25 files changed, 811 insertions, 39 deletions

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
 }
 
 /**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
  *
  * Used during installation and saves as a datalist.
  *
+ * Note: Old secrets were hex encoded.
+ *
  * @return mixed The site secret hash or false
  * @access private
  * @todo Move to better file.
  */
 function init_site_secret() {
-	$secret = md5(rand() . microtime());
+	$secret = 'z' . ElggCrypto::getRandomString(31);
+
 	if (datalist_set('__site_secret__', $secret)) {
 		return $secret;
 	}
@@ -400,6 +403,26 @@ function get_site_secret() {
 }
 
 /**
+ * Get the strength of the site secret
+ *
+ * @return string "strong", "moderate", or "weak"
+ * @access private
+ */
+function _elgg_get_site_secret_strength() {
+	$secret = get_site_secret();
+	if ($secret[0] !== 'z') {
+		$rand_max = getrandmax();
+		if ($rand_max < pow(2, 16)) {
+			return 'weak';
+		}
+		if ($rand_max < pow(2, 32)) {
+			return 'moderate';
+		}
+	}
+	return 'strong';
+}
+
+/**
  * Check if an action is registered and its script exists.
  *
  * @param string $action Action name
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 7f82108c0..f36f29668 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -236,6 +236,7 @@ function admin_init() {
 	elgg_register_action('admin/site/update_advanced', '', 'admin');
 	elgg_register_action('admin/site/flush_cache', '', 'admin');
 	elgg_register_action('admin/site/unlock_upgrade', '', 'admin');
+	elgg_register_action('admin/site/regenerate_secret', '', 'admin');
 
 	elgg_register_action('admin/menu/save', '', 'admin');
 
@@ -291,6 +292,7 @@ function admin_init() {
 	elgg_register_admin_menu_item('configure', 'settings', null, 100);
 	elgg_register_admin_menu_item('configure', 'basic', 'settings', 10);
 	elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20);
+	elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25);
 	elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30);
 	elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40);
 	// default widgets is added via an event handler elgg_default_widgets_init() in widgets.php
diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 124e67e0f..5e9b530de 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -249,9 +249,13 @@ function elgg_disable_annotations(array $options) {
 	if (!elgg_is_valid_options_for_batch_operation($options, 'annotations')) {
 		return false;
 	}
+	
+	// if we can see hidden (disabled) we need to use the offset
+	// otherwise we risk an infinite loop if there are more than 50
+	$inc_offset = access_get_show_hidden_status();
 
 	$options['metastring_type'] = 'annotations';
-	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', false);
+	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', $inc_offset);
 }
 
 /**
diff --git a/engine/lib/database.php b/engine/lib/database.php
index 37dfb8f8d..a7949788d 100644
--- a/engine/lib/database.php
+++ b/engine/lib/database.php
@@ -129,7 +129,7 @@ function establish_db_link($dblinkname = "readwrite") {
 	// Set up cache if global not initialized and query cache not turned off
 	if ((!$DB_QUERY_CACHE) && (!$db_cache_off)) {
 		// @todo if we keep this cache in 1.9, expose the size as a config parameter
-		$DB_QUERY_CACHE = new ElggLRUCache(200);		
+		$DB_QUERY_CACHE = new ElggLRUCache(200);
 	}
 }
 
@@ -399,14 +399,14 @@ function elgg_query_runner($query, $callback = null, $single = false) {
 
 	// Since we want to cache results of running the callback, we need to
 	// need to namespace the query with the callback and single result request.
-	// http://trac.elgg.org/ticket/4049
+	// https://github.com/elgg/elgg/issues/4049
 	$hash = (string)$callback . (int)$single . $query;
 
 	// Is cached?
 	if ($DB_QUERY_CACHE) {
 		if (isset($DB_QUERY_CACHE[$hash])) {
 			elgg_log("DB query $query results returned from cache (hash: $hash)", 'NOTICE');
-			return $DB_QUERY_CACHE[$hash];			
+			return $DB_QUERY_CACHE[$hash];
 		}
 	}
 
@@ -524,7 +524,7 @@ function delete_data($query) {
 
 /**
  * Invalidate the query cache
- * 
+ *
  * @access private
  */
 function _elgg_invalidate_query_cache() {
@@ -533,7 +533,7 @@ function _elgg_invalidate_query_cache() {
 		$DB_QUERY_CACHE->clear();
 		elgg_log("Query cache invalidated", 'NOTICE');
 	} elseif ($DB_QUERY_CACHE) {
-		// In case someone sets the cache to an array and primes it with data 
+		// In case someone sets the cache to an array and primes it with data
 		$DB_QUERY_CACHE = array();
 		elgg_log("Query cache invalidated", 'NOTICE');
 	}
@@ -668,7 +668,7 @@ function run_sql_script($scriptlocation) {
 
