Rework the add_editor api so that it won't rely on global templating variables and fix both configuration from defaults and local

Harden the page contract and ensure that:

- for chat rooms in the chat package, only the chat class enforcing permissions is used

- for other chat ids, either the id is an object the user can read, or the user can at least read on the current connection package

Cleanup old parameter on upgraded installations

file apm-callback-procs.tcl was initially added on branch oacs-5-10.

    • -0
    • +0
    /openacs-4/packages/richtext-tinymce/tcl/apm-callback-procs.tcl
file download.tcl was initially added on branch oacs-5-10.

file index.tcl was initially added on branch oacs-5-10.

file index.adp was initially added on branch oacs-5-10.

TinyMCE 7.0.1 integration

We reboot TinyMCE richtext-editor integration to support newest version 7.0.1.

Editor can be served from CDN (requires an API key) or locally, by downloading a distribution via the site-wide admin page of the package.

Editor can be configured either per-website or per-usage, as we do with other editors.

At present, no OpenACS specific features, such as image upload, are provided. Custom plugins from previous versions of this package have also been discontinued.

Notable differences with similar integrations:

- editor configuration is specified as a dict, rather than a list of lists

- current package parameters are global, rather than de-facto global instance parameters

- deprecated configuration from acs-templating is not supported anymore

  1. … 1804 more files in changeset.
harden page_contract

    • -2
    • +2
    /openacs-4/packages/chat/www/room-exit.tcl
Make test more robust in setups where we cache permissions

Cleanup commented code

Only allow valid privileges in the privs parameter

restrict substitution in string

Implement a package-specific page contract filter to collect current (and future) security fixes

Reject frames and iframes in the content

Prevent sneaking symlinks in the content repository

Many thanks to Thomas Rennner and Günter Ernst for analyzing the issue

cr_write_content reform

when serving files, do not trust the content information, as the absolute path to the file can be determined programmatically in this case.

This also reduces divergency between Oracle and Postgres

Fixed issue introduced in OpenACS 5.9.0

The old version did not insert a property value via the sec_session_property__upsert() in PostgreSQL on the initial setting (later updates were OK). The broken version was just adding a tuple and left the "property_value" empty.

Many thanks to Jonathan Kelley for identifying the issue and reporting it.

file upgrade-5.10.1b4-5.10.1b5.sql was initially added on branch oacs-5-10.

Implement a new filter for inclass-exam submissions

When displayed by the print-answers method, allow to filter also for not graded.

    • -10
    • +10
    /openacs-4/packages/xowf/xowf.info
added link to cluster info to acs-admin main page when cluster is enabled

improved spelling

    • -2
    • +2
    /openacs-4/packages/xowf/www/index.vuh
    • -1
    • +1
    /openacs-4/packages/xowiki/xowiki.info
    • -2
    • +2
    /openacs-4/packages/xowiki/www/index.vuh
clean dirty editor buffer

improved spelling

Made startup more robust

- handle not-yet-defined callback procs gracefully

updated version number of jquery (introduced not long ago)

Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readability and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

Made .xql file more consistent by using dot notation

Since the release of 5.10.0, OpenACS for PostgreSQL uses the dot notation for the SQL function acs_permission.permission_p() to ease portability with Oracle.

In general, one has to be careful that during an upgrade from an older OpenACS version (e.g. 5.9.*) directly to 5.10.1 the upgrade process does not depend on the dot notation, otherwise the upgrade will fail.

One should be safe for most UI functions in this respect.

Expand permission test suite to include definition of custom privileges in a couple of setups

Provide an automated test of "advanced" permission features: permission inheritance via group, or via the permission context