Upgrade step that resets the 'Data modification API' (convert_data)
setting to its default value if this setting is currently configured
to use a file located within the $CFG->dataroot directory.
Prevents configuring the 'Data modification API' (convert_data) setting
to use files located within the $CFG->dataroot directory as it exposes
the site to security risks.
This just deletes all the upgrade steps previous to 3.5.0. Some
small adjustments, like tweaking globals can also be applied
when needed.
Also includes an upgrade step to prevent upgrading from any
version < 2018051700 (v3.5.0) as anti-cheating measure.
Previous commits have removed/deprecated all the upgradelib functions
not used anymore in codebase. Deletion has been documented in corresponding
upgrade.txt files:
- upgrade_fix_block_instance_configuration()
- upgrade_theme_is_from_family(), upgrade_find_theme_location()
and linkcoursesectionsupgradescriptwasrun setting
- upgrade_block_positions
- upgrade_fix_config_auth_plugin_names()
and upgrade_fix_config_auth_plugin_defaults()
- format_xxx_upgrade_remove_numsections(), format_xxx_upgrade_hide_extra_sections()
and format_xxx_upgrade_add_empty_sections()
- filter_mathjaxloader_upgrade_cdn_cloudflare()
and filter_mathjaxloader_upgrade_mathjaxconfig_equal()
- get_assignments_with_rescaled_null_grades()
These have been kept because continue being used by restore:
- \core\task\refresh_mod_calendar_events_task
These functions were used only by deleted upgrade steps
so it's safe to proceed with straight deletion, considering
them internal. Deletion has been documented in corresponding
upgrade.txt files:
- upgrade_fix_config_auth_plugin_names()
- upgrade_fix_config_auth_plugin_defaults()
* set $idp['iconurl'] = null if no auth_logo
* lib/templates/loginform.mustache will skip NULL iconurls
* lib/ajax/service?info=tool_mobile_get_public_config will validate the NULL values
Significant string changes:
* moodleorghubname,core_admin and
sitemustberegistered,message_airnotifier - 'Moodle.net' changed to
'Moodle'
* registration_help,core_admin and registermoochtips,core_hub - removed
erroneous 'access to Moodle.net our course sharing platform'
* trackingtype_help,mod_forum and formnotavailable,core_grading and
showgrades_help,core and rolewarning_help,core_rating -
'Administration block' changed to 'Actions menu or admin block',
'navigation block' changed to 'navigation drawer or block'
Significant string changes:
* importgroups_help,core_group - Correcting optional fieldnames
(removing picture, hidepicture and adding groupidnumber, groupingname
and enablemessaging)
* penaltyforeachincorrecttry_help,core_question - additional paragraph
about scoring logic
* resultdownloadready,tool_dataprivacy - wording corrected (no need to
go to a download page)
* auth_dbfielduser,auth_db - varchar data type requirement
* Convert login form to a mustache template
* Bring logic in auth/shibboleth/login.php
* Replace usage of $_POST variable with optional_param()
* Remove unused index_form.html
3.7 (min PHP 7.1) requires 3.2 (first version supporting PHP 7.1)
This just deletes all the upgrade steps previous to 3.2.0. Some
small adjustments, like adding missing MOODLE_INTERNAL or tweaking
globals can also be applied when needed.
Also includes an upgrade step to prevent upgrading from any
version < 2016120500 (v3.2.0) as anti-cheating measure.
Next commit will get rid of/deprecate all the upgradelib functions
not used anymore in codebase. (note there isn't any this time).
CSRF protection for the login form. The authenticate_user_login function was
extended to validate the token (in \core\session\manager) but by default it
does not perform the extra validation. Existing uses of this function from
auth plugins and features like "change password" will continue to work without
changes. New config value $CFG->disablelogintoken can bypass this check.
This reduces the amount of code to an already confusing logout.php
file and prevents conflicts if someone else happens to be using
the same function name in a file.
* Use the Moodle 2+ {sessions} table, and decode the session
correctly using session_decode (adodb_unserialize is deprecated).
* Kill all user sessions using \core\session\manager's
kill_user_sessions.
As a result of fixing the auth plugins config storage in MDL-12689, many
settings would be falsely reported as new ones by
admin/upgradesettings.php. We do not want to confuse admins so we try to
reduce the bewilderment by pre-populating the config_plugins table with
default values. This should be done only for disabled auth methods. The
enabled methods have their settings already stored, so reporting actual
new settings for them is valid.
It has never been guaranteed that settings.php would always be included
from inside the core\plugininfo\auth::load_settings() scope only.
Alternative fix would be to use $plugininfo->name but I think it is
better to be explicit here (same as we are explicit with setting names,
strings etc).
Some auth plugins used to have a mix of the legacy style of plugin names
in config_plugins table (such as 'auth/mnet') and the new correct
style (such as 'auth_mnet'). Attempting to rename the setting plugin via
low level SQL UPDATE could lead to duplicate key violation.
The patch introduces a new helper function to safely migrate the old
settings to the new ones, eventually informing the admin about the
values mismatch.