 /**
  * Format a query string for logging
- * 
+ *
  * @param string $query Query string
  * @return string
  * @access private
diff --git a/engine/lib/deprecated-1.7.php b/engine/lib/deprecated-1.7.php
index 519eea89d..ee95b5611 100644
--- a/engine/lib/deprecated-1.7.php
+++ b/engine/lib/deprecated-1.7.php
@@ -1137,6 +1137,7 @@ function make_register_object($register_name, $register_value, $children_array =
  * @param int $guid GUID
  *
  * @return 1
+ * @deprecated 1.7
  */
 function delete_object_entity($guid) {
 	system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
@@ -1154,6 +1155,7 @@ function delete_object_entity($guid) {
  * @param int $guid User GUID
  *
  * @return 1
+ * @deprecated 1.7
  */
 function delete_user_entity($guid) {
 	system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
diff --git a/engine/lib/deprecated-1.8.php b/engine/lib/deprecated-1.8.php
index 6aa42a81d..91068d047 100644
--- a/engine/lib/deprecated-1.8.php
+++ b/engine/lib/deprecated-1.8.php
@@ -3414,6 +3414,7 @@ function list_annotations($entity_guid, $name = "", $limit = 25, $asc = true) {
  * @param unknown_type $timeupper
  * @param unknown_type $calculation
  * @internal Don't use this at all.
+ * @deprecated 1.8 Use elgg_get_annotations()
  */
 function elgg_deprecated_annotation_calculation($entity_guid = 0, $entity_type = "", $entity_subtype = "",
 $name = "", $value = "", $value_type = "", $owner_guid = 0, $timelower = 0,
@@ -4667,6 +4668,7 @@ function display_widget(ElggObject $widget) {
  *
  * @param ElggEntity $entity
  * @return int Number of comments
+ * @deprecated 1.8 Use ElggEntity->countComments()
  */
 function elgg_count_comments($entity) {
 	elgg_deprecated_notice('elgg_count_comments() is deprecated by ElggEntity->countComments()', 1.8);
diff --git a/engine/lib/deprecated-1.9.php b/engine/lib/deprecated-1.9.php
new file mode 100644
index 000000000..31d03428f
--- /dev/null
+++ b/engine/lib/deprecated-1.9.php
@@ -0,0 +1,582 @@
+<?php
+/**
+ * Return a timestamp for the start of a given day (defaults today).
+ *
+ * @param int $day   Day
+ * @param int $month Month
+ * @param int $year  Year
+ *
+ * @return int
+ * @access private
+ * @deprecated 1.9
+ */
+function get_day_start($day = null, $month = null, $year = null) {
+	elgg_deprecated_notice('get_day_start() has been deprecated', 1.9);
+	return mktime(0, 0, 0, $month, $day, $year);
+}
+
+/**
+ * Return a timestamp for the end of a given day (defaults today).
+ *
+ * @param int $day   Day
+ * @param int $month Month
+ * @param int $year  Year
+ *
+ * @return int
+ * @access private
+ * @deprecated 1.9
+ */
+function get_day_end($day = null, $month = null, $year = null) {
+	elgg_deprecated_notice('get_day_end() has been deprecated', 1.9);
+	return mktime(23, 59, 59, $month, $day, $year);
+}
+
+/**
+ * Return the notable entities for a given time period.
+ *
+ * @param int     $start_time     The start time as a unix timestamp.
+ * @param int     $end_time       The end time as a unix timestamp.
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param string  $order_by       The field to order by; by default, time_created desc
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param int     $offset         The indexing offset, 0 by default
+ * @param boolean $count          Set to true to get a count instead of entities. Defaults to false.
+ * @param int     $site_guid      Site to get entities for. Default 0 = current site. -1 = any.
+ * @param mixed   $container_guid Container or containers to get entities from (default: any).
+ *
+ * @return array|false
+ * @access private
+ * @deprecated 1.9
+ */
+function get_notable_entities($start_time, $end_time, $type = "", $subtype = "", $owner_guid = 0,
+$order_by = "asc", $limit = 10, $offset = 0, $count = false, $site_guid = 0,
+$container_guid = null) {
+	elgg_deprecated_notice('get_notable_entities() has been deprecated', 1.9);
+	global $CONFIG;
+
+	if ($subtype === false || $subtype === null || $subtype === 0) {
+		return false;
+	}
+
+	$start_time = (int)$start_time;
+	$end_time = (int)$end_time;
+	$order_by = sanitise_string($order_by);
+	$limit = (int)$limit;
+	$offset = (int)$offset;
+	$site_guid = (int) $site_guid;
+	if ($site_guid == 0) {
+		$site_guid = $CONFIG->site_guid;
+	}
+
+	$where = array();
+
+	if (is_array($type)) {
+		$tempwhere = "";
+		if (sizeof($type)) {
+			foreach ($type as $typekey => $subtypearray) {
+				foreach ($subtypearray as $subtypeval) {
+					$typekey = sanitise_string($typekey);
+					if (!empty($subtypeval)) {
+						$subtypeval = (int) get_subtype_id($typekey, $subtypeval);
+					} else {
+						$subtypeval = 0;
+					}
+					if (!empty($tempwhere)) {
+						$tempwhere .= " or ";
+					}
+					$tempwhere .= "(e.type = '{$typekey}' and e.subtype = {$subtypeval})";
+				}
+			}
+		}
+		if (!empty($tempwhere)) {
+			$where[] = "({$tempwhere})";
+		}
+	} else {
+		$type = sanitise_string($type);
+		$subtype = get_subtype_id($type, $subtype);
+
+		if ($type != "") {
+			$where[] = "e.type='$type'";
+		}
+
+		if ($subtype !== "") {
+			$where[] = "e.subtype=$subtype";
+		}
+	}
+
+	if ($owner_guid != "") {
+		if (!is_array($owner_guid)) {
+			$owner_array = array($owner_guid);
+			$owner_guid = (int) $owner_guid;
+			$where[] = "e.owner_guid = '$owner_guid'";
+		} else if (sizeof($owner_guid) > 0) {
+			$owner_array = array_map('sanitise_int', $owner_guid);
+			// Cast every element to the owner_guid array to int
+			$owner_guid = implode(",", $owner_guid);
+			$where[] = "e.owner_guid in ({$owner_guid})";
+		}
+		if (is_null($container_guid)) {
+			$container_guid = $owner_array;
+		}
+	}
+
+	if ($site_guid > 0) {
+		$where[] = "e.site_guid = {$site_guid}";
+	}
+
+	if (!is_null($container_guid)) {
+		if (is_array($container_guid)) {
+			foreach ($container_guid as $key => $val) {
+				$container_guid[$key] = (int) $val;
+			}
+			$where[] = "e.container_guid in (" . implode(",", $container_guid) . ")";
+		} else {
+			$container_guid = (int) $container_guid;
+			$where[] = "e.container_guid = {$container_guid}";
+		}
+	}
+
+	// Add the calendar stuff
+	$cal_join = "
+		JOIN {$CONFIG->dbprefix}metadata cal_start on e.guid=cal_start.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_name on cal_start.name_id=cal_start_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_value on cal_start.value_id=cal_start_value.id
+
+		JOIN {$CONFIG->dbprefix}metadata cal_end on e.guid=cal_end.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_name on cal_end.name_id=cal_end_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_value on cal_end.value_id=cal_end_value.id
+	";
+	$where[] = "cal_start_name.string='calendar_start'";
+	$where[] = "cal_start_value.string>=$start_time";
+	$where[] = "cal_end_name.string='calendar_end'";
+	$where[] = "cal_end_value.string <= $end_time";
+
+
+	if (!$count) {
+		$query = "SELECT e.* from {$CONFIG->dbprefix}entities e $cal_join where ";
+	} else {
+		$query = "SELECT count(e.guid) as total from {$CONFIG->dbprefix}entities e $cal_join where ";
+	}
+	foreach ($where as $w) {
+		$query .= " $w and ";
+	}
+
+	$query .= get_access_sql_suffix('e'); // Add access controls
+
+	if (!$count) {
+		$query .= " order by n.calendar_start $order_by";
+		// Add order and limit
+		if ($limit) {
+			$query .= " limit $offset, $limit";
+		}
+		$dt = get_data($query, "entity_row_to_elggstar");
+
+		return $dt;
+	} else {
+		$total = get_data_row($query);
+		return $total->total;
+	}
+}
+
+/**
+ * Return the notable entities for a given time period based on an item of metadata.
+ *
+ * @param int    $start_time     The start time as a unix timestamp.
