1. 30 Oct, 2017 1 commit
      Security Bug 1701978: fix session cookie issues · 69bcdb52
      Cecilia Vela Gurovic authored
      1. when a user logs in it clears any obsolete
         usr_session cookies for the user
      2. recording the user-agent of the session
         and if it changes to prompt the user to
         login again
      3. when self adding / editing email address(es)
         send 2 emails
        - one to the new email address asking user to confirm address
        - and one to the primary email address to alert user
          that a new email is being added to their account and
          if this is bad how to contact their admin about the problem.
      
      behatnotneeded
      Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8
  2. 04 Sep, 2017 1 commit
  3. 29 Jun, 2017 1 commit
      Bug 1701141: deleting view when it belongs to a collection · 6ba1dff4
      Cecilia Vela Gurovic authored
      updating view order on collection when deleting page
      in the system and this one belongs to a collection
      (not removing view when editing the collection) so that
      collection is displayed again under "Shared with me"
      for example.
      
      behatnotneeded
      
      Change-Id: I177d85629a46615307841b90d6e91da5e75de5ca
  4. 25 May, 2017 1 commit
      Bug 1692749: Security: Stop event log having plain text passwords · bd4941ba
      Robert Lyon authored
      This patch only deals with:
      1) removing passwords from existing event_log table data
      2) stopping the recording of passwords into the event_log table
      3) sets the reset password on next login for those users
      
      It doesn't deal with removing the unnecessary cruft information
      that will be handled by the bug 1692385
      
      behatnotneeded
      
      Change-Id: Id29148f78fa6918f5f5afcb89d211ccb3b60c95b
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  5. 11 May, 2017 1 commit
  6. 23 Apr, 2017 1 commit
      Bug 1650995: Auth saml idp metadata fix · 864fb0f9
      Robert Lyon authored
      This patch allows the dataroot/metadata/*.xml file to be named after
      the idp rather than the Mahara institution.
      
      Also added
      - A select dropdown so that institution can pick existing auth to be
      paired to
      - Upgrade to rename the dataroot/metadata/*.xml file
      - Check to stop being able to add blank metadata field
      - An alert for user when updating metadata if other institutions are also being affected
      - Delete the metadata if deleted institution is only one using it
      
      behatnotneeded
      
      Change-Id: Ie3f5cdc523404b1081352ede67aab591e79b6dbb
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  7. 26 Feb, 2017 2 commits
  8. 11 Feb, 2017 1 commit
      Bug 1655456: fix shared collection not displaying · 1a1d193d
      Cecilia Vela Gurovic authored
      Collection shared to a group was not displaying
      in group page and shared with me page
      after first page of collection was deleted.
      Fixed by resetting the order when deleting a view.
      
      behatnotneeded
      
      Change-Id: I096114ecf50b7a3af6d1393b387073676a984006
  9. 25 Jan, 2017 1 commit
  10. 24 Jan, 2017 1 commit
  11. 10 Dec, 2016 1 commit
  12. 23 Nov, 2016 1 commit
  13. 24 Oct, 2016 2 commits
  14. 20 Oct, 2016 1 commit
  15. 13 Sep, 2016 1 commit
  16. 01 Sep, 2016 1 commit
  17. 23 Aug, 2016 1 commit
  18. 22 Aug, 2016 1 commit
  19. 01 Aug, 2016 1 commit
  20. 25 Jul, 2016 1 commit
      Bug 1606101: usr.suspendedcusr must be non-zero · ead553ee
      Ghada El-Zoghbi authored
      It turns out a lot of existing code checks the boolean
      value of usr.suspendedcusr to determine if a user should
      be treated as suspended or not. The LDAP sync cron (and,
      indeed, any code suspending users via a cron task) was
      setting usr.suspendedcusr to 0, which is boolean false,
      so these users would be treated as not suspended.
      
      We are going to update all usr.suspendedcusr = 0
      to a valid site admin ID.
      
      Change-Id: Iecfbfd8a4cdd98d5d07149bb40c64308262ea234
      behatnotneeded: Test to come later
  21. 24 Jul, 2016 1 commit
  22. 22 Jul, 2016 1 commit
  23. 14 Jul, 2016 1 commit
      Bug 1438894: Moving the profile introduction text to description column · e305c12a
      Robert Lyon authored
      Currently all the artefacts that save html/tinymce data do so in the
      description field - except the internal profile introduction field.
      
      Seeing as we are already doing special handling of this plugin we might
      as well save the html/tinymce data into the 'description' column of
      the db for consistency's sake.
      
      behatnotneeded - existing tests should suffice
      
      Change-Id: I68da79f1c9423e19218162d8315008134251c31f
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
  24. 08 Jul, 2016 1 commit
  25. 07 Jul, 2016 1 commit
  26. 05 Jul, 2016 1 commit
  27. 01 Jul, 2016 1 commit
  28. 24 Jun, 2016 1 commit
  29. 20 Jun, 2016 1 commit
  30. 08 Jun, 2016 1 commit
      Bug 1590293: Correcting inconsistencies in session expiration · 4bed19a1
      Aaron Wells authored
      1. Add some documentation to session.php explaining what
      the session.gc_maxlifetime ini setting does.
      
      2. If we can't access $CFG->session_timeout, use a timeout of
      an hour instead of the PHP default of 24 minutes.
      
      3. Limit $CFG->session_timeout to 30 days, because we're already
      enforcing that limit in session.php
      
      4. Add "usr_session.mtime" column so that we can delete old sessions
      based on inactivity instead of creation date.
      
      5. Make the cron delete old session files as soon as they've expired,
      rather than padding that an additional two days.
      
      Change-Id: I9da2b26217774566b1131e997724359715edb2fe
      behatnotneeded: Covered by existing tests
  31. 17 May, 2016 2 commits
  32. 27 Apr, 2016 1 commit
  33. 31 Mar, 2016 1 commit
      Enhance the openbadgedisplayer plugin. Bug 1536393 · 42c171f9
      Son Nguyen authored
      Allow loading openbadgedisplayer block via ajax.
      Dynamically load badge groups from sources.
      Cache badge details in database for one day if $fromcache is true.
      
      behatnotneeded
      
      Change-Id: I36c8054fd6daf7ca1fcf1fe3a22672c9eb009c6e
  34. 28 Mar, 2016 1 commit
  35. 17 Mar, 2016 1 commit
      Use $CFG->cacheversion for HTMLPurifier cache version · 42559c5b
      Aaron Wells authored
      Bug 1558387
      
      With this, we don't have to remember to bump HTML.DefinitionRev in
      html_clean(), or clear the htmlpurifier directory in dataroot.
      
      behatnotneeded: API change only
      
      Change-Id: I15cd291fd8e5d7d5c357f1595a89f34f44236e7d
  36. 16 Mar, 2016 1 commit
  37. 14 Mar, 2016 1 commit