We were already caching these preferences when a user object is provided
to get_user_preferences, or when $USER is provided.
This changee swaps get_user_preferences to use the global USER object
when the USER->id matches the userid supplied to the function.
CSRF protection for the login form. The authenticate_user_login function was
extended to validate the token (in \core\session\manager) but by default it
does not perform the extra validation. Existing uses of this function from
auth plugins and features like "change password" will continue to work without
changes. New config value $CFG->disablelogintoken can bypass this check.
Places that display list of users (such as course participants page)
with additional identifier fields now respect the user's permission to
view other users' hidden profile fields.
If enabled $CFG->allowcohortthemes, then themes can be set at the cohort level.
This will affect all users with only one cohort or more than one but with the same theme.
The default theme order will be: course, category, session, user, cohort, site.
Also deprecated the following functions -
1. message_move_userfrom_unread2read - It is not necessary
for us to mark a message as read on user deletion.
2. message_get_blocked_users - Horrible logic used to
determine if a user is blocked via reference on some
randomly chosen 'isblocked' variable.
3. message_get_contacts - The same as above. This can be
done in a much nicer way.
4. message_mark_message_read - We want two functions to do
this to avoid confusing messages and notifications.
5. message_can_delete_message - This assumed the variable
$message contained the 'useridto' property, which
was present in the old table structure. We do not want
future usages where a query is done on the new table
and is simply passed as this won't contain this property.
6. message_delete_message - Same as above.
- Define sitepolicy handler manager class, base class and the core handler
- Allow to set a plugin as sitepolicyhandler that implements the sitepolicy API
- Modify web services to return information from the 3rd party handler instead of core if needed
The patch introduces a new site setting 'sitepolicyhandler' that can be
either empty or contain a plugin component name. If it is empty, the
site policy feature keeps working as before and the core keeps the
control over it.
If a plugin is specified, it is expected to implement the callback
'site_policy_handler' in its lib.php file. The callback should return a
URL to a script where the user can accept the site policies. The plugin
itself is responsible for setting the 'policyagreed' flag in the users
table. The callback may return an empty value, in which case the user
can continue using the site without being redirected.
The patch adds support for a new pre-config flag NO_SITEPOLICY_CHECK.
This constant should be defined and set to true if we should not check
the user's policyagreed status during the require_login().
This is for pages where the user actually accepts the site policies and
helps to avoid the redirect loop.