+ * @param int    $end_time       The end time as a unix timestamp.
+ * @param mixed  $meta_name      Metadata name
+ * @param mixed  $meta_value     Metadata value
+ * @param string $entity_type    The type of entity to look for, eg 'site' or 'object'
+ * @param string $entity_subtype The subtype of the entity.
+ * @param int    $owner_guid     Owner GUID
+ * @param int    $limit          Limit
+ * @param int    $offset         Offset
+ * @param string $order_by       Optional ordering.
+ * @param int    $site_guid      Site to get entities for. Default 0 = current site. -1 = any.
+ * @param bool   $count          If true, returns count instead of entities. (Default: false)
+ *
+ * @return int|array A list of entities, or a count if $count is set to true
+ * @access private
+ * @deprecated 1.9
+ */
+function get_notable_entities_from_metadata($start_time, $end_time, $meta_name, $meta_value = "",
+$entity_type = "", $entity_subtype = "", $owner_guid = 0, $limit = 10, $offset = 0, $order_by = "",
+$site_guid = 0, $count = false) {
+	elgg_deprecated_notice('get_notable_entities_from_metadata() has been deprecated', 1.9);
+
+	global $CONFIG;
+
+	$meta_n = get_metastring_id($meta_name);
+	$meta_v = get_metastring_id($meta_value);
+
+	$start_time = (int)$start_time;
+	$end_time = (int)$end_time;
+	$entity_type = sanitise_string($entity_type);
+	$entity_subtype = get_subtype_id($entity_type, $entity_subtype);
+	$limit = (int)$limit;
+	$offset = (int)$offset;
+	if ($order_by == "") {
+		$order_by = "e.time_created desc";
+	}
+	$order_by = sanitise_string($order_by);
+	$site_guid = (int) $site_guid;
+	if ((is_array($owner_guid) && (count($owner_guid)))) {
+		foreach ($owner_guid as $key => $guid) {
+			$owner_guid[$key] = (int) $guid;
+		}
+	} else {
+		$owner_guid = (int) $owner_guid;
+	}
+
+	if ($site_guid == 0) {
+		$site_guid = $CONFIG->site_guid;
+	}
+
+	//$access = get_access_list();
+
+	$where = array();
+
+	if ($entity_type != "") {
+		$where[] = "e.type='$entity_type'";
+	}
+
+	if ($entity_subtype) {
+		$where[] = "e.subtype=$entity_subtype";
+	}
+
+	if ($meta_name != "") {
+		$where[] = "m.name_id='$meta_n'";
+	}
+
+	if ($meta_value != "") {
+		$where[] = "m.value_id='$meta_v'";
+	}
+
+	if ($site_guid > 0) {
+		$where[] = "e.site_guid = {$site_guid}";
+	}
+
+	if (is_array($owner_guid)) {
+		$where[] = "e.container_guid in (" . implode(",", $owner_guid) . ")";
+	} else if ($owner_guid > 0) {
+		$where[] = "e.container_guid = {$owner_guid}";
+	}
+
+	// Add the calendar stuff
+	$cal_join = "
+		JOIN {$CONFIG->dbprefix}metadata cal_start on e.guid=cal_start.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_name on cal_start.name_id=cal_start_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_value on cal_start.value_id=cal_start_value.id
+
+		JOIN {$CONFIG->dbprefix}metadata cal_end on e.guid=cal_end.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_name on cal_end.name_id=cal_end_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_value on cal_end.value_id=cal_end_value.id
+	";
+
+	$where[] = "cal_start_name.string='calendar_start'";
+	$where[] = "cal_start_value.string>=$start_time";
+	$where[] = "cal_end_name.string='calendar_end'";
+	$where[] = "cal_end_value.string <= $end_time";
+
+	if (!$count) {
+		$query = "SELECT distinct e.* ";
+	} else {
+		$query = "SELECT count(distinct e.guid) as total ";
+	}
+
+	$query .= "from {$CONFIG->dbprefix}entities e"
+	. " JOIN {$CONFIG->dbprefix}metadata m on e.guid = m.entity_guid $cal_join where";
+
+	foreach ($where as $w) {
+		$query .= " $w and ";
+	}
+
+	// Add access controls
+	$query .= get_access_sql_suffix("e");
+	$query .= ' and ' . get_access_sql_suffix("m");
+
+	if (!$count) {
+		// Add order and limit
+		$query .= " order by $order_by limit $offset, $limit";
+		return get_data($query, "entity_row_to_elggstar");
+	} else {
+		if ($row = get_data_row($query)) {
+			return $row->total;
+		}
+	}
+
+	return false;
+}
+
+/**
+ * Return the notable entities for a given time period based on their relationship.
+ *
+ * @param int     $start_time           The start time as a unix timestamp.
+ * @param int     $end_time             The end time as a unix timestamp.
+ * @param string  $relationship         The relationship eg "friends_of"
+ * @param int     $relationship_guid    The guid of the entity to use query
+ * @param bool    $inverse_relationship Reverse the normal function of the query to say
+ *                                      "give me all entities for whom $relationship_guid is a
+ *                                      $relationship of"
+ * @param string  $type                 Entity type
+ * @param string  $subtype              Entity subtype
+ * @param int     $owner_guid           Owner GUID
+ * @param string  $order_by             Optional Order by
+ * @param int     $limit                Limit
+ * @param int     $offset               Offset
+ * @param boolean $count                If true returns a count of entities (default false)
+ * @param int     $site_guid            Site to get entities for. Default 0 = current site. -1 = any
+ *
+ * @return array|int|false An array of entities, or the number of entities, or false on failure
+ * @access private
+ * @deprecated 1.9
+ */
+function get_noteable_entities_from_relationship($start_time, $end_time, $relationship,
+$relationship_guid, $inverse_relationship = false, $type = "", $subtype = "", $owner_guid = 0,
+$order_by = "", $limit = 10, $offset = 0, $count = false, $site_guid = 0) {
+	elgg_deprecated_notice('get_noteable_entities_from_relationship() has been deprecated', 1.9);
+
+	global $CONFIG;
+
+	$start_time = (int)$start_time;
+	$end_time = (int)$end_time;
+	$relationship = sanitise_string($relationship);
+	$relationship_guid = (int)$relationship_guid;
+	$inverse_relationship = (bool)$inverse_relationship;
+	$type = sanitise_string($type);
+	$subtype = get_subtype_id($type, $subtype);
+	$owner_guid = (int)$owner_guid;
+	if ($order_by == "") {
+		$order_by = "time_created desc";
+	}
+	$order_by = sanitise_string($order_by);
+	$limit = (int)$limit;
+	$offset = (int)$offset;
+	$site_guid = (int) $site_guid;
+	if ($site_guid == 0) {
+		$site_guid = $CONFIG->site_guid;
+	}
+
+	//$access = get_access_list();
+
+	$where = array();
+
+	if ($relationship != "") {
+		$where[] = "r.relationship='$relationship'";
+	}
+	if ($relationship_guid) {
+		$where[] = $inverse_relationship ?
+			"r.guid_two='$relationship_guid'" : "r.guid_one='$relationship_guid'";
+	}
+	if ($type != "") {
+		$where[] = "e.type='$type'";
+	}
+	if ($subtype) {
+		$where[] = "e.subtype=$subtype";
+	}
+	if ($owner_guid != "") {
+		$where[] = "e.container_guid='$owner_guid'";
+	}
+	if ($site_guid > 0) {
+		$where[] = "e.site_guid = {$site_guid}";
+	}
+
+	// Add the calendar stuff
+	$cal_join = "
+		JOIN {$CONFIG->dbprefix}metadata cal_start on e.guid=cal_start.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_name on cal_start.name_id=cal_start_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_value on cal_start.value_id=cal_start_value.id
+
+		JOIN {$CONFIG->dbprefix}metadata cal_end on e.guid=cal_end.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_name on cal_end.name_id=cal_end_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_value on cal_end.value_id=cal_end_value.id
+	";
+	$where[] = "cal_start_name.string='calendar_start'";
+	$where[] = "cal_start_value.string>=$start_time";
+	$where[] = "cal_end_name.string='calendar_end'";
+	$where[] = "cal_end_value.string <= $end_time";
+
+	// Select what we're joining based on the options
+	$joinon = "e.guid = r.guid_one";
