec, 2015 1 commit
  16. 20 Nov, 2015 1 commit
      Fix behaviour on submitting multiple pages to Moodle · fd9f1f82
      Hugh Davenport authored
      Bug 1516823
      
      The moodle plugin for mahara assignment submissions [1] had an issue [2]
      where if the plugin was configured in non locking mode, multiple
      submissions of the same view would result in only the latest submitted
      link working.
      
      This was due to the page getting locked then released, which resulted in
      a new mt token, which made all the old ones not work. This patch changes
      that by accepting a new parameter which checks whether you are locking
      and if not, then don't generate and send a token back.
      
      When viewing a view, check for the new parameter mnetviewid or mnetcollid
      along with the parameter assignment. If these are present, then Mahara
      sends an MNet request back to Moodle which tells Mahara whether the user
      has the permission to view the page.
      
      This requires an update to the Moodle plugin, which is sent for review
      currently [3]. Mahara detects whether this plugin is upgraded and
      publishing the new MNet function. If it isn't, it falls back to original
      behaviour gracefully. This is done by attempting to send a MNet request.
      
      [1] https://github.com/MaharaProject/moodle-assignsubmission_mahara
      [2] https://github.com/MaharaProject/moodle-assignsubmission_mahara/issues/2
      [3] https://github.com/MaharaProject/moodle-assignsubmission_mahara/pull/19
      
      behatnotneeded: Can't yet test MNet issues in Behat
      
      Change-Id: I80739181b58bf7cf9c326e7b0a588b6239f864f1
  17. 17 Nov, 2015 1 commit
  18. 13 Oct, 2015 1 commit
  19. 18 Aug, 2015 1 commit
  20. 16 Aug, 2015 1 commit
      Bug 1483963 - Better reporting on login activity · 19af23b2
      Robert Lyon authored
      Added a tab 'Logins' to site statistics page that contains
      how many total logins for an institution and also how many unique
      users have logged in during a certain time period - defaults to
      previous calendar month
      
      One can get different results by adjusting the url like so
      admin/statistics.php?type=logins&start=2014-01-01&end=2015-01-01
      if needing to get a different time period
      
      On upgrade it populates the usr_login_data table with the current
      lastlogin time for non-deleted users
      
      Currently usr_login_data only records user id and ctime (for login
      time) but one could also add more columns to the table if needing to
      record something that happens once per successful login.
      
      Change-Id: If59b207356894eaced7b9977b80d539a28cb7e56
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  21. 31 Jul, 2015 1 commit
  22. 27 Jul, 2015 1 commit
  23. 13 Apr, 2015 1 commit
  24. 12 Jan, 2015 1 commit
  25. 04 Dec, 2014 1 commit
  26. 18 Nov, 2014 1 commit
  27. 28 Oct, 2014 1 commit
      Clear secreturl access cookies on logout · 9bceca2b
      Aaron Wells authored
      Bug 1385564: This doesn't provide much additional security, because if
      the access cookies are still in your browser session, then the secret URL
      itself is probably still in your browser history. But if someone goes to
      the trouble of logging out *and* clearing their browser history, this
      will ensure that it actually does end the secreturl access cookie like
      they'd expect.
      
      Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733
  28. 18 Sep, 2014 1 commit
      The archiving of submitted pages/collections from groups (Bug #1335670) · 5c57b565
      Robert Lyon authored
      This patch contains:
      - The export queue system where pages/collections on release from
      submission are added to the export queue table ready to be archived.
      - The export queue admin page showing what is in the queue to be
      exported. The cron runs every 6 minutes. Queue items failed to export
      are also shown here.
      - The archive list admin page, where one can download the generated
      leap2a files for the archived submissions.
      
      In this patch you should be able to add things to the export queue by
      either releasing a submission on a group that has 'archive
      submissions' option ticked. This will add the archive to that archived
      submission page, or you can also run a leap2a export from portfolio
      export which will add the export queue and send you an email once the
      export is done.
      
      Things to note:
      - There is a server busy function that stops the export queue from
      running but I'm not too sure if the threshold is too low/high
      - The export queue tries to export the first 100 items each run but if
      resources are fine in handling that easily then the number could be
      higher but I'm not sure of what will be a good number.
      - Currently there is also infrastructure like table columns for dealing
      with releasing submissions from external systems (eg moodle) but that
      functionality is yet to be built.
      - The checking of server busy in MS Windows is untested - may need to
      just let MS ignore server busy check as there doesn't seem to be a
      standard way to check this.
      
