Mahara 16.04.2

* Bug 1463203: Upgrade Behat to 3.0
 * Bug 1515929: Duplicate records in usr_custom_layout cause fatal crash when copying a collection
 * Bug 1521818: Tagged journal entries block granting access to all entries in the journal
 * Bug 1528351: Block order numbers out of sync with number of blocks in a cell
 * Bug 1528993: Objectionable content URL doesn't work with Clean URL
 * Bug 1529753: Real name is displayed when it shouldn't be
 * Bug 1531987: Review HTTP headers to improve security
 * Bug 1534081: Fullscreen button is missing in embedded Vimeo video
 * Bug 1537912: No login link when "Links and resources" block is present
 * Bug 1542786: Institution statistics don't show proper names
 * Bug 1558361: XSS vulnerability due to window.opener (target="_blank" and window.open())
 * Bug 1510082: Dashboard inbox & notifications not working.
 * Bug 1513716: Intermittent error "Call to a member function StartTrans() on a non-object" when saving a blog post in 15.04
 * Bug 1520011: copying and pasting text with quots is displaying as '"Note"'
 * Bug 1523719: Sorting blocks in column not working correctly
 * Bug 1540722: Behat step for entering text into a dynamically named TinyMCE field
 * Bug 1541174: Update Readme to handle supported Internet Explorer browsers better
 * Bug 1547441: The texte "Image formatting options" is not translable
 * Bug 1556692: Problem with MNet usernames greater than 30 characters, when $CFG->usersuniquebyusername is used
 * Bug 1499572: array to string conversion on SQLExceptions/ADODB_Exceptions
 * Bug 1523499: Broken links in installer
 * Bug 1524601: Speed up minaccept by only linting changed files
 * Bug 1558387: Use $CFG->cacheversion for HTMLPurifier revision number
 * First release candidate for 16.04
 *
 * First release candidate for 1.4
 *
 * Please test and report issues to https://bugs.launchpad.net/mahara
 * Bug 1566366: Session referer check should not be set if using SAML
 * Bug 1415247: Behat uploading a file step is currently broken
 * Bug 1508721: Session setting should be more secure
 * Bug 1509129: Crash when posting a public comment that no one will be notified about
 * Bug 1517478: No button for choose a folder
 * Bug 1560633: Increase column event_log.data to "longtext"
 * Bug 1565669: External video doesn't play when block is on auto-retract
 * Bug 1567100: $user->find_by_username is NOT case insensitive
 * Bug 1567186: Passwords can accidentially end up in logs from badly made plugins
 * Bug 1567784: Session ID's not being regenerated
 * Bug 1570640: Badly setup authinstance can cause 'This Auth plugin has not been initialised' error
 * Bug 1570744: Duplicate session headers not removed in PHP 5.3
 * Bug 1571421: Illegal join expression when searching shared-with-me
 * Bug 1572377: autocomplete / select2 not using current language
 * Bug 1575969: PHP7 exception handler needs to accept Throwables
 * Bug 1503103: When new accounts are created, default storage quota is not applied
 * Bug 1528986: Ojectionable content modal's text box doesn't resize properly
 * Bug 1530606: Internal image slideshow doesn't have "First" and "Last" buttons anymore
 * Bug 1555407: image gallery display bug in Safari 8.0.4
 * Bug 1561239: Remove target="_blank" link from webservices OAuth page
 * Bug 1566127: PHP 5.3 incompatible array declarations
 * Bug 1568631: Allow skins on group homepages
 * Bug 1570667: Image gallery arrow issues with descriptions / dark images
 * Bug 1575955: PHP7 compatibility problems with function parameters
 * Bug 1482473: Reword block position selection combobox
 * Bug 1514641: Blocktype rendering error when artefact is not found
 * Bug 1515473: 15.04 Unit tests fail using MySql
 * Bug 1518842: No Readme.Mahara file for Fontawesome
 * Bug 1553860: Bottom line missing for sent message on first message in sent box
 * Bug 1415247: Behat uploading a file step is currently broken
 * Bug 1561239: Remove target="_blank" link from webservices OAuth page
 * Bug 1575955: PHP7 compatibility problems with function parameters
 * Bug 1566366: Session referer check should not be set if using SAML
 * Bug 1508721: Session setting should be more secure
 * Bug 1560633: Increase column event_log.data to "longtext"
 * Bug 1567100: $user->find_by_username is NOT case insensitive
 * Bug 1567186: Passwords can accidentially end up in logs from badly made plugins
 * Bug 1567784: Session ID's not being regenerated
 * Bug 1570640: Badly setup authinstance can cause 'This Auth plugin has not been initialised' error
 * Bug 1570744: Duplicate session headers not removed in PHP 5.3
 * Bug 1575969: PHP7 exception handler needs to accept Throwables