+	if (!$inverse_relationship) {
+		$joinon = "e.guid = r.guid_two";
+	}
+
+	if ($count) {
+		$query = "SELECT count(distinct e.guid) as total ";
+	} else {
+		$query = "SELECT distinct e.* ";
+	}
+	$query .= " from {$CONFIG->dbprefix}entity_relationships r"
+	. " JOIN {$CONFIG->dbprefix}entities e on $joinon $cal_join where ";
+
+	foreach ($where as $w) {
+		$query .= " $w and ";
+	}
+	// Add access controls
+	$query .= get_access_sql_suffix("e");
+	if (!$count) {
+		$query .= " order by $order_by limit $offset, $limit"; // Add order and limit
+		return get_data($query, "entity_row_to_elggstar");
+	} else {
+		if ($count = get_data_row($query)) {
+			return $count->total;
+		}
+	}
+	return false;
+}
+
+/**
+ * Get all entities for today.
+ *
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param string  $order_by       The field to order by; by default, time_created desc
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param int     $offset         The indexing offset, 0 by default
+ * @param boolean $count          If true returns a count of entities (default false)
+ * @param int     $site_guid      Site to get entities for. Default 0 = current site. -1 = any
+ * @param mixed   $container_guid Container(s) to get entities from (default: any).
+ *
+ * @return array|false
+ * @access private
+ * @deprecated 1.9
+ */
+function get_todays_entities($type = "", $subtype = "", $owner_guid = 0, $order_by = "",
+$limit = 10, $offset = 0, $count = false, $site_guid = 0, $container_guid = null) {
+	elgg_deprecated_notice('get_todays_entities() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return get_notable_entities($day_start, $day_end, $type, $subtype, $owner_guid, $order_by,
+		$limit, $offset, $count, $site_guid, $container_guid);
+}
+
+/**
+ * Get entities for today from metadata.
+ *
+ * @param mixed  $meta_name      Metadata name
+ * @param mixed  $meta_value     Metadata value
+ * @param string $entity_type    The type of entity to look for, eg 'site' or 'object'
+ * @param string $entity_subtype The subtype of the entity.
+ * @param int    $owner_guid     Owner GUID
+ * @param int    $limit          Limit
+ * @param int    $offset         Offset
+ * @param string $order_by       Optional ordering.
+ * @param int    $site_guid      Site to get entities for. Default 0 = current site. -1 = any.
+ * @param bool   $count          If true, returns count instead of entities. (Default: false)
+ *
+ * @return int|array A list of entities, or a count if $count is set to true
+ * @access private
+ * @deprecated 1.9
+ */
+function get_todays_entities_from_metadata($meta_name, $meta_value = "", $entity_type = "",
+$entity_subtype = "", $owner_guid = 0, $limit = 10, $offset = 0, $order_by = "", $site_guid = 0,
+$count = false) {
+	elgg_deprecated_notice('get_todays_entities_from_metadata() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return get_notable_entities_from_metadata($day_start, $day_end, $meta_name, $meta_value,
+		$entity_type, $entity_subtype, $owner_guid, $limit, $offset, $order_by, $site_guid, $count);
+}
+
+/**
+ * Get entities for today from a relationship
+ *
+ * @param string  $relationship         The relationship eg "friends_of"
+ * @param int     $relationship_guid    The guid of the entity to use query
+ * @param bool    $inverse_relationship Reverse the normal function of the query to say
+ *                                      "give me all entities for whom $relationship_guid is a
+ *                                      $relationship of"
+ * @param string  $type                 Entity type
+ * @param string  $subtype              Entity subtype
+ * @param int     $owner_guid           Owner GUID
+ * @param string  $order_by             Optional Order by
+ * @param int     $limit                Limit
+ * @param int     $offset               Offset
+ * @param boolean $count                If true returns a count of entities (default false)
+ * @param int     $site_guid            Site to get entities for. Default 0 = current site. -1 = any
+ *
+ * @return array|int|false An array of entities, or the number of entities, or false on failure
+ * @access private
+ * @deprecated 1.9
+ */
+function get_todays_entities_from_relationship($relationship, $relationship_guid,
+$inverse_relationship = false, $type = "", $subtype = "", $owner_guid = 0,
+$order_by = "", $limit = 10, $offset = 0, $count = false, $site_guid = 0) {
+	elgg_deprecated_notice('get_todays_entities_from_relationship() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return get_notable_entities_from_relationship($day_start, $day_end, $relationship,
+		$relationship_guid,	$inverse_relationship, $type, $subtype, $owner_guid, $order_by,
+		$limit, $offset, $count, $site_guid);
+}
+
+/**
+ * Returns a viewable list of entities for a given time period.
+ *
+ * @see elgg_view_entity_list
+ *
+ * @param int     $start_time     The start time as a unix timestamp.
+ * @param int     $end_time       The end time as a unix timestamp.
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param boolean $fullview       Whether or not to display the full view (default: true)
+ * @param boolean $listtypetoggle Whether or not to allow gallery view
+ * @param boolean $navigation     Display pagination? Default: true
+ *
+ * @return string A viewable list of entities
+ * @access private
+ * @deprecated 1.9
+ */
+function list_notable_entities($start_time, $end_time, $type= "", $subtype = "", $owner_guid = 0,
+$limit = 10, $fullview = true, $listtypetoggle = false, $navigation = true) {
+	elgg_deprecated_notice('list_notable_entities() has been deprecated', 1.9);
+
+	$offset = (int) get_input('offset');
+	$count = get_notable_entities($start_time, $end_time, $type, $subtype,
+		$owner_guid, "", $limit, $offset, true);
+
+	$entities = get_notable_entities($start_time, $end_time, $type, $subtype,
+		$owner_guid, "", $limit, $offset);
+
+	return elgg_view_entity_list($entities, $count, $offset, $limit,
+		$fullview, $listtypetoggle, $navigation);
+}
+
+/**
+ * Return a list of today's entities.
+ *
+ * @see list_notable_entities
+ *
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param boolean $fullview       Whether or not to display the full view (default: true)
+ * @param boolean $listtypetoggle Whether or not to allow gallery view
+ * @param boolean $navigation     Display pagination? Default: true
+ *
+ * @return string A viewable list of entities
+ * @access private
+ * @deprecated 1.9
+ */
+function list_todays_entities($type= "", $subtype = "", $owner_guid = 0, $limit = 10,
+$fullview = true, $listtypetoggle = false, $navigation = true) {
+	elgg_deprecated_notice('list_todays_entities() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return list_notable_entities($day_start, $day_end, $type, $subtype, $owner_guid, $limit,
+		$fullview, $listtypetoggle, $navigation);
+}
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index b5ef7e572..34111c69d 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -746,7 +746,7 @@ function elgg_unregister_event_handler($event, $object_type, $callback) {
  * @tip When referring to events, the preferred syntax is "event, type".
  *
  * @internal Only rarely should events be changed, added, or removed in core.
- * When making changes to events, be sure to first create a ticket in trac.
+ * When making changes to events, be sure to first create a ticket on Github.
  *
  * @internal @tip Think of $object_type as the primary namespace element, and
  * $event as the secondary namespace.
@@ -1350,7 +1350,7 @@ function full_url() {
 		"" : (":" . $_SERVER["SERVER_PORT"]);
 
