We can't really control the direct web access to directories in dirroot,
that is part of the server setup. So we at least warn admins as they may
not realize the risks of having directories like vendor or node_modules
exposed.
Credit goes to Petr Škoda for mentioning the PHPUnit issue CVE-2017-9841
to me.
Make sure to check that $user in enrolled in $course before checking
whether the current user has capabilities in that course, and make sure
that we don't check user context caps when handling a specific course.
The course object passed as parameter to extend_navigation_user
callback contained only a few parameters, some parameters like
showgrades or showreports were missing.
The callback should receive a full course object.
* Removed the div with the class 'form-group' that's enclosing the
select element and friends. It's not needed since the urlselect template
is an inline form.
* Also, for completeness, I added the helpicon data for the template's
context.
Make indexing of user messages tolerant to user deletion.
When creating the search document for user messages,
add a check to see if the user has been deleted in the
system. If they have been deleted abort creating the search
document.
This is to avoid rasining an error when trying to get the
user context for a deleted user.
Instead of putting vertical-align: middle as indication for participants table
headers, none is set which leads to theme default, i.e. bottom in Clean and Boost.
If a malformed value was passed, it may be that we can still display it.
We should not assume that, if a string is not passed, that we are
dealing with a promise.
This is an old bit of UI inconsistency. For some reason it used to take
people to the list of all courses. Given modern Moodle usability
conventions, that does not really make sense any more.
Change to download_rewrite_pluginfile_urls() ensuring prefix isn't
added to file links when downloading with the downloadasfolders
user preference set to true. Links to files in onlinetext now work
when downloading as folders.
assign->download_submissions():
- groupname now only added to zip file name if not empty, fixing a
double hyphen bug in the file name.
assign->download_rewrite_pluginfile_urls():
- groupname is now correctly determined using get_submission_group()
instead of using groups_get_activity_group() which fails when there
is no active activity group set. Uses the same logic that
download_submission() uses to prefix file names. Fixes a bug where an
empty groupname prefix was generated, resulting in broken links.
This function used to check only those courses shared by both users
when it should have been checking all courses in which $user is
enrolled. Managers can view a user's course profile without necessarily
sharing the course (being enrolled in) with the $user.
* We have duplicate input event handlers for the autocomplete element
which are both firing when the input element's value is being set.
In case an AJAX handler is defined for the autocomplete suggestions,
this causes the autocomplete suggestions so show "No suggestions" first
and then load the results from the AJAX handler a little bit later.
There are times, such as when viewing a user profile within a course,
when user_can_view_profile() should be passed a course to force it to
restrict its capability checks to only the supplied course. This change
makes sure that core_renderer->context_header() calls this correctly.
This patch adds the missing 'escaping' option to all remaining
xmlrpc_encode_request() calls in the moodle core code.
Without this, the xmlrpc_decode_request() call on the server side may
lead to wrongly decoded non-ascii characters.
The unit test was creating four events, and then relying on them being
retrieved in the order in which they were created.
I've modified the test to:
* ensure timecreated are spaced apart; and
* add an order by timecreated when fetching them.
These tests are an abuse and should not have been accepted. Behat tests should use real pages.
Adding testing only entry points to Moodle is a bad security practice and is not the purpose of behat.
* Add student1 and student2 login/logout steps for the course
participants filtering scenario in order to have last access data
for students 1 and 2 since the participants table is sorted by last
access by default.
* Convert the two course participants scenario to a scenario outline.
The steps are basically the same. Only the view mode is different.
* Remove @javascript tags for the following scenario:
- Filter users on assignment submission page
- Filter users on view gradebook page
- Filter users on course participants page
JS is not really necessary in these scenario and we can get faster
execution time.
For pass/fail setting to work properly, activities must have 'Require grade' completion set,
just make sure we don't allow activities without this setting to be set
slightly refactor duplicate_module() code so it does not rebuild course cache
twice and also we do not need to move module if it is already the last module in a section
totalcount was incorrectly calculated for normal search.
For advanced search it was working as expected.
This was making searched entries pagination behave incorrectly.
When updating the mysql system to utf8mb4 not all tables are
converted to the row format of compressed or dynamic. If a new
index is created there is a possibility that the table could be
using compact or redundant and then an error will be shown saying
that the index size is too large. This fix handles this exception
and converts the table over to compressed.
Do not use custom pfofile field name as a field alias in DB query, use field id instead.
DML lowercases all column aliases and fields with uppercase letters no longer match.
