These unit tests were modifying the PAGE and other globals in the middle of
tests and were failing as a result.
Broke the tests up into separate tests where the functionality is now
tested individually.

This unit test does not verify contents, details, but only
that the returned users for every group mode, for every
filtering (active, groupid and withcapability) together
with permissions are correct.

Changed the messaging API to allow you to provide a parameter
that will cause the code to check if the sender of the message
has the correct permissions before the message is sent.
The ajax messaging (message button on profile page) has been
updated to perform these permission checks. This brings it
in line with the existing private message page.

This patch adds a method to the course completion criteria classes
which allows them to specify an icon for display in the course
completion report table.
There is a default implementation which simply looks for an icon
in pix/i with a name matching the completion criteria type.

The problem with the previous implementation was that the table's
$this->prefs can contain a valid non-empty value in its default state -
the default column to sort by. On resetting, we must not throw away
these default prefs.

This patch simplifies the TABLE_VAR_RESET interpretation. If such an
HTTP parameter is passed via the request, the table simply behaves as if
there were no previously stored preferences (does not matter if coming
from the current session, or from the persistent cross-session storage).

The logic that decides on whether or not the reset widget should be
displayed is put into a new method can_be_reset() with unit tests
attached.

Finally, the previously private method render_reset_button() is now
protected and the reset widget is given a new semantic CSS class.

This patch fixes an XSS vulnerability with surveys where a student user
could inject arbitrary HTML in a comment on the survey. The fix is to
escape the comment before displaying it to the teacher.

This commit adds a new session key hidden field on the lesson password form
and confirms if the session key is valid on related pages to prevent CSRF on
password protected lessons.