 	// This is here to prevent XSS in poorly written browsers used by 80% of the population.
-	// {@trac [5813]}
+	// https://github.com/Elgg/Elgg/commit/0c947e80f512cb0a482b1864fd0a6965c8a0cd4a
 	$quotes = array('\'', '"');
 	$encoded = array('%27', '%22');
 
@@ -2249,7 +2249,7 @@ function elgg_api_test($hook, $type, $value, $params) {
  *
  * @warning ACCESS_DEFAULT is a place holder for the input/access view. Do not
  * use it when saving an entity.
- * 
+ *
  * @var int
  */
 define('ACCESS_DEFAULT', -1);
diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index 997db79d2..4fcf1c657 100644
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -791,7 +791,7 @@ function get_entity($guid) {
 
 	if ($shared_cache) {
 		$cached_entity = $shared_cache->load($guid);
-		// @todo store ACLs in memcache http://trac.elgg.org/ticket/3018#comment:3
+		// @todo store ACLs in memcache https://github.com/elgg/elgg/issues/3018#issuecomment-13662617
 		if ($cached_entity) {
 			// @todo use ACL and cached entity access_id to determine if user can see it
 			return $cached_entity;
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 2d9bae4dd..80b0b8766 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -60,8 +60,8 @@ function get_input($variable, $default = NULL, $filter_result = TRUE) {
  *
  * Note: this function does not handle nested arrays (ex: form input of param[m][n])
  *
- * @param string $variable The name of the variable
- * @param string $value    The value of the variable
+ * @param string          $variable The name of the variable
+ * @param string|string[] $value    The value of the variable
  *
  * @return void
  */
diff --git a/engine/lib/memcache.php b/engine/lib/memcache.php
index f79fba4a9..79b87e850 100644
--- a/engine/lib/memcache.php
+++ b/engine/lib/memcache.php
@@ -35,3 +35,23 @@ function is_memcache_available() {
 
