[Mahara-contributors] [Bug 646713] Re: js config.wwwroot ignores httpswwwroot
As Andrew points out, due to the way we deal with logins (at the same URL with a transitent content, instead of using a round trip to a different login URL like Moodle does), it's completely impossible to make the Ajax based login work with it (the Javascript security model forbids it, as it's clearly a XSS). I talked about this with Nigel when I developed the patch, and he thought the feature was still valuable (and demanded[*]) even if we didn't protect the ajax based logins, so that's why it got in. On the other hand, I don't think httpswwwroot could break mnet certs. We don't use httpswwwroot for anything touching mnet at all (if I'm not mistaken), only for local logins, and only for the login process itself (so exports shouldn't be affected either). I guess we are not going to change the way logins are handled, so this is a bit of a dead end. [*] Many people don't need or aren't interested in protecting the contents of their Mahara site, but they need to protect their usernames and passwords (e.g., they may be using their LDAP credentials, that are reused in other more security-sensitive environments). And running the whole site on SSL just to protect logins is overkill IMHO (and quite a CPU burden if your site is used more than occasionally, even if CPUs have gotten better at crypto). Saludos. Iñaki. -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/646713 Title: js config.wwwroot ignores httpswwwroot Status in Mahara ePortfolio: Confirmed Bug description: Originally reported in http://mahara.org/interaction/forum/topic.php?id=1746 If wwwroot and httpswwwroot are both set and they're set differently, then users accessing mahara over https won't be able to retrieve various things - e.g. help snippets. If the user is coming over https, and httpswwwroot is set, we should be using that instead of the wwwroot. If they use the wwwroot, then browsers see this as XSS and block various things - e.g. help files. This is *only* a problem when visiting over https and the wwwroot is set to http. The only place I can see where we actively pass users from http to https is the account settings page. That said, users can visit the httpswwwroot instead of the wwwroot and will see this on any page that they visit (until they click a link that is...). I've marked this a security bug for the moment until someone else has had a look. I think we may need to have more of a review of this - the ajaxlogin also uses config.wwwroot regardless of the setting of httpswwwroot. Andrew ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 691548] Re: Mahara 1.4 test 1 multiple journals not turning off okay
** Changed in: mahara Status: Triaged => In Progress ** Changed in: mahara Assignee: (unassigned) => Richard Mansfield (richard-mansfield) -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/691548 Title: Mahara 1.4 test 1 multiple journals not turning off okay Status in Mahara ePortfolio: In Progress Bug description: In Mahara 1.4 test 1 when I have turned on multiple journals in my settings and then turn it off again I am still able to create more journals. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 675385] Re: "Block Title field" has not got a cut off for maximum number of Chars for the field
** Changed in: mahara Assignee: (unassigned) => Richard Mansfield (richard-mansfield) ** Changed in: mahara Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/675385 Title: "Block Title field" has not got a cut off for maximum number of Chars for the field Status in Mahara ePortfolio: Fix Committed Bug description: Hello there, I just edited an RSS feed "Block Title" I had created a while ago and two things happened: 1: I was able to enter 623 characters in the "Title Block field" (should I have been able to or should I have been prompted regarding the amount of characters?) 2: After clicking on the Save button the "processing" icon froze for more than 5 minutes until I canceled out of it. Here is the link:http://master.dev.mahara.org/view/blocks.php?id=749 please find attached the frozen processing text Mahara Master Dev 1.4 On Linux Postgres Using FF3 ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 668236] Re: Feedback is not possible on individual file-based artefacts
** Changed in: mahara Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/668236 Title: Feedback is not possible on individual file-based artefacts Status in Mahara ePortfolio: Fix Committed Bug description: The current 1.3 version allows a person accessing a view to access the details page for an image, and provide feedback on the image. Where a file is available as part of a view, the Provide Feedback link is missing. This seems inconsistent. The request is for comments to be able to be added for files as well as images, This could be best implemented by giving the Institution Administrator the ability to allow/deny comments on individual artefact types. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 671456] Re: Some time/date settings in langconfig.php are not compatible with Windows
** Changed in: mahara Status: In Progress => Fix Committed ** Changed in: mahara Milestone: None => 1.4.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/671456 Title: Some time/date settings in langconfig.php are not compatible with Windows Status in Mahara ePortfolio: Fix Committed Bug description: According to the note for %e on http://uk3.php.net/manual/en/function.strftime.php windows doesn't support the %e format. There's a cross-platform 'fix' for this which involves determining whether you're running windows and substr ing any %e to a %#d. I've not confirmed how this occurs under Windows, but came across it in the docs whilst assisting some in #mahara. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 673018] Re: Typo error in LDAP auth config help file
** Changed in: mahara Milestone: None => 1.4.