Even when course module is not available the intro text can still be visible on the
course page. In this case the availability restriction is displayed to the student
but link to the activity is not available
The url, which was used for guessing the image, was queried with the
key 'discoveryurl', which is not defined in the context of an issuer.
The baseurl should be sufficient to retrieve the favicon.ico from a
server. That's why the key for was changed from 'discoveryurl' to
'baseurl'.
Since the refactoring towards using the filepicker for file and picture
fields there are several variables, which are set but never read. Thus,
I removed them.
When a file or picture field was added with existing records, these
records could not be saved, since the draft area was not created
properly.
Co-authored-by: Jérôme Mouneyrac <mouneyrac>
Due to Moodle 2.7 and Moodle 3.4 not having a common compatible php version
between them to upgrade from Moodle 3.4 from Moodle 2.7 you'll need to upgrade
to a higher version first or upgrade php at the same time as upgrade,
this encourages the former.
Removed the concat to generate the uniqueid field for the popup
notifications data. The concat can't be used directly in the SQL because
the syntax changes between databases. The sql_concat helper can't be
used because it assumes all values are database columns (which they
aren't in this case).
Instead I've just removed the uniqueid field because it isn't required
for the union all to work and the field isn't being used by anything.
This should fixed the compatibility issues between databases.
Based on work by Tim Lock <tim.lock@blackboard.com>
While upgrading to Moodle 2.8 or above it is possible for it to fail if
the site has multiple graded attempts for a user without an associated
submission record. This caused the upgrade to violate the databases
unique key rules.
This same issue could apply to a backup that was created of an
assignment that had this issue, when it is restored into Moodle 2.8 or
later.
This change adds the attempt number from the grade table into the query
that is inserting the new submission record (thanks to Tim). It also
moves the insert query before the latest flag is set on submission
records to ensure that only one has it, without this it is possible that
multiple submission records would be marked as the latest after an
upgrade or restore.
The OR clause in these queries used different sets of columns to select
userid which meant that the indexes that included user id could not be
used.
This change splits the query so that each individual part can use one of
the indexes that includes a userid which speeds them up considerably.
When a user is entering a password which isn't returned back to them
then its not correct to use the unmask element - this element was
designed for places where we are storing shared secrets.
Fix to:
- Make sure we properly check both user and course contexts in
the load_for_user function in navigation lib and user the
user_can_view_profile function for same-course access checks.
- Use user_can_view_profile in the renderer's context_header to
properly decide whether a user can view another user's picture
and messaging options in the page header.
Fixes a bug in which a user's full name might be disclosed via the
nav tree. Nav generation now checks the current user's access to the
user before adding the node, else adds a dummy node.
In the core dml:
PostgreSQL connections now use advanced options to reduce connection overhead.
These options are not compatible with some connection poolers. The
dbhandlesoptions parameter has been added to allow the database to configure
the required defaults.
This item adds a setting to the logstore_database plugin to let you set the
same flag for your destination database - without it you won't be able to ship
logs to a postgresql database with a pgbouncer frontend.
Mustache templates containing {{#js}} blocks are not returned via the
fragments API. This is because the requirements manager is assigned when the renderer is created
and not updated by the call to start collecting page requirements.
Switch back to GCE build infrastructure for Travis Builds and move
databases to RAM Disk.
This also adds a software entropy generator (haveged) which is
recommended when using a RAMdisk for the database.
Also removed write_header() and write_footer(). The reason for this
is because in core we want to know if the format being used supports
multiple sheets. To do this, and ensure we do not break third-party
dataformat plugins, we are using method_exist(). If write_header()
and write_footer() remain in the base class then this will always
be true.
Remove unittest-specific callbacks for checking access and displaying
the calendar events on the dashboard.
This will allow plugin developers unittest the full behavior
of how their plugins add events to the dashboard.
Reset all static caches between unittests.
In the issue MDL-39319 (6ddf92c77), the ability to uninstall multiple
language packs at once was added. By a mistake, the PARAM_ALPHAEXT was
used as paramater type for the dash-separated list of language packs to
be uninstalled. Language packs with a number in the name (such as
en_us_k12) do not pass the ALPHAEXT cleaning.
This patch changes the parameter cleaning to PARAM_SAFEPATH which is
more appropriate for the given scenario as language code themselves must
be SAFEDIRs.
Default of $params = null leads to a problem in query_db().
There this value is used in array_merge, which can not handle null
values. If null is passed for one of the params the outcome will be null
independent of the value of the second param!