 	return $memcache_available;
 }
+
+/**
+ * Invalidate an entity in memcache
+ *
+ * @param int $entity_guid The GUID of the entity to invalidate
+ *
+ * @return void
+ * @access private
+ */
+function _elgg_invalidate_memcache_for_entity($entity_guid) {
+	static $newentity_cache;
+	

+	if ((!$newentity_cache) && (is_memcache_available())) {

+		$newentity_cache = new ElggMemcache('new_entity_cache');

+	}
+	

+	if ($newentity_cache) {

+		$newentity_cache->delete($entity_guid);

+	}
+}
\ No newline at end of file
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index d2f8d4cd4..fdb1b85f6 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -333,9 +333,13 @@ function elgg_disable_metadata(array $options) {
 	}
 
 	elgg_get_metadata_cache()->invalidateByOptions('disable', $options);
+	
+	// if we can see hidden (disabled) we need to use the offset
+	// otherwise we risk an infinite loop if there are more than 50
+	$inc_offset = access_get_show_hidden_status();
 
 	$options['metastring_type'] = 'metadata';
-	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', false);
+	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', $inc_offset);
 }
 
 /**
diff --git a/engine/lib/notification.php b/engine/lib/notification.php
index b6399b3c6..be0c359d4 100644
--- a/engine/lib/notification.php
+++ b/engine/lib/notification.php
@@ -110,12 +110,15 @@ function notify_user($to, $from, $subject, $message, array $params = NULL, $meth
 			// Are we overriding delivery?
 			$methods = $methods_override;
 			if (!$methods) {
-				$tmp = (array)get_user_notification_settings($guid);
+				$tmp = get_user_notification_settings($guid);
 				$methods = array();
-				foreach ($tmp as $k => $v) {
-					// Add method if method is turned on for user!
-					if ($v) {
-						$methods[] = $k;
+				// $tmp may be false. don't cast
+				if (is_object($tmp)) {
+					foreach ($tmp as $k => $v) {
+						// Add method if method is turned on for user!
+						if ($v) {
+							$methods[] = $k;
+						}
 					}
 				}
 			}
@@ -165,7 +168,7 @@ function notify_user($to, $from, $subject, $message, array $params = NULL, $meth
  *
  * @param int $user_guid The user id
  *
- * @return stdClass
+ * @return stdClass|false
  */
 function get_user_notification_settings($user_guid = 0) {
 	$user_guid = (int)$user_guid;
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 6172a5c8d..de4f911fb 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -421,6 +421,25 @@ function _elgg_html_decode($string) {
 }
 
 /**
+ * Prepares query string for output to prevent CSRF attacks.
+ * 
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+	//encode <,>,&, quotes and characters above 127
+	if (function_exists('mb_convert_encoding')) {

+		$display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');

+	} else {

+		// if no mbstring extension, we just strip characters

+		$display_query = preg_replace("/[^\x01-\x7F]/", "", $string);

+	}

+	return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
+/**
  * Unit tests for Output
  *
  * @param string  $hook   unit_test
diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php
index 74bce45fd..d5d3db466 100644
--- a/engine/lib/plugins.php
+++ b/engine/lib/plugins.php
@@ -1105,6 +1105,49 @@ function plugins_test($hook, $type, $value, $params) {
 }
 
