FlightPath 6.x-6.7

Referenced project: 
Release version: 
Release type: Bug fixes and new features
Release notes: 

In addition to patching a privacy vulnerability (only exploitable by logged-in users, not anonymous users), this release also contains new features and bug fixes:

Added more permissions and security checks when accessing files and content, especially if the user is a student and just trying out
URLs. We make sure they do not have access to any content, comments, or files they aren't supposed to see.

Added icon for encryption module, removed old, unused settings from hook_menu items throughout FlightPath.

Adding new module to core: encryption, and setting up key variable in settings.php on installation (giving it a random string value at the time of

Adding ability to save all content files as encrypted, and properly decrypt them for the end user, based on whether the user has permission to view
the original content it was attached to.

Adding ability to have encrypted files for content_files. Also, that table tells which piece of content the file belongs to, if any.

Made it so if $content->title is unset, false, or null, then on save we give a simple default value. This is to avoid a MySQL integrity
constraint violation, where the title cannot be null.

Altered engagements so that received files (via email or SMS) go to temp directory on server first, before we then attach them to a piece
of content via its cid in the content_files table.

Fixed minor sorting issue on Engagements main tab screen.

Altered content module's install so that is_encrypted and cid are both in the table, so we can figure out which piece of content (and therefore, permissions)
the file is related to.

Added a strip_tags() call in course_search module, just to make sure we do not display dangerous user-supplied input.

Stored results of content_get_types() in a simple GLOBALS cache to reduce the number of times we look for it.

Altered Calendar module to include instructions for de-authorizing Zoom.

Fixed bug in Calendar where Zoom was hardcoded to look for user 1 (admin) tokens.

Moved all Zoom functionality into its own (private) module called zoomapi. Updated other core modules to adjust and check for zoomapi before trying to call

Fixed bug in system_enable_module() where status was being sent the schema value instead of "1"

Cleaned up old comments.

Fixed bug where we were determining a course's transfer eqv. It was failing even though the source hours were within the range
of min and max hours. (We were only looking at == max hours, rather than a range from min to max).

Fixed bug so that the "mini search" at top of the screen will cause the Students tab to "remember" last search.

Added concept of "return to student" to the top nav of all pages, so you can quickly return to the last student you had pulled up.
This only works for faculty users with something in $_SESSION['last_student_selected'].

Added "E" to default enrolled grades, and "F,W,I" to default retake grades.

We now log (as WATCHDOG_DEBUG) when user tries to access a page and gets either a 404 Not Found or 403 Access Denied.

Suppress rare warning when calling session_destroy().

Adding some extra instructions for the edit groups page.

Fixed bug where courses worth less than 1 credit hour were not showing as repeatable in groups, even when the "set catalog repeats" box was checked.

Adding concept of "delete_flag" to advising_sessions table, similar to the advising_comments table. Also added permission to let users delete advising sessions
for up to 3 months after posting, again, similar to the comments module.

Updated comments module to make sure only the original author of a comment can delete it.

Added extra protection in our _fp_error_handler to not accidentally log passwords in plaintext.

Fixed small bug in viewing watchdog entries where page was set to 1, always sending us to the second page
of results if we clicked the Watchdog breadcrumb.

Added code to create /custom/files/content_uploads/ folder. Updated content module and engagements module
to place uploaded files there.

Fixed spelling of "README" file.

In calendar, when parsing ical feeds, we now correctly ignore time marked as "free" (transp == TRANSPARENT in the event). Also fixed bug where you couldn't schedule appointments
on the exact start and stop hour of a date's availability window (based on the "default" setting for that unavail time).

Altered the way Zoom API works to better support api specs for Zoom marketplace apps.

If SMS is not enabled, then txt messages cannot be selected as a default notification method.

Added more watchdog (debug) statements having to do with checking IMAP server for messages.
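
The content_files entries above describe files that are stored encrypted, tied to a piece of content by cid, and decrypted only for users who may view that content. The following is an added example of that pattern, not FlightPath's own code: the function names, the $can_view callback, the AES-256-GCM blob layout, deriving the key from the settings.php string with SHA-256, and denying files that have no cid are all assumptions.

```php
<?php
// Added illustration only: names, cipher choice and key derivation are
// assumptions, not FlightPath's implementation.

// Encrypt file bytes with AES-256-GCM; stored blob is nonce || tag || ciphertext.
function demo_encrypt(string $plain, string $key): string {
  $nonce = random_bytes(12);
  $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
  return $nonce . $tag . $ct;
}

// Returns the plaintext, or null if the blob is malformed or fails authentication.
function demo_decrypt(string $blob, string $key): ?string {
  if (strlen($blob) < 28) return null;   // too short to hold a nonce and a tag
  $nonce = substr($blob, 0, 12);
  $tag   = substr($blob, 12, 16);
  $ct    = (string) substr($blob, 28);
  $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
  return $plain === false ? null : $plain;
}

// Return file bytes only if the user may view the content the file belongs to.
// $can_view is a hypothetical callback: fn(int $uid, int $cid): bool.
function demo_serve_file(array $file_row, int $uid, callable $can_view, string $key): ?string {
  $cid = (int) ($file_row['cid'] ?? 0);
  // Assumption: a file with no owning content has no permission to inherit,
  // so it is denied by default rather than served.
  if ($cid <= 0 || !$can_view($uid, $cid)) return null;
  $bytes = $file_row['data'];
  return !empty($file_row['is_encrypted']) ? demo_decrypt($bytes, $key) : $bytes;
}

// Constructed sample data: one encrypted file attached to content 42.
$key = hash('sha256', 'constructed-random-string-from-settings', true);
$row = ['fid' => 7, 'cid' => 42, 'is_encrypted' => 1,
        'data' => demo_encrypt('advising note', $key)];
$acl = [42 => [1001]];   // cid => user ids allowed to view that content
$can_view = fn(int $uid, int $cid): bool => in_array($uid, $acl[$cid] ?? [], true);

var_dump(demo_serve_file($row, 1001, $can_view, $key));   // permitted viewer
var_dump(demo_serve_file($row, 2002, $can_view, $key));   // logged-in user guessing the URL
var_dump(demo_serve_file(['cid' => null, 'data' => 'x'], 1001, $can_view, $key)); // orphaned file
```

The permission decision is made before any decryption, so a request that fails the check never touches the key or the plaintext.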