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/673018 Title: Typo error in LDAP auth config help file Status in Mahara ePortfolio: Fix Committed Bug description: In the file auth/ldap/lang/en.utf8/help/forms/auth_config.host_url.php The title says Host UR: instead of Host URL In all versions including 1.3.3 ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 693149] Re: English usage consistency (anymore vs. any more)
** Changed in: mahara Milestone: None => 1.4.0 ** Changed in: mahara Status: New => Fix Committed ** Changed in: mahara Importance: Undecided => Low ** Changed in: mahara Assignee: (unassigned) => François Marier (fmarier) -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/693149 Title: English usage consistency (anymore vs. any more) Status in Mahara ePortfolio: Fix Committed Bug description: Per http://mahara.org/interaction/forum/topic.php?id=2607#post11430, two other default language files favour "any more" but htdocs/artefact/file/blocktype/internalmedia/lang/en.utf8/blocktype.internalmedia.php favors "anymore" instead. Here's a patch to change that. (I'll update the US English language pack to change them all to "anymore", but apparently the rest of the English-speaking world prefers "any more".) Most inconsequential patch ever attached. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 692614] Re: Registration email can be sent out more than once within the initial 24 hour period
Ruslan, both solutions sound good to me. I think I have a slight preference for 2 just because it avoids the error screen. I really wish Mahara had enforced uniqueness of email addresses in the user table right from the start. -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/692614 Title: Registration email can be sent out more than once within the initial 24 hour period Status in Mahara ePortfolio: Confirmed Bug description: A user can register, and be sent emails, multiple times with the same details prior to completing the registration process from the link sent. There are multiple records in usr_registration with only the sequential id differing. Perhaps we need to check for a unique email in here and offer some notification to the user that the email has already been used? However, there is also the issue that if this initial email wasn't received it might not be easy for the user to wait 24 hours until it clears from the database to try again, or to get hold of a sysadmin to delete the record manually so they can do so without hassle so there might be extra requirements around this or this might be the reason it currently allows for multiple records. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 693149] Re: English usage consistency (anymore vs. any more)
** Patch added: "0001-Other-default-lang-files-favour-any-more-rather-than.patch" https://bugs.launchpad.net/bugs/693149/+attachment/1772987/+files/0001-Other-default-lang-files-favour-any-more-rather-than.patch -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/693149 Title: English usage consistency (anymore vs. any more) Status in Mahara ePortfolio: New Bug description: Per http://mahara.org/interaction/forum/topic.php?id=2607#post11430, two other default language files favour "any more" but htdocs/artefact/file/blocktype/internalmedia/lang/en.utf8/blocktype.internalmedia.php favors "anymore" instead. Here's a patch to change that. (I'll update the US English language pack to change them all to "anymore", but apparently the rest of the English-speaking world prefers "any more".) Most inconsequential patch ever attached. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 693149] [NEW] English usage consistency (anymore vs. any more)
Public bug reported: Per http://mahara.org/interaction/forum/topic.php?id=2607#post11430, two other default language files favour "any more" but htdocs/artefact/file/blocktype/internalmedia/lang/en.utf8/blocktype.internalmedia.php favors "anymore" instead. Here's a patch to change that. (I'll update the US English language pack to change them all to "anymore", but apparently the rest of the English-speaking world prefers "any more".) Most inconsequential patch ever attached. ** Affects: mahara Importance: Undecided Status: New -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/693149 Title: English usage consistency (anymore vs. any more) Status in Mahara ePortfolio: New Bug description: Per http://mahara.org/interaction/forum/topic.php?id=2607#post11430, two other default language files favour "any more" but htdocs/artefact/file/blocktype/internalmedia/lang/en.utf8/blocktype.internalmedia.php favors "anymore" instead. Here's a patch to change that. (I'll update the US English language pack to change them all to "anymore", but apparently the rest of the English-speaking world prefers "any more".) Most inconsequential patch ever attached. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 692614] Re: Registration email can be sent out more than once within the initial 24 hour period
> Are the multiple emails causing a problem or is it just an annoyance? As Sergio suggested on the forum, it is possible though to create two users with the same email by registering twice using different links and specifying different usernames. I see two possible solutions: 1. Leave multiple registration records in usr_registration as it is, but check at the registration key processing that the user with the same email does not exist in usr table. 2. At the registration, ensure that only one record for given email exist (e.g. each consequent registration attempt the record with the same email is being updated with new key and all the data). -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/692614 Title: Registration email can be sent out more than once within the initial 24 hour period Status in Mahara ePortfolio: Confirmed Bug description: A user can register, and be sent emails, multiple times with the same details prior to completing the registration process from the link sent. There are multiple records in usr_registration with only the sequential id differing. Perhaps we need to check for a unique email in here and offer some notification to the user that the email has already been used? However, there is also the issue that if this initial email wasn't received it might not be easy for the user to wait 24 hours until it clears from the database to try again, or to get hold of a sysadmin to delete the record manually so they can do so without hassle so there might be extra requirements around this or this might be the reason it currently allows for multiple records. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 692614] Re: Registration email can be sent out more than once within the initial 24 hour period
