reduce verbosity

CSP: add connect-src default rule

revert premature commit affecting all sites

add autocomplete hint as suggested by chrome

Add new column 'public_avatar_p' to the 'user_preferences' table, in order to allow the user to decide whether to make the avatar (profile picture) public to other users or not, with a conservative default, false. Add also a simple API to get/set that value and bump acs-kernel version number.

file avatar-procs.tcl was initially added on branch oacs-5-10.

    • -0 / +0  /openacs-4/packages/acs-subsite/tcl/avatar-procs.tcl
file avatar-procs.xql was initially added on branch oacs-5-10.

    • -0 / +0  /openacs-4/packages/acs-subsite/tcl/avatar-procs.xql
regenerated adp files

Allow to filter members by relationship type

fix invalid HTML (closing INPUT tag is not allowed)

    • -1 / +1  /openacs-4/packages/dotlrn/www/spam-2.adp
fix invalid markup

follow usual indentation

Force xowiki.css to be loaded sooner than css from the theme, so we have a chance to override its styling

whitespace changes

address issue #3384

Allow new 'publish_status' action button to be specified in form-usages includelet, similar to what we have in xowiki/www/admin/list

Introduce a new option for form-usages includelet which, similar to child resources, allows to specify bulk actions (currently, only 'export' is implemented)

report server tag name as well to get precise version info

Add '-delete' flag to 'ad_parameter_cache' in 'parameter::set_value', to delete the value from cache before setting, making the value coherent amongst threads (thanks Antonio for the fix).

make code more robust when exposed to hacking attacks

keep chain on session_ids in case the sessions change

comment out and/or drop references to money to address issue #3381

Default value for "sign" in export vars should be empty, and not "0"

- relax strict error handling on export_vars_sign for the time being

Fix regression in 'if_no_rows' idiom for db_foreach, document alternative syntax, create a test for db_foreach main functionalities

simplify and fix subst operation

distinguish between "install" and "upgrade" in heading and explanation text

- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing context, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.
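The strict/lax/none choice described in the commit message above, shown as an added Python example that is not code from OpenACS or NaviServer: a small builder for a Set-Cookie header value that mirrors the "-samesite" options, and an audit routine that parses Set-Cookie lines (constructed sample headers, not real server output) and reports cookies that lack SameSite or HttpOnly. All function names are hypothetical. The check that SameSite=None must be paired with Secure goes beyond the commit message; it reflects current browser behaviour, where such cookies are rejected.

```python
# Constructed sample Set-Cookie lines for the audit below (not real server output).
SAMPLE_HEADERS = [
    "Set-Cookie: ad_session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: ad_user_login=u42; Path=/; HttpOnly",
    "Set-Cookie: tracker=xyz; Path=/; SameSite=None",
    "Set-Cookie: lang=en; Path=/; SameSite=lax",
]

# The three values the commit message names for the -samesite flag.
VALID_SAMESITE = {"strict", "lax", "none"}


def build_set_cookie(name, value, samesite="strict", secure=True, httponly=True, path="/"):
    """Hypothetical helper: build a Set-Cookie header value with a SameSite
    attribute, defaulting to Strict as the commit does for signed cookies."""
    if samesite not in VALID_SAMESITE:
        raise ValueError(f"invalid SameSite value: {samesite}")
    if samesite == "none" and not secure:
        # Browsers reject SameSite=None cookies that are not also Secure.
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    parts.append(f"SameSite={samesite.capitalize()}")
    return "; ".join(parts)


def parse_set_cookie(line):
    """Parse one 'Set-Cookie: ...' line into (cookie name, attribute dict).
    Attribute names are lower-cased; flag attributes map to True."""
    body = line.split(":", 1)[1].strip() if line.lower().startswith("set-cookie:") else line
    pieces = [p.strip() for p in body.split(";")]
    name = pieces[0].split("=", 1)[0]
    attrs = {}
    for piece in pieces[1:]:
        if "=" in piece:
            k, v = piece.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif piece:
            attrs[piece.lower()] = True
    return name, attrs


def audit_cookie(line):
    """Return (name, findings) for one Set-Cookie line; an empty list means
    the cookie carries SameSite and HttpOnly and the combination is valid."""
    name, attrs = parse_set_cookie(line)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite (browser default applies)")
    else:
        ss = samesite.lower()
        if ss not in VALID_SAMESITE:
            findings.append(f"unknown SameSite value {samesite!r}")
        elif ss == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure (modern browsers reject it)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    return name, findings


def audit_headers(lines):
    """Audit a list of Set-Cookie lines; returns {cookie name: [findings]}."""
    return {name: findings for name, findings in (audit_cookie(l) for l in lines)}


if __name__ == "__main__":
    print(build_set_cookie("ad_session_id", "abc123"))
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

Running the audit over response headers captured from a staging server is a quick way to confirm that session and login cookies actually picked up the new attribute after the upgrade, and to spot cookies that were left on the browser default.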

Bring files on oacs-5-10 in sync with HEAD

    • -13 / +0  /openacs-4/packages/chat/lib/transcripts.xql
whitespace and spelling changes