Unfortunately PHP does not provide any means to autoload the files that
a functions is located in, even if they are in an namespace.
To work around this, Composer makes use of an `autoload.files` section
in the `composer.json` file. Shortly after the Composer autoloader is
registered with the `spl_autoload_register` call it also includes any
files listed in this section.
Moodle does not do this and really we should be doing so.
This change adds a section to the autoloader registration method which
loads all of the files defined in any third-party library included in
our `lib` directory which contains any `composer.json` file with such a
stanza.
Curl has the option CURLOPT_UNRESTRICTED_AUTH. If true, curl will send
the credentials to a different host. If false, they will not be sent.
CURLOPT_UNRESTRICTED_AUTH can only work if the CURLOPT_FOLLOWLOCATION
option is true. The filelib forces the CURLOPT_FOLLOWLOCATION option
to be false, because all redirects are emulated at the PHP level. So,
in this case, the CURLOPT_UNRESTRICTED_AUTH option is only being used
in our logic and will not work as you might expect it to.
This patch works almost the same as CURLOPT_UNRESTRICTED_AUTH in ideal
conditions. It will check whether the host is different. If so, the
system will check what value CURLOPT_UNRESTRICTED_AUTH has. If it is
not specified, then by default, it will be false. If false, then
credentials will not be sent.
On Postgres, at least, get_recordset_sql performs signficantly worse
if you don't pass a limit. So, we add a limit to the query, but one
that in enormously too large, so it should never have an effect.
(And, there is code to check we never hit the limit, to avoid subtle bugs.)
This 'fix' is basically a work-around, but one that is already used in
some places. Now it is used in all similar places.
Exactly what causes the current file path in a file manager to become
unset is still unclear to me, but it seems to be an obscure race
condition that is very hard to reproduce.
However, when it happens, currently we are effectively defaulting to
path '/undefined/'. Using '/' is never worse, and is infinitely better
in the case where the filepicker does not allow folders to be used
(which includes important cases like essay questions in a quiz, which
some people use for exams!). In that case, falling back to non-top-level
path leads to dataloss.
Also, this is all historic JavaScript which will get replaced in the
grand de-YUI-fication, so I think a pragmatic fix is justified here.
The Open ID Connect plugin uses null for the password,
which makes the internal password update fail to proceed.
Allowing null resolved the problem.
As a note, there is a potential issue if the authentication method has
a false return for the prevent_local_password because it will trigger
the hash_internal_user_password() where the $password can not be null.
Since this only addresses the oauth2 issue, we should ignore it.