 /**
+ * Checks on deactivate plugin event if disabling it won't create unmet dependencies and blocks disable in such case.
+ *
+ * @param string $event  deactivate
+ * @param string $type   plugin
+ * @param array  $params Parameters array containing entry with ELggPlugin instance under 'plugin_entity' key
+ * @return bool  false to block plugin deactivation action
+ *
+ * @access private
+ */
+function _plugins_deactivate_dependency_check($event, $type, $params) {
+	$plugin_id = $params['plugin_entity']->getManifest()->getPluginID();
+	$plugin_name = $params['plugin_entity']->getManifest()->getName();
+
+	$active_plugins = elgg_get_plugins();
+
+	$dependents = array();
+	foreach ($active_plugins as $plugin) {
+		$manifest = $plugin->getManifest();
+		$requires = $manifest->getRequires();
+
+		foreach ($requires as $required) {
+			if ($required['type'] == 'plugin' && $required['name'] == $plugin_id) {
+				// there are active dependents
+				$dependents[$manifest->getPluginID()] = $plugin;
+			}
+		}
+	}
+
+	if ($dependents) {
+		$list = '<ul>';
+		// construct error message and prevent disabling
+		foreach ($dependents as $dependent) {
+			$list .= '<li>' . $dependent->getManifest()->getName() . '</li>';
+		}
+		$list .= '</ul>';
+
+		register_error(elgg_echo('ElggPlugin:Dependencies:ActiveDependent', array($plugin_name, $list)));
+
+		return false;
+	}
+}
+
+/**
  * Initialize the plugin system
  * Listens to system init and registers actions
  *
@@ -1115,6 +1158,10 @@ function plugin_init() {
 	run_function_once("plugin_run_once");
 
 	elgg_register_plugin_hook_handler('unit_test', 'system', 'plugins_test');
+	
+	// note - plugins are booted by the time this handler is registered
+	// deactivation due to error may have already occurred
+	elgg_register_event_handler('deactivate', 'plugin', '_plugins_deactivate_dependency_check');
 
 	elgg_register_action("plugins/settings/save", '', 'admin');
 	elgg_register_action("plugins/usersettings/save");
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 4926a85c4..e92040eb7 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -120,7 +120,7 @@ $posted = 0, $annotation_id = 0) {
  *   subtypes             => STR|ARR Entity subtype string(s)
  *   type_subtype_pairs   => ARR     Array of type => subtype pairs where subtype
  *                                   can be an array of subtype strings
- * 
+ *
  *   posted_time_lower    => INT     The lower bound on the time posted
  *   posted_time_upper    => INT     The upper bound on the time posted
  *
@@ -434,8 +434,13 @@ function elgg_list_river(array $options = array()) {
 		'pagination' => TRUE,
 		'list_class' => 'elgg-list-river elgg-river', // @todo remove elgg-river in Elgg 1.9
 	);
-
+	
 	$options = array_merge($defaults, $options);
+	
+	if (!$options["limit"] && !$options["offset"]) {

+		// no need for pagination if listing is unlimited

+		$options["pagination"] = false;

+	}
 
 	$options['count'] = TRUE;
 	$count = elgg_get_river($options);
@@ -445,6 +450,7 @@ function elgg_list_river(array $options = array()) {
 
 	$options['count'] = $count;
 	$options['items'] = $items;
+	
 	return elgg_view('page/components/list', $options);
 }
 
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index fb28e1e9a..e3d5ce9cd 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -326,6 +326,12 @@ function login(ElggUser $user, $persistent = false) {
 	set_last_login($_SESSION['guid']);
 	reset_login_failure_count($user->guid); // Reset any previous failed login attempts
 
+	// if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
+	if (is_memcache_available()) {
+		// this needs to happen with a shutdown function because of the timing with set_last_login()
+		register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid']);
+	}
+	
 	return true;
 }
 
diff --git a/engine/lib/system_log.php b/engine/lib/system_log.php
index 5a153afb2..84302632e 100644
--- a/engine/lib/system_log.php
+++ b/engine/lib/system_log.php
@@ -187,7 +187,16 @@ function system_log($object, $event) {
 		$object_subtype = $object->getSubtype();
 		$event = sanitise_string($event);
 		$time = time();
-		$ip_address = sanitise_string($_SERVER['REMOTE_ADDR']);
+
+		if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+			$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+		} elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+			$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_REAL_IP']));
+		} else {
+			$ip_address = $_SERVER['REMOTE_ADDR'];
+		}
+		$ip_address = sanitise_string($ip_address);
+
 		$performed_by = elgg_get_logged_in_user_guid();
 
 		if (isset($object->access_id)) {
diff --git a/engine/lib/upgrade.php b/engine/lib/upgrade.php
index 0cc1e64dc..158ec9ec1 100644
--- a/engine/lib/upgrade.php
+++ b/engine/lib/upgrade.php
@@ -245,7 +245,7 @@ function version_upgrade() {
 
 	// No version number? Oh snap...this is an upgrade from a clean installation < 1.7.
 	// Run all upgrades without error reporting and hope for the best.
-	// See http://trac.elgg.org/elgg/ticket/1432 for more.
+	// See https://github.com/elgg/elgg/issues/1432 for more.
 	$quiet = !$dbversion;
 
 	// Note: Database upgrades are deprecated as of 1.8.  Use code upgrades.  See #1433
diff --git a/engine/lib/upgrades/2010033101.php b/engine/lib/upgrades/2010033101.php
index 0bffee001..4779295fd 100644
--- a/engine/lib/upgrades/2010033101.php
+++ b/engine/lib/upgrades/2010033101.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Conditional upgrade for UTF8 as described in http://trac.elgg.org/ticket/1928
+ * Conditional upgrade for UTF8 as described in https://github.com/elgg/elgg/issues/1928
  */
 
 // get_version() returns the code version.
diff --git a/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php b/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php
index 07732f261..780038c32 100644
--- a/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php
+++ b/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php
@@ -3,7 +3,7 @@
  * Elgg 1.8.3 upgrade 2012041801
  * multiple_user_tokens
  *
- * Fixes http://trac.elgg.org/ticket/4291
+ * Fixes https://github.com/elgg/elgg/issues/4291
  * Removes the unique index on users_apisessions for user_guid and site_guid
  */
 
diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
new file mode 100644
index 000000000..538d74dd6
--- /dev/null
+++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * Elgg 1.8.15 upgrade 2013060900
+ * site_secret
+ *
+ * Description
+ */
+
+$strength = _elgg_get_site_secret_strength();
+
+if ($strength !== 'strong') {
+	// a new key is needed immediately
+	register_translations(elgg_get_root_path() . 'languages/');
+
+	elgg_add_admin_notice('weak_site_key', elgg_echo("upgrade:site_secret_warning:$strength"));
+}
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 0b4608034..a8fb9121c 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -553,7 +553,12 @@ function get_user($guid) {
 function get_user_by_username($username) {
 	global $CONFIG, $USERNAME_TO_GUID_MAP_CACHE;
 
