• last updated 16 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Improve visualization of test info

Relax test condition:

make sure potential injections are not rendered on the page response.

Added dotlrn-bootstrap3-theme as default and use it instead of the outdated one

    • -0
    • +3
    /openacs-4/packages/dotlrn/install.xml
Added dotlrn-bootstrap3-theme to modules and to dotlrn-all

improved spelling

Improved navigation bar menu structure

Before, the "admin" pulldown contained item "Advanced", which was pretty

unclear. The new label for the subsite administration is now "Subsite Adminsitration".

Upgrade timezone data to tzdb-2024a (Released 2024-02-01) from IANA

The last update of the timezone data of OpenACS happened on Sep 29,

2015 in the release process of OpenACS 5.9.0. The new timezone data is

based on the newest released data from IANA reflecting the changes

made by political bodies to time zone boundaries, UTC offsets, and

daylight-saving rules. The procedures to update the database are

described in RFC 6557 (https://www.rfc-editor.org/rfc/rfc6557.html)

and contains data for e.g. Europe up to the year 2499.

reduced verbosity

bumped version number of upstram package to 1.11.3

Removed "-debug" flag

improved robustness of "try_cache"

Added handling of "-per_request" option

Made "ad_find_all_files" more robust when some subdirectory has too restrictive permissions

Previously, on some OS, Tcl's "glob" command was returning file names,

also, when the permissions should not allow it (macOS), while one

other systems, it raised an error (Linux). The problem is that

"ad_find_all_files" raises an error during startup, not all files are

found, and e.g. some of the files (like e.g. .xql) are not picked up,

... and as a consequence, strange things happen.

With this change, loading is more robust. Now, warnings are issued instead of exceptions.

Silence potentially confusing warning during first installation

Improved consistency of appearance, when multiple CSS toolkits are in use

- This change makes sure that consistently [::xowiki::CSS toolkit] is

used instead of accessing the package parameter

"PreferredCSSToolkit" directly. This change is necessary for

handling e.g. of the parameter setting "default"

consistently. Previously, a "default" value could result in loading

the obsolete YUI .js and .css files.

- When "menu_entries" have multiple "config" entries, use the last one.

    • -5
    • +11
    /openacs-4/packages/xowiki/tcl/folder-procs.tcl
Extended site-wide admin page to include link for site-wide pages

Adding a link to site-wide admin pages makes it easier for admins to locate

the site-wide pages (pages, which can be used in all xowiki instances)

Added link to parameter page in xowiki/admin page if it exists

This is a change to ease usage for novices. The "admin" pages should be replaced

in the future, but for the time being, it helps for site-admins to understand,

how to change which parameter value to obtain the desired results.

Extended "Page.copy_content_vars" with a "-except" parameter

This change makes it possible to use values from template pages

without changing the name of the target page. This change also

introduces a small modernization to use dicts instead of arrays.

    • -7
    • +14
    /openacs-4/packages/xowiki/tcl/xowiki-procs.tcl
added URL for version checking to see, if a newer version is available from the CDN

Added site-wide admin pages for xowf

This makes it easy for admins to locate the site-wide pages

(pages, which can be used in all xowf instances)

file index.adp was initially added on branch oacs-5-10.

    • -0
    • +0
    /openacs-4/packages/xowf/www/sitewide-admin/index.adp
file index.tcl was initially added on branch oacs-5-10.

    • -0
    • +0
    /openacs-4/packages/xowf/www/sitewide-admin/index.tcl
Improved simple setups and usability for novices:

- turn off production mode per default, such that users see the pages they create immediately

- added a menu-entry per default to add exam folder. This eases testing for users of the test item family of features

    • -3
    • +4
    /openacs-4/packages/xowf/tcl/xowf-procs.tcl
Extend test suite

when testing FormPage validation, make sure two distinct behaviors are respected:

1) Rejected values that were part of the request are kept into their original form fields so the user can rework them and resubmit

2) Other parts of the page, such as the page title, are NOT influenced by data that faild to validate

Rationale: displaying unvalidated information as part of the response can be interpreted as a page injection.

In current codebase, that the title was changed indicates, that rejected information made its way into the :title object member of the FormPage.

The potential consequences of the FormPage setting unvalidated information into its members depends on a number of factors such as formfield logics, callbacks and proper page quoting (to name a few).

Replace permission::require_write_permission with permission::require_permission across the calendar package

Rationale: permission::require_write_permission assumes the object creator to have write permission on the object. Instead, we should rely on permissions to be set correctly on the calendar. permission::require_write_permission also performs an additional query to retrieve the object creator.

It is unclear whether permission::require_write_permission makes sense at all as an api, but we leave this to a future post-release reform.

    • -3
    • +11
    /openacs-4/packages/calendar/www/cal-item-view.tcl
Reduced attack vectors for query and form variables while keeping semantics

- improve form_parameter and query variable validation

- revert partly change: it is intentional that in case of validation errors, the

instances variables of the in-memory object contain invalid data in order

to be able to show the use the invalid data in the form.

- prefer "string first" idiom over regular expression

fix typo

Move test from acs-kernel to acs-tcl, add remarks

Fix typo

Bring the logics to parse a datetime from lc_time_fmt into an own private utility lc_datetime_to_clock and reuse it also when we convert from one timezone to another

Test cornercase encountered in practice: a user claims a timezone different to that of the system and creates a calendar item in various formats

This test currently fails, because when we convert the time between the user and the system timezone, we are too strict and allow only the "long" timestamp format "%Y-%m-%d %H:%M:%S"