added URL for version checking to see if a newer version is available from the CDN

Added site-wide admin pages for xowf

This makes it easy for admins to locate the site-wide pages

(pages, which can be used in all xowf instances)

file index.adp was initially added on branch oacs-5-10.

file index.tcl was initially added on branch oacs-5-10.

Improved simple setups and usability for novices:

- turn off production mode by default, such that users see the pages they create immediately

- added a menu entry by default to add an exam folder. This eases testing for users of the test item family of features

Extend test suite

when testing FormPage validation, make sure two distinct behaviors are respected:

1) Rejected values that were part of the request are kept in their original form fields so the user can rework them and resubmit

2) Other parts of the page, such as the page title, are NOT influenced by data that failed to validate

Rationale: displaying unvalidated information as part of the response can be interpreted as a page injection.

In the current codebase, the fact that the title was changed indicates that rejected information made its way into the :title object member of the FormPage.

The potential consequences of the FormPage setting unvalidated information into its members depend on a number of factors such as formfield logic, callbacks and proper page quoting (to name a few).
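The two behaviours this test checks, as an added example that is not xowiki's FormPage implementation: form-field state keeps whatever was submitted so it can be redisplayed (escaped), while page members such as the title are only updated from a submission that validated as a whole. FormPage, handleSubmit, escapeHtml, the validator names and the request objects are all constructed for illustration.

```javascript
// Added example, not xowiki's FormPage: a minimal form handler showing that
// rejected values stay in their fields for rework while page members such as
// the title are never set from data that failed validation.
// All names and request objects here are hypothetical/constructed.

// Escape HTML-significant characters before a request value is echoed back
// into markup, so redisplaying a rejected value cannot inject page content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validators return null for an acceptable value, otherwise an error message.
const validators = {
  nonEmpty: (v) => (v.trim() === '' ? 'must not be empty' : null),
  integer: (v) => (/^-?\d+$/.test(v) ? null : 'must be an integer'),
};

class FormPage {
  constructor(title, fields) {
    this.title = title;       // page-level member, updated only from valid data
    this.fields = fields;     // [{ name, validator }]
    this.fieldValues = {};    // form-field state: may hold invalid submitted data
  }

  // Process one submission and return what a template would render.
  handleSubmit(request) {
    const errors = [];
    for (const { name, validator } of this.fields) {
      const raw = Object.prototype.hasOwnProperty.call(request, name) ? String(request[name]) : '';
      // Behaviour 1: the field keeps what was submitted, valid or not, so the
      // user can rework it and resubmit.
      this.fieldValues[name] = raw;
      const error = validators[validator](raw);
      if (error !== null) errors.push({ name, error });
    }
    // Behaviour 2: members outside the form fields are only touched when the
    // whole submission validated; a rejected "title" value never reaches this.title.
    if (errors.length === 0 && this.fields.some((f) => f.name === 'title')) {
      this.title = this.fieldValues.title;
    }
    return this.render(errors);
  }

  // Build the data a template would render; every echoed value is escaped.
  render(errors) {
    const fields = this.fields.map(({ name }) => {
      const hit = errors.find((e) => e.name === name);
      return { name, value: escapeHtml(this.fieldValues[name] || ''), error: hit ? hit.error : null };
    });
    return { title: this.title, fields, ok: errors.length === 0 };
  }
}
```

The split between `fieldValues` (allowed to carry invalid data for redisplay) and `title` (page state) is the point: the page can show the user what was rejected without that data influencing anything else in the response.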

Replace permission::require_write_permission with permission::require_permission across the calendar package

Rationale: permission::require_write_permission assumes the object creator to have write permission on the object. Instead, we should rely on permissions to be set correctly on the calendar. permission::require_write_permission also performs an additional query to retrieve the object creator.

It is unclear whether permission::require_write_permission makes sense at all as an api, but we leave this to a future post-release reform.
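The difference the commit above describes, as an added example that is not the OpenACS permission API: a check that treats the object creator as implicitly writable (and needs an extra lookup to find the creator) beside one that consults the recorded grants only. The grant table, the objects and the user names are constructed, and the function names are hypothetical stand-ins for permission::require_write_permission and permission::require_permission.

```javascript
// Added example, not OpenACS code: implicit creator rights versus grants-only
// authorization. Grant table, objects and users are constructed; function
// names are hypothetical stand-ins for the OpenACS procs named in the commit.

class PermissionError extends Error {}

// Constructed grant table: "objectId|userId" -> privileges granted on it.
const grants = new Map([
  ['calendar:42|alice', new Set(['read', 'write'])],
  ['calendar:42|bob', new Set(['read'])],
]);

// Constructed objects, each recording its creator as an acs_object does.
const objects = new Map([
  ['calendar:42', { creationUser: 'carol' }],
]);

function hasPermission(userId, objectId, privilege) {
  const granted = grants.get(`${objectId}|${userId}`);
  return granted !== undefined && granted.has(privilege);
}

// The pattern being replaced: an extra lookup fetches the creator, who then
// passes regardless of what the grants on the calendar say.
function requireWritePermissionLegacy(userId, objectId) {
  const object = objects.get(objectId);
  if (object === undefined) throw new Error(`unknown object ${objectId}`);
  if (object.creationUser === userId) return true; // implicit creator right
  if (!hasPermission(userId, objectId, 'write')) {
    throw new PermissionError(`${userId} may not write ${objectId}`);
  }
  return true;
}

// The replacement: grants are the only source of truth and the caller names
// the privilege it actually needs.
function requirePermission(userId, objectId, privilege) {
  if (!hasPermission(userId, objectId, privilege)) {
    throw new PermissionError(`${userId} lacks ${privilege} on ${objectId}`);
  }
  return true;
}

// Convenience for comparing the two checks without try/catch at every call.
function isAllowed(check, ...args) {
  try {
    return check(...args);
  } catch (e) {
    if (e instanceof PermissionError) return false;
    throw e;
  }
}
```

With the grants above, carol (the creator, holding no grant) passes the legacy check but not the grants-only one; that gap is exactly what makes the creator shortcut hard to reason about when permissions are administered on the calendar itself.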

Reduced attack vectors for query and form variables while keeping semantics

- improve form_parameter and query variable validation

- partly revert change: it is intentional that in case of validation errors, the instance variables of the in-memory object contain invalid data in order to be able to show the user the invalid data in the form.

- prefer "string first" idiom over regular expression

fix typo

Move test from acs-kernel to acs-tcl, add remarks

Fix typo

Bring the logic to parse a datetime from lc_time_fmt into its own private utility lc_datetime_to_clock and reuse it also when we convert from one timezone to another

Test corner case encountered in practice: a user claims a timezone different from that of the system and creates a calendar item in various formats

This test currently fails, because when we convert the time between the user and the system timezone, we are too strict and allow only the "long" timestamp format "%Y-%m-%d %H:%M:%S"

Also allow dates in the "short" time format, as they may be supplied to the api in such form, e.g. by the calendar package
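The corner case from the commits above, as an added example that is not the OpenACS lang package: a datetime-to-clock helper that accepts both the "long" (%Y-%m-%d %H:%M:%S) and the "short" (%Y-%m-%d %H:%M) format and converts a user-supplied value between the user's and the system's timezone. Timezones are modelled as fixed offsets from UTC in minutes, which is a constructed stand-in (real zones with DST need a tz database), and the function names only mirror the commit message.

```javascript
// Added example, not the OpenACS lang package: parse "long" or "short"
// datetimes and convert between timezones modelled as fixed UTC offsets in
// minutes (constructed stand-in for real zones). Names are hypothetical.

const LONG_FMT = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/;
const SHORT_FMT = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2})$/;

// Parse text as wall-clock time at the given offset; return seconds since epoch.
function lcDatetimeToClock(text, offsetMinutes) {
  const m = LONG_FMT.exec(text) || SHORT_FMT.exec(text);
  if (m === null) throw new Error(`unsupported datetime format: ${text}`);
  const [year, month, day, hour, minute] = m.slice(1, 6).map(Number);
  const second = m[6] === undefined ? 0 : Number(m[6]);
  // Date.UTC silently normalises out-of-range fields (Feb 30 -> Mar 2), so
  // compare the result with the input to reject impossible dates.
  const ms = Date.UTC(year, month - 1, day, hour, minute, second);
  const d = new Date(ms);
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 ||
      d.getUTCDate() !== day || d.getUTCHours() !== hour ||
      d.getUTCMinutes() !== minute || d.getUTCSeconds() !== second) {
    throw new Error(`invalid datetime: ${text}`);
  }
  // The fields were interpreted as UTC; shift by the offset to the true instant.
  return ms / 1000 - offsetMinutes * 60;
}

// Format an instant as a "long" datetime in the given offset.
function clockToLcDatetime(epochSeconds, offsetMinutes) {
  const d = new Date((epochSeconds + offsetMinutes * 60) * 1000);
  const p = (n) => String(n).padStart(2, '0');
  return `${d.getUTCFullYear()}-${p(d.getUTCMonth() + 1)}-${p(d.getUTCDate())} ` +
         `${p(d.getUTCHours())}:${p(d.getUTCMinutes())}:${p(d.getUTCSeconds())}`;
}

// Re-express a user-supplied datetime (either format) in another timezone.
function convertTimezone(text, fromOffsetMinutes, toOffsetMinutes) {
  return clockToLcDatetime(lcDatetimeToClock(text, fromOffsetMinutes), toOffsetMinutes);
}
```

Accepting the short format at the parsing step is what lets a calendar item created at "14:30" in the user's zone convert correctly instead of being rejected; the round-trip check after Date.UTC is there because lenient parsers otherwise turn an impossible date into a plausible one.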

Fixes lang_test__lc_procs automated test

Extend test suite to check that also dates in the "short" time format are supported

This test will fail

Extend test cases

Assume a cal_item is also an acs_object

Qualify source tables in query

Extend testing of data validation

removed obsolete code

update CDN source

The previous CDN site stopped working

generalized handling of error pages in disconnected stage

Cleanup leftover library: latest javascript assumes XMLHttpRequest is supported

Reimplementation of the captcha

We drop the previous awkward implementations that would either not scale or require external dependencies. Instead, we adopt the approach in use at https://fossil-scm.org/, where a random string is converted to an ASCII art.

The ASCII art itself comes from the Fossil source code.

Fix selector for the click all list callback

Chat reform

The goal of these changes is to reduce the "mode" specific javascript code in the chat implementation and reduce server-side guessing of browser capabilities.

- In the MessageRelay class from xotcl-core, we rework the javascript code sent to the connection when doing scripted streaming to make fewer assumptions about the functions defined in the parent scope

- In the chat code from xowiki, we move most of the logic to guess the mode into javascript, where we can test the actual capabilities of the browser without relying on the user agent

- The 4 javascript files previously dependent on the chat mode have been made into one

When the mode is "streaming", use Server-Sent Events instead of a "plain" endless request

This has the advantage of a clearer, less hacky api, which, for instance, does not require manual parsing of the partial response.
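What the browser's EventSource does for a streaming chat client, as an added example that is not the xowiki chat or MessageRelay code: the event framing a relay would emit, and an incremental parser for that framing, which is the part a "plain" endless request forced the client to do by hand on partial responses. The message contents and the function names (encodeSseEvent, SseParser) are constructed for illustration.

```javascript
// Added example, not xowiki/xotcl-core code: Server-Sent Events framing as
// a relay would emit it, plus the incremental parsing that EventSource
// performs in the browser. Names and sample messages are constructed.

// Encode one event. Data is split on newlines into several "data:" lines so
// that a chat message containing line breaks cannot terminate the frame early.
function encodeSseEvent(data, { event, id } = {}) {
  let frame = '';
  if (event !== undefined) frame += `event: ${event}\n`;
  if (id !== undefined) frame += `id: ${id}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) frame += `data: ${line}\n`;
  return frame + '\n'; // blank line ends the event
}

// Incremental parser: feed arbitrary chunks, get back only complete events.
class SseParser {
  constructor() {
    this.buffer = '';
    this.lastEventId = ''; // persists across events, as EventSource does
  }

  feed(chunk) {
    this.buffer += chunk;
    const events = [];
    let idx;
    // A blank line terminates an event; both \n and \r\n line ends are accepted.
    while ((idx = this.buffer.search(/\r?\n\r?\n/)) !== -1) {
      const block = this.buffer.slice(0, idx);
      this.buffer = this.buffer.slice(idx).replace(/^\r?\n\r?\n/, '');
      const ev = this.parseBlock(block);
      if (ev !== null) events.push(ev);
    }
    return events;
  }

  parseBlock(block) {
    let event = 'message';
    let id = this.lastEventId;
    const data = [];
    for (const line of block.split(/\r?\n/)) {
      if (line === '' || line.startsWith(':')) continue; // comment / keep-alive
      const colon = line.indexOf(':');
      const field = colon === -1 ? line : line.slice(0, colon);
      let value = colon === -1 ? '' : line.slice(colon + 1);
      if (value.startsWith(' ')) value = value.slice(1); // one leading space is stripped
      if (field === 'event') event = value;
      else if (field === 'data') data.push(value);
      else if (field === 'id' && !value.includes('\u0000')) { id = value; this.lastEventId = value; }
      // other fields are ignored
    }
    if (data.length === 0) return null; // nothing to dispatch (e.g. keep-alive only)
    return { event, id, data: data.join('\n') };
  }
}

// In a browser the same parsing is built in; a chat client needs only:
//   const es = new EventSource('/chat/stream');            // hypothetical URL
//   es.addEventListener('chat', (e) => showMessage(e.data));
```

The `id` field and `lastEventId` are what make reconnection cheap: a client resuming after a dropped connection can tell the relay which message it last saw instead of re-reading a growing partial response.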

Cleanup leftover method: its logic was moved to the MessageRelay class

Prefer portable idiom

Replace deprecated idiom