-	$username = sanitise_string(rawurldecode($username));
+	// Fixes #6052. Username is frequently sniffed from the path info, which,
+	// unlike $_GET, is not URL decoded. If the username was not URL encoded,
+	// this is harmless.
+	$username = rawurldecode($username);
+
+	$username = sanitise_string($username);
 	$access = get_access_sql_suffix('e');
 
 	// Caching
@@ -1091,6 +1096,7 @@ function friends_page_handler($segments, $handler) {
  * @access private
  */
 function collections_page_handler($page_elements) {
+	gatekeeper();
 	elgg_set_context('friends');
 	$base = elgg_get_config('path');
 	if (isset($page_elements[0])) {
diff --git a/engine/lib/views.php b/engine/lib/views.php
index 65ba20204..1142461fe 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -218,7 +218,7 @@ function elgg_register_ajax_view($view) {
 
 /**
  * Unregister a view for ajax calls
- * 
+ *
  * @param string $view The view name
  * @return void
  * @since 1.8.3
@@ -369,7 +369,7 @@ function elgg_view_exists($view, $viewtype = '', $recurse = true) {
  * view, $view_name plugin hook.
  *
  * @warning Any variables in $_SESSION will override passed vars
- * upon name collision.  See {@trac #2124}.
+ * upon name collision.  See https://github.com/Elgg/Elgg/issues/2124
  *
  * @param string  $view     The name and location of the view to use
  * @param array   $vars     Variables to pass to the view.
@@ -795,7 +795,7 @@ function elgg_view_menu($menu_name, array $vars = array()) {
  *  - bool 'full_view' Whether to show a full or condensed view.
  *
  * @tip This function can automatically appends annotations to entities if in full
- * view and a handler is registered for the entity:annotate.  See {@trac 964} and
+ * view and a handler is registered for the entity:annotate.  See https://github.com/Elgg/Elgg/issues/964 and
  * {@link elgg_view_entity_annotations()}.
  *
  * @param ElggEntity $entity The entity to display
@@ -992,6 +992,11 @@ function elgg_view_annotation(ElggAnnotation $annotation, array $vars = array(),
 function elgg_view_entity_list($entities, $vars = array(), $offset = 0, $limit = 10, $full_view = true,
 $list_type_toggle = true, $pagination = true) {
 
+	if (!$vars["limit"] && !$vars["offset"]) {
+		// no need for pagination if listing is unlimited

+		$vars["pagination"] = false;

+	}

+		
 	if (!is_int($offset)) {
 		$offset = (int)get_input('offset', 0);
 	}
@@ -1064,8 +1069,13 @@ function elgg_view_annotation_list($annotations, array $vars = array()) {
 		'full_view' => true,
 		'offset_key' => 'annoff',
 	);
-
+	
 	$vars = array_merge($defaults, $vars);
+	
+	if (!$vars["limit"] && !$vars["offset"]) {

+		// no need for pagination if listing is unlimited

+		$vars["pagination"] = false;

+	}
 
 	return elgg_view('page/components/list', $vars);
 }
@@ -1239,7 +1249,7 @@ function elgg_view_river_item($item, array $vars = array()) {
 
 	// @todo this needs to be cleaned up
 	// Don't hide objects in closed groups that a user can see.
-	// see http://trac.elgg.org/ticket/4789
+	// see https://github.com/elgg/elgg/issues/4789
 	//	else {
 	//		// hide based on object's container
 	//		$visibility = ElggGroupItemVisibility::factory($object->container_guid);
@@ -1334,12 +1344,12 @@ function elgg_view_list_item($item, array $vars = array()) {
 
 /**
  * View one of the elgg sprite icons
- * 
+ *
  * Shorthand for <span class="elgg-icon elgg-icon-$name"></span>
- * 
+ *
  * @param string $name  The specific icon to display
  * @param string $class Additional class: float, float-alt, or custom class
- * 
+ *
  * @return string The html for displaying an icon
  */
 function elgg_view_icon($name, $class = '') {
@@ -1550,7 +1560,7 @@ function autoregister_views($view_base, $folder, $base_location_path, $viewtype)
 function elgg_views_add_rss_link() {
 	global $autofeed;
 	if (isset($autofeed) && $autofeed == true) {
-		$url = full_url();
+		$url = current_page_url();
 		if (substr_count($url, '?')) {
 			$url .= "&view=rss";
 		} else {
diff --git a/engine/lib/web_services.php b/engine/lib/web_services.php
index b440e3afb..51cad6f39 100644
--- a/engine/lib/web_services.php
+++ b/engine/lib/web_services.php
@@ -1166,6 +1166,17 @@ function list_all_apis() {
  * @access private
  */
 function auth_gettoken($username, $password) {
+	// check if username is an email address

+	if (is_email_address($username)) {

+		$users = get_user_by_email($username);

+			

+		// check if we have a unique user

+		if (is_array($users) && (count($users) == 1)) {

+			$username = $users[0]->username;

+		}

+	}

+	

+	// validate username and password
 	if (true === elgg_authenticate($username, $password)) {
 		$token = create_user_token($username);
 		if ($token) {
@@ -1195,7 +1206,7 @@ $ERRORS = array();
  *
  * @return void
  * @access private
- * 
+ *
  * @throws Exception
  */
 function _php_api_error_handler($errno, $errmsg, $filename, $linenum, $vars) {