Repository instances are stored in the 'repository' table. Repositories
in the table are either 'Enabled and visible' or 'Enabled but hidden'.
Hidden repositories still serve their files, but are not visible in the
filepicker UI. Disabling a repository instance removes its record from
the table.
In the original implementation of the plugin manager (see b9934a17), the
method plugintype_repository::get_enabled_repositories() correctly
returned all records from the repository table. Then as a part of the
bigger refactoring in MDL-41437, the commit bde002b8 replaced the
original method with the new get_enabled_plugins() one which started to
return visible repositories only.
As a consequence, the admin tree stopped populating setting page nodes
for hidden repository instances. So attempting to visit their setting
page threw a section error. Credit goes to Ike Quigley for debugging and
tracing this down.
This patch fixes the way how the list of enabled repositories is
populated by the plugin manager so that both visible and hidden
repositories are returned again. This does not affect the filepicker
itself as it is using its own methods for obtaining the list.
There can be a different number of courses displayed in the
'Navigation' block and in the 'Flat' navigation. This patch
decides what courses we want to display on each, then
applies the 'navcourselimit' setting individually.
Add string "Side panel" to make the purpose of
trigram/hamburger icon at top left clearer, particularly
when using screen readers e.g. Jaws/NVDA.
Currently it reads out only "expand"
If we let videojs auto-init the video/audio tags present in the page - we cannot guarantee that the
youtube library will be loaded by the time video.js is processing the tag.
Video.js uses the presence of a data-setup attibute to signal that it should auto-init this tag, so
we have to rename our config attribute to something else.
The availability info text can be either a one line short text such as
"Hidden from students" but it can also be a long HTML formatted text
with the list of all restricted access conditions. For the latter, using
bootstrap labels was not appropriate.
This extends the template context data with some boolean flags that
allow to better distinguish the source and meaning of the availability
information and display it accordingly.
Credit goes to Marina Glancy for the solution idea.
Find any events records for assign group overrides having null priority
and sets their priority to the sortorder value from the corresponding
assign_overrides table entry.
Fixed a bug in which $fromform->sortorder wasn't set before passing
$formdata to assign_update_events, resulting in the existing event
priority being incorrectly nulled and breaking the effective override.
The previous behaviour was to only lock when in theme designer mode.
As a result, when generating the theme for after a reset, each new
client was starting the generation afresh and no locking was taking
place at all.
This version includes a fix[1] contributed by Frédéric Massart investigating
our compilation time issues, which significantly improves the speed of
processing font awesome.
Thanks, Fred!
[1] https://github.com/sabberworm/PHP-CSS-Parser/pull/120
Starting with npm version 5, npm install will generate a lockfile
(now named package-lock.json) or update the existing npm-shrinkwrap.json
To prevent changes being generated in the codebase when this happens, we
need to commit the version 5 generated shrinkwrap.
This is related to a general overhaul [1] of how npm manages things. But
for our purposes, we the lockfile should be BC to previous versions [2].
Going forward, we need to ensure we generate the lockfile on npm >=5 to
prevent differences from the previously un-versioned lockfile.
[1] http://blog.npmjs.org/post/161081169345/v500
[2] https://github.com/npm/npm/issues/16728#issuecomment-305104149
* Use the calendar_event::description property and format it using
format_text() on it in order to apply the appropriate filters.
* Then use html_to_text() on it to strip the tags and convert the
description to plain text while converting <br> and <p> tags to
line breaks.
When certainty-based marking is used, grades can 'exceed' the maximum grade
(because they are multiplied by factors). Therefore, in such cases, don't show
no warning.
There are situations where we need to sort events on a field called
"timesort", but sometimes it is not set. So we can fall back to
"timestart" in this case.
While ldap_get_entries_moodle() PHPdocs state that it returns "array
ldap-entries with lower-cased attributes as indexes.", this is not true. It
uses ldap_get_attributes() internally, which returns both numerically indexed
attribute names, and dictionary-like entries indexed by attribute names.
Current code lowercases the dictionary-like entries, but then uses the
numerically indexed entries for the attribute names used as keys in the
returned array. The numerically indexed names might or might not be lowercased,
depending on the LDAP server and PHP version) version. E.g., OpenLDAP 2.x,
Novell eDirectory 8.x and MS Active Directory return mixed-cased attribute
names, and PHP 5.x and PHP 7.x don't lowercase them inside ldap_get_entries().
