The MoodleSession cookie is already set this way when using Chrome, but
not for Firefox. This is a decision made in \core\session\manager. When
Firefox eventually defaults to SameSite=Lax when the SameSite attribute
is omitted from the Set-Cookie headers, the MoodleSession cookie won't
be sent. This change ensures the cookies used during LTI launches will
continue to work if/when this happens, and despite any changes which may
be made to core's sessionlib in future.
Adds the property that is required by Chrome to opt-in to its 3rd party
cookie partitioning solution, CHIPS. This specific change to auth_lti is
to ensure the MoodleSession Set-Cookie header resulting from
complete_user_login() calls (in auth.php) has this property set.
To opt a cookie in to Chrome's 3rd party cookie partitioning solution,
CHIPS, the property 'Partitioned;' needs to be set. This adds a helper
class supporting this, for a given cookie(s).
Note also, PHP's native
cookie APIs (setcookie, etc) don't support this cookie property yet -
(https://github.com/php/php-src/issues/12646).
Since this class is intended to allow existing Set-Cookie headers to be
modified before being sent (e.g. allowing clients to set a property on a
cookie set elsewhere in code), it deals with the headers directly anyway
but it means that new cookies must also use this helper to opt-in,
instead of relying on setcookie(). E.g. where the intent is to add
partitioning support to a new cookie, that cookie must first be set
(setcookie) and then it may opt-in to partitioning via this helper;
partitioning support cannot be achieved directly through setcookie and
friends yet.
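The header rewriting described above, as an added example that is not Moodle's own helper class: a cookie is first queued with setcookie(), then the queued Set-Cookie headers are read back with headers_list(), the matching one is rewritten to carry the Partitioned attribute (adding Secure, which Partitioned requires), and the whole set is re-queued. The function names add_partitioned_to_cookies() and rewrite_set_cookie_header() are assumptions for this illustration, and it assumes it runs in a web SAPI before any output has been sent.

```php
<?php
// Added example, not Moodle's code. Opts already-queued cookies in to CHIPS
// by appending "Partitioned" to their Set-Cookie headers, since setcookie()
// cannot emit that attribute itself.

/**
 * Rewrite one "Set-Cookie: name=value; attr; attr=val" header so that the
 * named cookies carry Partitioned (and Secure, which Partitioned requires).
 * $modified is incremented when the header was actually changed.
 */
function rewrite_set_cookie_header(string $header, array $cookienames, int &$modified): string {
    $value = trim(substr($header, strlen('Set-Cookie:')));
    $parts = array_map('trim', explode(';', $value));
    $name = explode('=', $parts[0], 2)[0];
    if (!in_array($name, $cookienames, true)) {
        return $header; // Not one of the cookies we were asked to opt in.
    }
    $lower = array_map('strtolower', $parts);
    if (in_array('partitioned', $lower, true)) {
        return $header; // Already opted in; nothing to do.
    }
    if (!in_array('secure', $lower, true)) {
        $parts[] = 'Secure'; // Partitioned cookies must also be Secure.
    }
    $parts[] = 'Partitioned';
    $modified++;
    return 'Set-Cookie: ' . implode('; ', $parts);
}

/**
 * Add Partitioned to every queued Set-Cookie header whose cookie name is in
 * $cookienames. Returns the number of headers rewritten (0 if headers were
 * already sent, in which case nothing can be changed any more).
 */
function add_partitioned_to_cookies(array $cookienames): int {
    if (headers_sent()) {
        return 0;
    }
    $modified = 0;
    $rewritten = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue; // Leave non-cookie headers queued untouched.
        }
        $rewritten[] = rewrite_set_cookie_header($header, $cookienames, $modified);
    }
    if ($modified === 0) {
        return 0;
    }
    // header_remove() drops every Set-Cookie header at once, so re-queue the
    // full (partly rewritten) set; replace=false keeps them all.
    header_remove('Set-Cookie');
    foreach ($rewritten as $header) {
        header($header, false);
    }
    return $modified;
}

// Usage, before any output is sent (cookie value is a constructed sample):
setcookie('MoodleSession', 'constructed-session-id', [
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None',
]);
add_partitioned_to_cookies(['MoodleSession']); // returns 1 in a web SAPI
```

Because header_remove() cannot target a single Set-Cookie header, the helper re-emits every cookie header, including the untouched ones; that is why any new cookie wanting partitioning must go through this path after setcookie() rather than through setcookie() alone.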
Browsers are phasing out 3rd party cookies. Those which can be set are
partitioned to the top level embedding site, so piggybacking is
prevented. This will break the account linking process. This fix swaps
the piggyback for a login round trip, as originally intended, which
resolves the issue.
With the new flow, users can go to the login page from the confirmed page,
and if the user successfully logs in, the user will be directed to the confirmed page.
To avoid that, the confirmed page can only be seen by users who are not logged in.
MDL-78806 core: Remove redundant site name on page titles
* With the site name now being appended to the page titles, there
is no need to manually append the page titles.
When receiving data from the LTI launch, or service call, only update
the user record when we know something has changed. This prevents the
creation of many \core\event\user_updated events.
This isn't required and generates excess events. The only thing update
does, other than update the user fields, is to update the picture, but
in this case, that's unset in membership-based auths anyway, so it's
entirely safe to remove this.
After the user creation, the system must call an update function to update profile_fields_*.
We also added two functions to user/profile/lib.php so they are available from other areas.
We added PHP unit testing for new public functions and
the Behat tests for custom profile fields with locked and unlocked statuses.
Co-authored-by: Matt Porritt <matt.porritt@moodle.com>
Update oauth2 to allow mapping of provider attributes against
user profile fields. Fields can also be locked to prevent
user changes.
Co-Authored-By: Michael Milette <michael.milette@tngconsulting.ca>
Evaluated usage of "Install selected language pack(s)" in Behat and
replaced the steps to use generator to install language packs as part
of test setup.
Since phpCAS v1.6.0, a required base service URL parameter needs to be
passed to phpCAS::client(). This is basically the protocol, hostname,
and port number (optional) of the site connecting to the CAS server
in order for it to perform service URL discovery.
This partially reverts MDL-73270, where some useful environmental
checks and notifications in the admin UI were added to inform
about different parts of Moodle relying on the "unsupported"
php-xmlrpc extension.
Since then, some changes have happened in core, only available
for Moodle 4.1 and up (see the MDL-70889 mini-epic). Namely:
- MNet (SSO, roaming, auth, enrol and Mahara portfolio) are not
using the php-xmlrpc extension anymore, but a pure php library.
- The xmlrpc webservices protocol has been moved from core to
the plugins directory, although it continues using the php-xmlrpc
extension.
Because of that, here we are removing all the checks and notifications
related to MNet (not using the extension anymore), but keeping the
webservice plugin ones (still using the extension). Surely, if some day the
protocol stops using the extension, we'll be able to remove the
corresponding checks too. But that's future.
Note the associated lang strings have also been removed (not deprecated)
because they were highly specific and hardly reusable:
- xmlrpcmaharaenabled
- xmlrpcmnetauthenticationenabled
- xmlrpcmnetenabled
And the very same applies, because MNet doesn't contain anything deprecated
or not supported anymore, hence straight deletion, to the function:
- mnet_get_deprecation_notice()
Also, related tests using any of the removed stuff above have been deleted.
On the other side, "check_xmlrpc_usage" continues existing and
being used both by environment checks and admin notifications but,
as commented above, now it only looks for the xmlrpc webservice
protocol.
Basically this fixes MDL-70833 that was reproduced while
testing the update_enrolments requests. Summary:
- Fixes a typo in table name preventing it from ever being updated.
- Fix outer join that was missing records.
- Stop playing and mixing ids (local and remote).
- Better control which enrolments have to be kept (previously
they were being deleted immediately after creating them).
- Improve the coding style of inserts.
- Modernise the deletions to use sql helper and to work with 0..n ids.
Completely remove all uses of the xmlrpc php extension in
the client and replace them by the phpxmlrpc library.
Very noticeably, remove all the uses of the curl extension
and use phpxmlrpc's own curl support.
Working ok for moodle-moodle/mahara sso and mahara portfolio export.
Provide a test page in authentication settings
to allow administrators to test configured oAuth2
providers and to examine the data that is passed
back on a successful test user authentication.
Co-authored-by: Matt Porritt <mattp@catalyst-au.net>
This just deletes all the upgrade steps previous to 3.9.0. Some
small adjustments, like tweaking globals can also be applied
when needed.
Also includes an upgrade step to prevent upgrading from any
version < 2020061500 (v3.9.0) as an anti-cheating measure.
The next commits will proceed to deprecate / remove functions
that were exclusively (usually belonging to upgradelib) being
used by those, now removed, upgrade steps. This is the list
of code to remove and document in upgrade.txt files:
- upgrade_analytics_fix_contextids_defaults()
- upgrade_convert_hub_config_site_param_names()
- upgrade_rename_prediction_actions_useful_incorrectly_flagged()
- \mod_forum\task\refresh_forum_post_counts adhoc task.
And this is the code that has NOT been removed
because it may be needed later (even though there are no uses now):
- \core_search\manager::clean_up_non_existing_area(), used by
- \core\task\clean_up_deleted_search_area_task adhoc task
Applied the following changes to various testcase classes:
- Namespaced with component[\level2-API]
- Moved to level2-API subdirectory when required.
- Fixed incorrect use statements with leading backslash.
- Remove file phpdoc block
- Remove MOODLE_INTERNAL if not needed.
- Changed code to point to global scope when needed.
- Fix some relative paths and comments here and there.
- All of them passing individually.
- Complete runs passing too.
Special mention to:
- Some fixtures, initially defined in the test files have been
moved to new files in fixtures subdirectory, leaving the unit
test files clearer:
- moodle2_course_format_test.php
- Rename wrongly named test:
- baseoptiogroup_test = baseoptigroup_test
By adding the step:
Given remote langimport tests are enabled
We make the execution of scenarios requiring to install /
upgrade lang packs optional, based on the existence of the constant:
TOOL_LANGIMPORT_REMOTE_TESTS
That way, when we are skipping language upgrades with the CFG var:
$CFG->skiplangupgrade = true
We can decide not to execute those tests.
In other words, putting something like this in the config.php
file we will be controlling when to execute or not the behat tests:
// Disable lang updates on upgrade.
$CFG->skiplangupgrade = true;
if (empty($CFG->skiplangupgrade)) {
// Define it only if we aren't skipping lang upgrades.
define('TOOL_LANGIMPORT_REMOTE_TESTS', true);
}
AdoDB SQL*Server drivers tend to modify some error and
logging preferences. As far as the connection is shared
with the main one, that implies that those settings
remain for the whole remaining execution.
We don't want this in tests, because it can affect other
tests at a distance.
We are fixing this here, only for tests, because it
doesn't affect normal requests and because, once we
remove AdoDB this won't be needed anymore.