set_user_preference and unset_user_preference let you pass the user to
set preferences for as an id. Previously, if you passed $USER->id there,
those methods did not update the Cache in $USER, which was surprising,
and not easy to debug.
Now, we always update the preference cache in $USER if the preference is
being changed for the current user.
If there is an empty required custom user profile field, Web Services
should return the usernotfullysetup exception instead ignoring it.
The mobile app already handles this exception for core fields
redirecting the user to web in order to fill the missing field.
Add field 'visibleoncoursepage' to the course_modules table
Add site-wide setting for turning on stealth mode availability
Add callback for "stealth" mode support in the course formats
Change display of modules/sections availability on the course page
This change moves all operations which deal with the fetching/updating, or
setting of files from the file_storage class into a new file_system class.
A new file_system can be specified in the config.php and used to replace
all relevant methods in order to move the file system component to an
alternative solution.
The patch adds validation for the noreplyaddress setting variable, for
the explicit $replyto parameter and for the sender's email. In case of
misconfigured noreplyaddress setting, it falls back to the default
noreply address value. In case of invalid email in the user's record,
the email is not sent.
The patch also adds unit test for the value returned by the function
generate_email_processing_address() so that it can be considered as a
valid email, too.
This is supposed to significantly minimise the risk of exploiting the
vulnerability in PHPMailer's Sender field.
Removing the check in login/token.php is secure since the
auth_forcepasswordchange is checked in require_login that is called via
validate_context.
The user must be able to get a token even if that setting is on. With
that token we’ll redirect the user to the site or we’ll change the
password when a new WS for that is available.
We din't call it SSO because:
- SSO usually requires a 3rd party for authentication
- SSO term is already used in tool_mobile when supporting using auth methods like CAS or Shibboleth
This is:
a) To help avoid devs going on a wild goose chase to find a perf issue
when it's caused by css building
b) To make it clearer that this should never be enabled on production
sites (we already have a warning in the performance report, but who
looks at that)
Now that boost is the default theme and builds css itself, it's more
critical.
- New site setting to define the default course duration (used to set
the default end date for some course formats)
- End date setting out of restore
- Fix tool_uploadcourse
- Other fixes here and there
