Make ajax get_string work for logged-out users

Bug #1476925 reported by Aaron Wells
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Medium
Aaron Wells
15.10
Fix Released
Undecided
Unassigned

Bug Description

With Bug #1450995 We added a "get_string_ajax()" javascript method which lets you load up Mahara language strings using Ajax, after the page is done loading.

However, it only works for logged-in users. I think eventually this is going to cause us some problems, because we're going to forget about that limitation and use this method for some action which is also accessible to logged-out users. So in the long run it's probably best to make it work the same whether you're logged in or logged out.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

We had a discussion about whether there would be any additional security risk in making this action accessible to logged-out users. I think it would be safe. Here's my analysis:

1. The "section" argument is used as a portion of a filename, but it's limited to specific directories and filtered to the characters [-_.A-Za-z0-9], and the filename will have ".php" added to the end, so that's pretty safe.

2. You can use a parameterized string to generate an arbitrary JSON response (i.e. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/lang/get_string.php?section=mahara&string=deletespecific&args[]=%3Cscript%20type=%22text/javascript%22%3Ealert%28%27hey!%27%29%3C/script%3E ), but the response header has "Content-Type: application/json", so the browser won't parse any HTML or Javascript in the response if you hit it directly. So that's pretty safe.

So in the end, it seems like the biggest risk here is that you could use this string to find out the value of every language string in the site. The only scenario I can think of where that would cause a problem is if a site is using custom language strings, and putting sensitive data into them. Like "Welcome to Wells University! Remember, everyone's default password is 'password123'!".

But that seems like a really bad idea anyway, so I don't think it's a scenario we need to worry about too much.
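The two properties the analysis above relies on, sketched as an added example in PHP (this is not Mahara's get_string.php; the directory names, the allowed-directory list and the sprintf-style argument substitution are assumptions):

```php
<?php
// Added example, not Mahara's own code. Models the two safety properties
// from the analysis: the "section" name is restricted to [-_.A-Za-z0-9]
// and confined to known directories, and the response is sent as JSON.

// Character whitelist quoted in the bug comment.
const SECTION_PATTERN = '/^[-_.A-Za-z0-9]+$/';

/**
 * Resolve a user-supplied "section" to a language file, or return null.
 * Only whitelisted characters are accepted, ".php" is appended, and the
 * resolved path must stay inside one of $allowed_dirs (assumed list),
 * so a name like ".." cannot escape even though "." is permitted.
 */
function resolve_lang_file(string $section, array $allowed_dirs): ?string
{
    if (!preg_match(SECTION_PATTERN, $section)) {
        return null;
    }
    foreach ($allowed_dirs as $dir) {
        $base = realpath($dir);
        $candidate = realpath($dir . DIRECTORY_SEPARATOR . $section . '.php');
        // realpath() returns false for a missing file, which also rejects it.
        if ($base !== false && $candidate !== false
            && strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0) {
            return $candidate;
        }
    }
    return null;
}

/**
 * Emit a formatted language string as JSON. The Content-Type header is what
 * keeps a direct hit on the endpoint from being rendered as HTML when the
 * caller-controlled $args carry markup; nosniff and the JSON_HEX_* flags
 * are defence in depth on top of that.
 */
function send_json_string(string $template, array $args): void
{
    $text = vsprintf($template, $args);   // assumed substitution style
    header('Content-Type: application/json');
    header('X-Content-Type-Options: nosniff');
    echo json_encode(
        ['message' => $text],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Example use with assumed directories:
// $file = resolve_lang_file($_GET['section'] ?? '', ['lang/en.utf8', 'local/lang/en.utf8']);
```

With the assumed directories, a request whose section is "../en.utf8" fails the regex outright, and a section that passes the regex but does not resolve to a file under an allowed directory is rejected by the path check.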

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/5003

Revision history for this message
Aaron Wells (u-aaronw) wrote :

To test:

1. Add this to the bottom of index.tpl:

<h1 id="putithere">Test: </h1>
 {include file="footer.tpl"}
<script>
jQuery(function() {
    jQuery('#putithere').append(get_string_ajax('youhaveviews','view','5'));
});
</script>

2. Log out of Mahara
3. View the Mahara home page

Expected result: At the bottom of the page, you'll see: "Test: You have 5 pages."
Actual result: At the bottom of the page you just see "Test:"

tags: added: behatnotneeded
Revision history for this message
Aaron Wells (u-aaronw) wrote :

Correction to the previous comment. You should add this to the bottom of index.tpl instead:

<h1 id="putithere">Test: </h1>
<script>
jQuery(function() {
    jQuery('#putithere').append(get_string_ajax('youhaveviews','view','5'));
});
</script>

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/5003
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/a8deec91f7cb7c9b53d7ffa9f16097d2bf11ba56
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit a8deec91f7cb7c9b53d7ffa9f16097d2bf11ba56
Author: Aaron Wells <email address hidden>
Date: Wed Jul 22 17:52:56 2015 +1200

Let get_string_ajax() work for logged-out users (Bug 1476925)

(behatnotneeded)

Change-Id: I0fb5a8cd2f35afbcfa86ed21560a72cf40112c72

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released