This is probably why all calls to ldap_get_entries_moodle() are followed by
calls to array_change_key_case(), even if that shouldn't be necessary.
So make sure we always return lower-cased attributs as indexes and add some
unit tests to avoid regressions in the future.
Currently, the sorting being used for the grader report table
(asc/desc arrows) is just the grade_grades.finalgrade.
This adds grade_grades.userid in the sort to prevent duplicate
in records returned when using pages.
* Change the start date of the parent event to the current date
for tests that with events that recur forever.
* Limit query results to 100 for events that recur forever that can
generate more than 100 event records.
Previously when a repeating chat was updating the calendar
it would only update the timestart column. It needs to also
update the timesort column to display correctly on the new
overview.
When using $page->context it calls magic_get_context() in lib/pagelib.php.
This method sets the context to context_system::instance() if it is currently
null and returns that as the context. However, when installing a new site
context_system::instance() also returns null.
@@ -31,7 +31,7 @@ $string['delete_confirmation'] = 'Are you absolutely sure you want to remove <st
$string['deletea']='Delete {$a}';
$string['deletefiletypes']='Delete a file type';
$string['description']='Custom description';
$string['description_help']='Simple file type description, e.g. ‘Kindle ebook’. If your site supports multiple languages and uses the multi-language filter, you can enter multi-language tags in this field to supply a description in different languages.';
$string['description_help']='Simple file type description, e.g. \'Kindle ebook\'. If your site supports multiple languages and uses the multi-language filter, you can enter multi-language tags in this field to supply a description in different languages.';
$string['descriptiontype']='Description type';
$string['descriptiontype_help']='There are three possible ways to specify a description.
@@ -49,15 +49,15 @@ $string['error_defaulticon'] = 'Another file extension with the same MIME type i
$string['error_extension']='The file type extension <strong>{$a}</strong> already exists or is invalid. File extensions must be unique and must not contain special characters.';
$string['error_notfound']='The file type with extension {$a} cannot be found.';
$string['extension']='Extension';
$string['extension_help']='File name extension without the dot, e.g. ‘mobi’';
$string['extension_help']='File name extension without the dot, e.g. \'mobi\'';
$string['groups']='Type groups';
$string['groups_help']='Optional list of file type groups that this type belongs to. These are generic categories such as ‘document’ and ‘image’.';
$string['groups_help']='Optional list of file type groups that this type belongs to. These are generic categories such as \'document\' and \'image\'.';
$string['icon']='File icon';
$string['icon_help']='Icon filename.
The list of icons is taken from the /pix/f directory inside your Moodle installation. You can add custom icons to this folder if required.';
$string['mimetype']='MIME type';
$string['mimetype_help']='MIME type associated with this file type, e.g. ‘application/x-mobipocket-ebook’';
$string['mimetype_help']='MIME type associated with this file type, e.g. \'application/x-mobipocket-ebook\'';
$string['pluginname']='File types';
$string['revert']='Restore {$a} to Moodle defaults';
$string['revert_confirmation']='Are you sure you want to restore <strong>.{$a}</strong> to Moodle defaults, discarding your changes?';
$string['databasehandlesoptions_help']='Does the remote database handle its own options.';
$string['databasetable']='Database table';
$string['databasetable_help']='Name of the table where logs will be stored. This table should have a structure identical to the one used by logstore_standard (mdl_logstore_standard_log).';
$string['includeactions']='Include actions of these types';
For a complete list of string identifiers, see the documentation.';
$string['custommenuitems']='Custom menu items';
$string['custommenuitems_desc']='Additional items can be added to the app\'s main menu by specifying them here. Enter each custom menu item on a new line with format: item text, link URL, link-opening method (inappbrowser, browser or embedded) and language code (optional, for displaying the item to users of the specified language only), separated by pipe characters. For example:
$string['custommenuitems_desc']='Additional items can be added to the app\'s main menu by specifying them here. Enter each custom menu item on a new line with format: item text, link URL, link-opening method and language code (optional, for displaying the item to users of the specified language only), separated by pipe characters.
Link-opening methods are: app (for linking to an activity supported by the app), inappbrowser (for opening a link in a browser without leaving the app), browser (for opening the link in the device default browser outside the app) and embedded (for displaying the link in an iframe in a new page in the app).
