Currently only one custom theme may be uploaded per site, saved with the name 'custom' and stored into the local/themes subdirectory.
Administrators can upload a .ZIP archive containing a theme through the design admin panel; its contents are validated to ensure that only legit files are saved, and a 5M size quota is enforced.
Theme upload requires the zip extension for PHP; if not present, theme uploading is disabled by default.
Uploading and the custom CSS can be controlled via $config['theme_upload']['enabled'] and $config['custom_css']['enabled'].
Configurable directory/path/server for 'local' subdirectory (currently only as used for themes; local plugins not yet switched over)
Can set $config['local']['dir'] etc; not currently exposed in the admin panels.
Per-site directories on a separate themes server could be set up such as:
$config['local']['dir'] = '/path/to/themes/local/' . $_nickname;
$config['local']['server'] = 'themes.example.com';
$config['local']['path'] = '/local/' . $_nickname;
$config['local']['ssl'] = 'never';
Fixed typo in RedirectingAction when no return-to data provided in form submission.
RedirectingAction::returnToArgs() has been renamed to returnToPrevious() to avoid conflict with Action::returnToArgs() which returns arguments to be passed to other actions as return-to arguments. All callers should now be updated.
More profile settings actions will now redirect through a login form if visited as a GET request, as would be expected from a bookmark, link sent in e-mail etc.
The forms would already submit to SSL, but people are happier if they start on a secure page!
Note: this really should be done for sensitive/all URLs in index.php, but it seems a bit awkward to reconstruct the SSL version of the link atm. Cleanup todo!
I added the statusnet: prefix to the xml output. This prefix should
be declared on the root element of all relevant XML output.
I also added two StatusNet-specific fields:
* statusnet:html - rendered HTML. Clients shouldn't have to guess
at the correct HTML rendering for notices, especially since some
of the links depend on context.
* statusnet:profile_url - profile URL for a user. You can't count
on a user being a local user in a distributed microblogging world.
So, this shows the explicit profile_url.
Note that much of that form is duplicated several times for Twitter, Facebook, and OpenID registrations -- these need to be refactored to avoid having multiple out-of-sync copies of code and messages.
Refactored some of the returnto handling code. It looks like we have several different ways of handling this in the software, icky!
Marked the session-based functions with fixmes (they'll stomp on other forms when multiple tabs/windows are used) and combined some commonish bits of code between ProfileFormAction and the group block & makeadmin actions where they're using hidden form parameters. Extended that to allow passing dynamic parameters (eg 'page') as well as static ones (action, target user/group).
