This patch fixes an XSS vulnerability with surveys where a student user
could inject arbitrary HTML in a comment on the survey. The fix is to
escape the comment before displaying it to the teacher.

This commit adds a new session key hidden field on the lesson password form
and confirms that the session key is valid on related pages to prevent CSRF on
password protected lessons.

When students are given the appropriate permissions to view ratings, in
the situation where there are separate groups, the students can view the
ratings of an entry that is in the all participants group.

Comment question window closes after 2 sec., which crashes win-FF as it is
slow to check for "Changes saved" text. As it is checked after switching that
the changes are saved, this step can be avoided to ensure robustness of the
scenario.

The Atto autosave feature uses the $PAGE->url to generate unique hashes for
each page. Assignment uses a MUC cache to persist ordering of lists - the result
is that the urls are not unique (they depend on the cached filter).
The fix is to spoof a unique url that will grade only that student with no
active grading list (no next/prev buttons).

If file details (size, type, date) are configured to be displayed we cache them
in the course cache raw and build the display string in the user's language/timezone
when displaying. Also changed the behat test not to fail in 2016.

This upgrade step addresses issues identified in MDL-51939 where the
groupid was incorrectly set. The issue itself is not present in 2.9, but
this upgrade step is required to correct any incorrect data.

Users that don't have permission to view timed posts outside of the release
time frame will have discussions that have entered the visible frame appear
in an odd order from their point of view on the discussion list.
Example:
Discussion 1, modified 2015-01-01, hidden till 2015-01-03
Discussion 2, modified 2015-01-02, not hidden
The standard 'modified descending' order means that D2 is listed at the top
even after D1 becomes visible. When scanning the list of discussions for new
posts, the user could be tricked into thinking they'd already read it.
This fix instead takes into account the release time of the discussion when
timed forum posts are enabled.
I opted to use CASE statements to handle this instead of GREATEST as the
latter is not supported by MSSQL.
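The ordering problem described in the last commit message, as an added example that is not part of the commit or of Moodle's code. It builds an in-memory SQLite table with constructed rows matching the D1/D2 example; the column names `timemodified` and `timestart` and the `discussions` table name are assumptions made for this illustration. It shows the old "modified descending" order beside the release-time-aware order, using a CASE expression rather than GREATEST as the commit message explains, and hides not-yet-released discussions from users without permission to see them.

```python
import sqlite3

# Constructed sample rows (not Moodle data). Dates are ISO strings so that
# string comparison gives chronological order. Column names are assumptions.
DISCUSSIONS = [
    (1, "Discussion 1", "2015-01-01", "2015-01-03"),  # modified 01-01, hidden till 01-03
    (2, "Discussion 2", "2015-01-02", None),          # modified 01-02, not timed
]


def build_db():
    """Create an in-memory table holding the constructed sample discussions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE discussions (id INTEGER, name TEXT, "
        "timemodified TEXT, timestart TEXT)"
    )
    conn.executemany("INSERT INTO discussions VALUES (?, ?, ?, ?)", DISCUSSIONS)
    return conn


def list_discussions(conn, now, can_view_hidden, order_by_release):
    """Return discussion names in the order a user would see them.

    can_view_hidden  - user may see timed posts outside their release window,
                       so nothing is filtered and plain modified order is used.
    order_by_release - the fix: sort by the later of timemodified and timestart
                       for users who only see released discussions.
    """
    if can_view_hidden:
        sql = "SELECT name FROM discussions ORDER BY timemodified DESC, id DESC"
        params = {}
    else:
        # Only discussions already released are visible to this user.
        where = "WHERE timestart IS NULL OR timestart <= :now"
        if order_by_release:
            # CASE instead of GREATEST: the commit notes MSSQL lacks GREATEST.
            order = (
                "ORDER BY CASE WHEN timestart IS NOT NULL AND timestart > timemodified "
                "THEN timestart ELSE timemodified END DESC, id DESC"
            )
        else:
            # Pre-fix behaviour: D2 stays on top even after D1 is released.
            order = "ORDER BY timemodified DESC, id DESC"
        sql = f"SELECT name FROM discussions {where} {order}"
        params = {"now": now}
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_db()
    print("before fix:", list_discussions(db, "2015-01-04", False, False))
    print("after fix: ", list_discussions(db, "2015-01-04", False, True))
```

Run on 2015-01-04 (after D1's release), the pre-fix query lists D2 first, so a student scanning the list for new posts would not notice that D1 just appeared; the CASE ordering puts D1 on top because its release time is later than D2's last modification. Run on 2015-01-02, D1 is filtered out entirely for that user.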