Not having ppsx defined here causes WordPress? MU to throw the warning “File type does not meet security guidelines. Try another.” when uploading the file (even when the ppsx file type itself is blessed in WPMU’s admin options).

I’ve reported the bug to WordPress MU Track here:

• #1118: PPSX not defined as valid file in functions.php

Update

The fix isn’t quite so straightforward as just adding .ppsx to the list of valid PowerPoint extensions, because technically PowerPoint Shows for 2007 have their own MIME type:

• application/vnd.openxmlformats-officedocument.presentationml.slideshow

As does PowerPoint 2007:

• application/vnd.openxmlformats-officedocument.presentationml.presentation

Specifying the wrong MIME type for PowerPoint Show files caused WordPress to add a .ppt extension to the file, which played havoc with subsequent downloads. The fix was to specify the MIME type in wp_check_filetype:

• ‘ppsx’ => ‘application/vnd.openxmlformats-officedocument.presentationml.slideshow’

My bug report at WordPress MU was closed because this is technically something that needs to be changed in core WordPress; I’ll be reporting it there shortly.

• #1037 After upgrade, upgrade banner doesn’t disappear (fixed)
• #1048 WPMU 2.8.1 improperly escaping titles of newly created blogs
• #1049 Editing Blog Settings as Admin fails (fixed)

#1049 was fixed within four minutes of me posting the ticket, which is pretty darn cool.

I also encountered an issue with the Admin-SSL plugin and 2.8.1 that sets up an infinite rerewrite of the blog delete URL; I haven’t had a chance to track it down yet, but the author is working on an update of the plugin to get it working properly with 2.8.

The issue appears to be a change in the default settings for the wiki. Making the wiki configuration tweaks described in this Tracker report fixed the problem:

• MDL-10641 Wiki binary files option broken

To start, you need to understand how Moodle tolerates risks based on roles (defined under “Risks” in the Moodle Docs wiki.):

• Guest – only capabilities without any risks are allowed
• Student – certain capabilities with spam risks are allowed
• Teacher – certain capabilities with XSS and privacy risks are allowed
• Administrator – all capabilities are allowed

This is important because any custom roles you’ve created are evaluated based on the legacy role that spawned them. So if you start with a student role, and give it some more advanced teacher-like options that allow XSS capabilities, then Moodle will set a critical warning flag because its exceeded the capabilities normally associated with a student.

I need to doublecheck this, but I think that if you change the legacy role associated with the custom role in question to “teacher”, then your custom capabilities will remain the same, but the report will run against the more permissive teacher role. That said, you may not want to get rid of the warnings (since it is helpful to know what a “super student” role could get themselves into) but at least this write-up should help you understand them.

I’d love to see Moodle create a more user-friendly report that says something like:

• “Your role ‘Teacher Assistant’ is based on the legacy role ‘Student’. By default, students are not allowed to have capabilities that permit Cross Site Scripting (XSS), but your custom role allows the following XSS capabilities” — I’d then include a list of the problem capabilities.

You can contribute to improving the Security Report by reading/commenting on this tracker item:

• MDL-18078: Provide a feedback for the admin in order to explain him/her what to do to fix the security problem rised up by the security report

The problem comes when you try and delete that file — Moodle’s scripts can’t handle the special character, and refuse to allow you to move, delete or otherwise modify the file. Fortunately, a fix is coming in Moodle 1.9.5 thanks to the work of Charles Fulton of Kalamazoo College at Hack/Doc Fest III at Reed College in January 2009.

You can read about it in tracker here:

• MDL-237 Special characters left in filenames after unzipping

A patch is available via tracker. A fix will be available in Moodle 1.9.5.

• MDL-15926: WHen clicking on help for scales in forums, ALL the scales are shown, instead of just one (fixed Moodle 1.9.2, verifiedin 1.9.4+)
• Summaries don’t get imported from the source course to the destination course (fixed in Moodle 1.9.5, but available in the weekly 1.9.4+ builds)

The summaries bug has been kicking around for a long time, and is something we worked on at Hack/Doc Fest II at Kenyon College in June 2008, so it’s nice to see it finally make its way into core.

Details on how to swap out Magpie for SImplePie can be found in Moodle Tracker:

• MDL-7946: Use simplepie instead of magpie for rss parsing

This seems like a no brainer swap to me, but the tracker item could still use some vote love. The tracker doesn’t mention it, but this problem still affects Moodle 1.9.4.

A full rundown and a patch is available in Google tracker; hat tip to Charles Fulton for taking the time to debug this.

http://tracker.moodle.org/browse/MDL-2307

However, we’ve discovered that if you create a Grade Item (via Grades > Choose an Action > Categories & Items > Add Grade Item) and click on the “Scale” drop down menu, you see all the custom scales available on the site.

• Tracker: http://tracker.moodle.org/browse/MDL-16431

Update 12/2/2008

It turns this is a duplicate of an existing bug, which will be fixed in Moodle 1.9.4:

• Tracker: http://tracker.moodle.org/browse/MDL-15926

If you create a page in the Moodle wiki that includes a pound (#) sign, and then edit that page, Moodle truncates the page name, forking it and creating a new page.

The original page continues to display, but when you go to edit it, the new page appears. If you then save changes and return to the initial wiki page, the changes do not appear (because they were made to the truncated page, not the original one).

Add groups into the mix, and it gets even more fun. We spent a good amount of time chasing our tails before we realized what the problem was.

This bug is already documented in tracker by Dean Thayer:

• MDL-17237: Can’t edit a wiki with a # (hash, number sign, pound sign) in it’s name

Our exact case was a little more involved than this. We had people creating new pages that some how got the original text into the new page, which isn’t behavior I saw in my tests. Yet if I look at the initial page for these wiki pages, I can see that they started with the same text as the initial page, and I don’t think the students or instructor copied text over into the new page.

It’s very odd, but I think it all comes back to that blasted # sign.