For example:
<pre>
App\'s help | https://someurl.xyz/help | inappbrowser | en
Visit our SIS | https://someurl.xyz | browser | en
My grades | https://someurl.xyz/local/mygrades/index.php | embedded | en
Mis calificaciones | https://someurl.xyz/local/mygrades/index.php | embedded | es
</pre>
Use inappbrowser when you want to open the link in a browser without leaving the app, use browser for opening the link in the device default browser and embedded if you want to display the link embedded in a new page in the app.';
App help|https://someurl.xyz/help|inappbrowser
My grades|https://someurl.xyz/local/mygrades/index.php|embedded|en
Mis calificaciones|https://someurl.xyz/local/mygrades/index.php|embedded|es
</pre>';
$string['disabledfeatures']='Disabled features';
$string['disabledfeatures_desc']='Select here the features you want to disable in the Mobile app for your site. Please note that some features listed here could be already disabled via other site settings. You will have to log out and log in again in the app to see the changes.';
$string['enablesmartappbanners_desc']='This will display a banner promoting the Moodle Mobile app when visiting the site in a Mobile browser.';
$string['enablesmartappbanners_desc']='If enabled, a banner promoting the mobile app will be displayed when accessing the site using a mobile browser.';
$string['forcedurlscheme']='If you want to allow only your custom branded app to be opened via a browser window, then specify its URL scheme here; otherwise leave the field empty.';
$string['issuerloginparams']='Additional parameters included in a login request.';
$string['issuerloginparams_help']='Some systems require additional parameters for a login request in order to read the user\'s basic profile.';
$string['issuerloginparamsoffline']='Additional parameters included in a login request for offline access.';
$string['issuerloginparamsoffline_help']='Each OAuth system defines a different way to request offline access. E.g. Google requires the additional params: "access_type=offline&prompt=consent" these parameters should be in url query parameter format.';
$string['issuerloginscopes_help']='Some systems require additional scopes for a login request in order to read the users basic profile. The standard scopes for an OpenID Connect compliant system are "openid profile email".';
$string['issuerloginscopesoffline_help']='Each OAuth system defines a different way to request offline access. E.g. Microsoft requires an additional scope "offline_access"';
$string['issuerloginparamsoffline_help']='Each OAuth system defines a different way to request offline access. E.g. Google requires the additional params: "access_type=offline&prompt=consent". These parameters should be in URL query parameter format.';
$string['issuerloginscopes_help']='Some systems require additional scopes for a login request in order to read the user\'s basic profile. The standard scopes for an OpenID Connect compliant system are "openid profile email".';
$string['issuerloginscopesoffline_help']='Each OAuth system defines a different way to request offline access. E.g. Microsoft requires an additional scope "offline_access".';
$string['issuerloginscopesoffline']='Scopes included in a login request for offline access.';
$string['issuerloginscopes']='Scopes included in a login request.';
$string['issuername_help']='Name of the identity issuer. May be displayed on login page.';
$string['issuername']='Name';
$string['issuershowonloginpage_help']='If the OpenID Connect Authentication plugin is enabled, this login issuer will be listed on the login page to allow users to log in with accounts from this issuer.';
$string['issuershowonloginpage']='Show on login page.';
$string['issuershowonloginpage_help']='If the OAuth 2 authentication plugin is enabled, this login issuer will be listed on the login page to allow users to log in with accounts from this issuer.';
$string['issuershowonloginpage']='Show on login page';
$string['enablerunnow']='Allow ‘Run now’ for scheduled tasks';
$string['enablerunnow']='Allow \'Run now\' for scheduled tasks';
$string['enablerunnow_desc']='Allows administrators to run a single scheduled task immediately, rather than waiting for it to run as scheduled. The task runs on the web server, so some sites may wish to disable this feature to avoid potential performance issues.';
$string['resettasktodefaults']='Reset task schedule to defaults';
$string['resettasktodefaults_help']='This will discard any local changes and revert the schedule for this task back to its original settings.';
$string['runnow']='Run now';
$string['runnow_confirm']='Are you sure you want to run this task ‘{$a}’ now? The task will run on the web server and may take some time to complete.';
$string['runnow_confirm']='Are you sure you want to run this task \'{$a}\' now? The task will run on the web server and may take some time to complete.';
$string['scheduledtasks']='Scheduled tasks';
$string['scheduledtaskchangesdisabled']='Modifications to the list of scheduled tasks have been prevented in Moodle configuration';
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
$string['defaulttab']='Default tab';
$string['defaulttab_desc']='The tab that will be displayed when a user first views their course overview. When returning to their course overview, the user\'s active tab is remembered.';
$string['future']='Future';
$string['inprogress']='In progress';
$string['morecourses']='More courses';
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.