      Change-Id: If4c1d272e9c5d46fbf16b2ff73ceb2687c06ffd4
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  29. 15 Sep, 2014 1 commit
  30. 20 Aug, 2014 1 commit
  31. 04 Jun, 2014 1 commit
  32. 09 May, 2014 1 commit
      Some artefact refactoring (Bug #1298646) · 3ba72d71
      Yuliya Bozhko authored
      Fixes in this patch:
      
      - Moved artefact.php to artefacts directory to separate it from pages.
      - Fixed reference to a wrong 'artefactonlyviewableinview' string.
      - Removed add_to_render_path() and its calls which have no purpose at all.
      - Removed 'artefact_parent_cache' table.
      - Removed cron jobs related to 'artefact_parent_cache' from DB.
      - Added 'path' column in 'artefact' table to easier calculate hierarchy.
      - Added ArtefactTest.php for artefacts unit tests
      
      Change-Id: Ia14cd85b94c32a950354446ee3565bd2964c625c
      Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>
  33. 30 Apr, 2014 1 commit
  34. 16 Apr, 2014 1 commit
      Improvements to notification system (Bug #1299993) · 63e0484d
      Nathan Lewis authored
      - Each activity type can specify a default notification method. They default
        to 'email' to remain backwards compatible.
      - Each activity type can specify if it is allowed to be set to 'none'. Defaults
        to 'allowed' for backwards compatibility.
      - Removed 'required' from notification settings - it didn't make sense, and the
        change above deals with this in a better way.
      - The site wide defaults for each activity type can be edited in
        Site options -> Notification settings. These are applied to new users or
        whenever a user does not have the appropriate usr_activity_preference records.
      - Removed 'Default notification method' as its functionality is now covered by
        the change above.
      - There is a separate help next to each activity type to explain what messages
        will be affected by the setting.
      
      Change-Id: I131cdeefbeaa8e43688aefd9d770fc8cb9bceea8
      Signed-off-by: Nathan Lewis <nathan.lewis@totaralms.com>
  35. 25 Mar, 2014 1 commit
      Prevent new users from taking spammy actions · 7b08f438
      Aaron Wells authored
      Bug 1252101
      
      1. New users get 2 "new user points" on their user record
      
      2. While they have these, they're on probation and can't post
      links in public places, or make public pages.
      
      3. "new user points" are decreased each time a non-probationary
      user responds to a forum post by the user
      
      4. Admins & Staff are automatically non-probationary
      
      Change-Id: Ibccd2e330945f66b07aac062c4f51b67a0c0dba2
  36. 09 Mar, 2014 1 commit
  37. 07 Mar, 2014 1 commit
  38. 11 Feb, 2014 1 commit
  39. 24 Jan, 2014 1 commit
      Allow site_content to be institution specific (bug #1254299) · d268d11b
      Robert Lyon authored
      Changes include:
      - added an institution column to the site_content table
      - added an 'Edit site pages' page under Admin -> Institutions
      that is accessible by institution admins
      - added an 'institution' option to the edit site pages form - this is
      a hidden field if user can edit only one institution.
      
      On upgrade it updates the site_content table to give current data the
      institution on 'mahara' (incl. local site pages) and for each
      institution it replicates the data already in the db for the default site (excl.
      local site pages) so that every site has their own versions, which can
      be adjusted as one sees fit.
      
      On creation of new institution it creates the rows in site_content
      table but with the default strings (like what you see when you first
      install a mahara) but sets the sitepages column in institution table
      to default (mahara). On deletion of institution it removes the rows in
      site_content.
      
      A user on login sees the institution site page based on what
      institution theme they see.
      
      On logout the 'lastinstitution' cookie is set allowing for them to see
      institution specific site pages.
      
      The 'No institution' (mahara) site pages can only be edited through
      Configure site -> Edit site pages.
      
      Also allow for an institution site page to be viewed if 'institution'
      variable is passed to it eg terms.php?institution=testing allowing for
      another way to access info when logged out.
      
      Change-Id: I2ed30b63c15bf676d83eb2231f48c4ca23ce8b53
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  40. 13 Jan, 2014 1 commit
      Decoupling "copy to new users" settings from other settings · 5580903d
      Aaron Wells authored
      Bug 1267633: Currently the settings for forcing a page to be copied
      to new users, new groups, and new institution members, are only available
      if the page is set to be copyable and is viewable to logged-in users.
      
      But logically there's no reason to link those settings together.
      
      Change-Id: I68b4579d891a56e617a04947664d01d59e620bdf