 * Bug 1503103: When new accounts are created, default storage quota is not applied
 * Bug 1515473: 15.04 Unit tests fail using MySql
 * Bug #1397110 Cannot add image to template files
 * Bug #1415247 Behat uploading a file step is currently broken
 * Bug #1555410 unread email icon in the banner display wrong
 * Bug #1572407 Elasticsearch save config not including artefact/lib.php
 * Bug #1577259 PHP7 fixing dwoo dynamic property references
 * Bug #1578000 "Call to undefined function artefact_instance_from_id()" when deleting a profile icon
 * Bug #1578701 Butons "Select all" "Slect none" in OpenBadge displayer are not translated
 * Bug #1578995 In the skin module the background position of the image cannot be translated
 * Bug #1579628 Modern theme: disappearing password label
 * Bug #1579999 PHP Fatal error: Class 'Session' not found
 * Bug #1581183 Pagination broken in MyFriends block
 * Bug #1581262 Upgrade error with unable to execute install_system_portfolio_view
 * Bug #1582778 Japanese text jumbled when submitted with image
 * Bug #1582934 Navigation not entirely / not visible on iPad
 * Bug #1587474 No indents forum reply fails when the last post has been deleted
 * Bug #1588606 Properly checking if group template is a site template
 * Bug #1588613 Mahara not respecting session lifetime setting from admin config page
 * Bug #1354222 Files within a group aren't deleted after deleting the group
 * Bug #1530702 New messages in inbox aren't displayed in bold in "Inbox" block
 * Bug #1545375 Button border missing when no second button in web services application connections
 * Bug #1548522 Avatars overlap in friends block
 * Bug #1561239 Remove target="_blank" link from webservices OAuth page
 * Bug #1577258 More PHP7 compatibility problems with function parameters
 * Bug #1578512 Escape filenames with quotes in them, in Content-Disposition:attachment headers
 * Bug #1582039 Submitted portfolios don't appear in group pages block automatically
 * Bug #1582472 No moving of long blocks
 * Bug #1582989 Make top line on "Edit" button more visible on certain pages
 * Bug #1583433 "I trigger the cron" behat step doesn't work if you have a non-default urlsecret set.
 * Bug #1588091 StudentID not displayed in content
 * Bug #1590293 Inconsistencies in how we handle $CFG->session_timeout
 * Bug #1590300 Weirdness in edit tabs for site templates
 * Bug #1567152 Undefined property warning on "Find groups" page
 * Bug #1581227 PHP Fatal error: Call to undefined function log_()
 * Bug #1582967 Comment deletion forms & buttons with non-unique IDs
 * Bug #1583435 Make it easier to run one specific feature file
 * Bug #1531610 Clean up inconsistencies in the paginators
 * Bug 1508684: Unserialize untrusted data when importing skins
 * Bug 1565198: "Recent journal entries" block should mention journal context in config
 * Bug 1576643: TinyMCE is not available on the iPad
 * Bug 1580399: Users can login to suspended institutions via external auth under some circumstances
 * Bug 1591304: Can't edit pages if "Users can choose page themes" is enabled.
 * Bug 1591782: Default theme breaks with skin background
 * Bug 1592213: Render issue with Masonry on Skins page
 * Bug 1592236: Sessions: constantly asked to log in to access the Users Admin screen
 * Bug 1596755: Ocean theme - tabbing through unselected sub-menu items
 * Bug 1599305: $USER->get('grouproles') returning values for deleted groups
 * Bug 1599958: Embedly content will not display on profile page
 * Bug 1084336: mnet: mahara doesn't implement kill_child which results in not being logged out when logged out from a remote IdP over mnet
 * Bug 1234615: Not checking artefact permissions before exporting
 * Bug 1588599: PHP 7 unrecoverable errors in 16.04
 * Bug 1591759: Importing leap2a textbox giving error when textbox is empty
 * Bug 1592276: Still SSRF vulnerability in external feed
 * Bug 1595789: "$cfg->urlsecret = null;" doesn't work during installation
 * Bug 1597549: Share access for site wide Profile page error
 * Bug 1598974: Mahara as MNet IDP breaks because of longer session ids
 * Bug 1599373: Don't print "share page" link when viewing site template pages
 * Bug 1599375: Hide default portfolio page site template from site pages sharing list
 * Bug 1600069: See other's profile images one is not meant to
 * Bug 1590626: Field with error is not highlighted on profile wall
 * Bug 1599404: The function "get_mahara_install_subdirectory" doesn't correctly handle a URL with a missing trailing slash
 * Bug 1600668: Google drive folders no longer work in Google Apps block
 * Bug 1537908: Warnings when LDAP server is not available