Just to keep all relevant information here, the issue was discussed on the forum as well: http://mahara.org/interaction/forum/topic.php?id=2630#post11526 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/692614 Title: Registration email can be sent out more than once within the initial 24 hour period Status in Mahara ePortfolio: Confirmed Bug description: A user can register, and be sent emails, multiple times with the same details prior to completing the registration process from the link sent. There are multiple records in usr_registration with only the sequential id differing. Perhaps we need to check for a unique email in here and offer some notification to the user that the email has already been used? However, there is also the issue that if this initial email wasn't received it might not be easy for the user to wait 24 hours until it clears from the database to try again, or to get hold of a sysadmin to delete the record manually so they can do so without hassle so there might be extra requirements around this or this might be the reason it currently allows for multiple records. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 632308] Re: User can submit view for assesment to the group where s/he has admin or tutor role
Yes, it has been reverted (9b3beda9c15). Sorry for not updating in the tracker. ** Changed in: mahara Status: In Progress => Won't Fix -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/632308 Title: User can submit view for assesment to the group where s/he has admin or tutor role Status in Mahara ePortfolio: Won't Fix Bug description: Not sure if it is a bug. User is able to submit a view for assessment to the group where s/he is the admin or tutor (i.e. submit a view for assessment to oneself). I suggest to fix it either by disabling such possibility completely, or allowing it only if there are other tutors or admins in the group (in which case user will not be able to assess own view despite the role). Fix is ready, just need a confirmation from community. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 692953] Re: XMLRPC automatic user creation and password recovery issue
Just pushed the fix. It is now ensured that password recovery is requested for internal users only. ** Changed in: mahara Status: New => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/692953 Title: XMLRPC automatic user creation and password recovery issue Status in Mahara ePortfolio: Fix Committed Bug description: Something to think about. The use case is: 1. Create user in moodle that would have the similar username and email to the one that already exists in Mahara (ensure "we auto-create the user" is set in XMLRPC settings). Say, we created user "test1". 2. Login to Mahara from Moodle, the new user with amended username will be created (test11). At this point we have two different usernames with the same email in Mahara. 3. Now, if original test1 forgot a password, (s)he will only be able to use username-based recovery in "Lost username/password", entering email will ends with error "The email address or username you entered doesn't match any users for this site". The easiest way is probably ensuring that password recovery can be requested for internal users only. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 692953] [NEW] XMLRPC automatic user creation and password recovery issue
Public bug reported: Something to think about. The use case is: 1. Create user in moodle that would have the similar username and email to the one that already exists in Mahara (ensure "we auto-create the user" is set in XMLRPC settings). Say, we created user "test1". 2. Login to Mahara from Moodle, the new user with amended username will be created (test11). At this point we have two different usernames with the same email in Mahara. 3. Now, if original test1 forgot a password, (s)he will only be able to use username-based recovery in "Lost username/password", entering email will ends with error "The email address or username you entered doesn't match any users for this site". The easiest way is probably ensuring that password recovery can be requested for internal users only. ** Affects: mahara Importance: Low Assignee: Ruslan Kabalin (ruslan-kabalin) Status: New ** Tags: moodle password recovery xmlrpc ** Changed in: mahara Assignee: (unassigned) => Ruslan Kabalin (ruslan-kabalin) ** Changed in: mahara Importance: Undecided => Low -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/692953 Title: XMLRPC automatic user creation and password recovery issue Status in Mahara ePortfolio: New Bug description: Something to think about. The use case is: 1. Create user in moodle that would have the similar username and email to the one that already exists in Mahara (ensure "we auto-create the user" is set in XMLRPC settings). Say, we created user "test1". 2. Login to Mahara from Moodle, the new user with amended username will be created (test11). At this point we have two different usernames with the same email in Mahara. 3. Now, if original test1 forgot a password, (s)he will only be able to use username-based recovery in "Lost username/password", entering email will ends with error "The email address or username you entered doesn't match any users for this site". The easiest way is probably ensuring that password recovery can be requested for internal users only. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 605751] Re: Provide PDF / print version of resume
*** This bug is a duplicate of bug 547690 *** https://bugs.launchpad.net/bugs/547690 PDF export is in development. Specification here - http://wiki.mahara.org/Developer_Area/Specifications_in_Development/PDF_Export It seems this bug is a duplicate of this -> https://bugs.launchpad.net/mahara/+bug/547690 so it's not needed anymore. ** This bug has been marked a duplicate of bug 547690 Print version of a view (pdf?) * You can subscribe to bug 547690 by following this link: https://bugs.launchpad.net/mahara/+bug/547690/+subscribe -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/605751 Title: Provide PDF / print version of resume Status in Mahara ePortfolio: Triaged Bug description: It would be cool if people could print / export their resume as one nicely formatted document once they have filled in all information. ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
