Totara 2.2.38, 2.4.31, 2.5.28, 2.6.21 and 2.7.4 are all security releases because they include security fixes. We strongly recommend upgrading to these versions. These versions also contain various bug fixes and improvements.
Hugh Davenport at Catalyst NZ, Pavel Tsakalidis at Kineo UK, Rickard Skiold at xtractor, Russell England at Vision NV, and Tom Black at Kineo UK all have contributions in these releases - further details in the changelogs:

Release 2.7.4 (23rd June 2015):
==================================================

Security issues:

    TL-6566  Improved XSS prevention checks when serving untrusted files in IE
    TL-6576  Ensured Audience description is sanitised before display

             Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix for this issue.

    TL-6613  Improved validation of local URLs
    TL-6614  Added a warning when a site is not using HTTPS and secure cookies.
    TL-6617  Added username enumeration warnings to the Security Overview report if self-registration is active or protectusernames is disabled.

Improvements:

    TL-5130  Added suspended user rule to dynamic Audiences

             It is now possible to include or exclude users from a dynamic audience based on whether or not they are suspended.

    TL-6133  Improved performance of the main menu resulting in fewer database queries and file includes on each page view
    TL-6255  Added setting to allow users with inactive enrolments to be shown on course completion reports

             Normally the course completion and activity completion reports within a course do not show completion information for learners who do not have existing active enrolments, but who may have completed activities in the past when enrolled. Disabling this option on both reports will display all completion data in these reports including for those learners with suspended, expired or removed enrolments.

    TL-6303  Improved PDF export of Appraisals when question content results in a page break.
    TL-6329  Added "Use fixed expiry date" recertification option in Certifications

             This adds a third option for how the expiry dates on certifications are calculated. Details are provided in the help popups in the 'Certification' tab when editing a certification.

             This patch also slightly changes the behaviour of 'Use certification expiry date' - if a user's assignment (on the 'Assignments' tab) has a completion due date then this date will be used to calculate the expiry date the first time that the user certifies, rather than just using the date that the user completed the certification. The certification import tool has also been updated to support these changes.

    TL-6358  Added config option to control the display of Hierarchy framework, type and item shortcodes

             Previously whether Hierarchy shortcodes were displayed was defined in code. This patch adds a new config setting under Advanced Features. If you had previously made a customisation to the code (by setting constant HIERARCHY_DISPLAY_SHORTNAMES in totara/hierarchy/lib.php to true) to enable the display of Hierarchy shortcodes, you will need to re-enable the display of shortcodes using the new configuration setting.

    TL-6452  Improved the performance of the course completion scheduled task
    TL-6523  Allowed users to navigate away from long-running report exports in Reportbuilder

             Attempting to export a large report and then navigate away to any other page while the export was still processing would result in an error: "Timed out while waiting for session lock. Wait for your current requests to finish and try again later." and the system could then become unusable for that user. Now the user can navigate away from the export safely (which would cancel the export), or continue navigating the site in a different browser window/tab (while waiting for the export window to complete).

    TL-6544  Changed certification Status strings in certification reports to better reflect the actual statuses

             "Assigned" was changed to "Not certified"
             "Completed" was changed to "Certified"
             "Expired" and "In progress" were unchanged.

    TL-6558  Improved scalability of query in course completion

             This was causing a database error on some platforms due to an oversized IN query with large data sets.

    TL-6582  Fixed inconsistencies in site manager appearance-related capabilities

             Previously the appearance related permission for a site manager was not consistent between a new install and a permission reset. The totara/core:appearance capability is now consistently used across all roles.

    TL-6604  Improved appearance of Learning Plans tables on the My Learning pages for RTL languages
    TL-6626  Added new capability controls for access to activity modules plugin settings
    TL-6639  Updated the default content options for the My Team report to include temporary assignments

             This change will only affect future installs and My Team reports that are reset to default settings. To apply this change manually you can edit the My Team report and on the content tab tick the "Records for user's temporary reports" option.

    TL-6650  Changed program user assignments to defer large changes to happen on the next cron run

             Previously, when saving changes to user assignments in a Program or Certification, the new users were assigned when the save button was clicked. This was causing pages to time out when assigning large audiences. Now, the contents of the assignment tab are saved immediately but the users are not assigned to the program until the next cron run occurs. On-screen notifications have been added to indicate if pending assignments are waiting for a cron run.

    TL-6735  Added logging whenever activity completion is unlocked
    TL-6756  Improved information provided by webservices logging

Bug fixes:

    TL-5978  Fixed inconsistent access control checks for Learning Plans

             The behaviour has now been standardised throughout the code. Granting the totara/plan:manageanyplan capability allows users to create and edit plans for any user. Granting totara/plan:accessplan allows users to see and modify their own plans, and allows staff managers to create and edit the plans of their staff.

    TL-6222  Fixed courses incorrectly being visible in the Courses section of the Navigation block when using audience-based visibility
    TL-6263  Fixed reaggregation of course completion

             Course completion records would never be reaggregated on the cron run, if the "Completion begins on enrolment" course setting was turned off when course completion criteria were unlocked.

    TL-6319  Fixed rules for dynamic Audiences based on a text input user profile/custom field being empty
    TL-6360  Fixed setting of cancellation custom field value when calling facetoface_user_cancel_submission.
    TL-6372  Fixed course deletion so that deleting a course now removes that course from Programs and Certifications

             Previously if a course was deleted and it was part of a program or certification, then some actions e.g. setting up recertification would cause an error on cron run. This patch ensures that no new orphaned references will be created and also fixes any that currently exist.

    TL-6374  Fixed Reportbuilder 'last/next X days' date filters

             The 'Is between today and X days before/after today' filters were internally using a specific date rather than a relative number, resulting in saved searches not working as intended. This filter will now always be relative to the date on which it is used. Existing saved searches have been converted, but it is possible that some may be incorrect (although all were wrong without this patch). We advise that users check that saved searches which contain date filters have the intended values. Note that any users that are logged in and using these filters during the upgrade process may need to log out and back in to see the correct values.

    TL-6403  Fixed error message when displaying categories that contain only hidden courses
    TL-6419  Removed Temporary manager expiry date from Learner's position page when no temporary manager is assigned
    TL-6438  Fixed parameter validation when using the create/update courses web services
    TL-6440  Fixed create/edit capability permissions for Programs and Certifications
    TL-6466  Fixed dynamic Audience rules based off date/time custom fields

             If the date/time custom field was set to a date after 2038 the rule comparison broke. We switched the cast2int function to use bigint so the comparison can take place.

    TL-6473  Fixed display of Reportbuilder report graph block for reports where a default sort column is specified
    TL-6508  Fixed unenrolled courses showing in My Current Courses home page block
    TL-6515  Fixed scheduling of HR Import, Reportbuilder export and Reportbuilder caching.

             HR Import scheduling is now using the system timezone. Scheduled reports are now using the timezone of the user that created them.

    TL-6516  Fixed resetting of Certification message logs when the recertification window opens

             When the window opens it tried to delete message logs for the user's manager as well as the user even though the manager records were never created.

    TL-6521  Fixed dynamic Audience date-based rules for first and last login dates
    TL-6539  Fixed Program due messages being sent to users who have current exceptions
    TL-6559  Fixed the Evidence report source showing records for deleted users
    TL-6560  Totara Messaging now consistently uses the support user email as the from address when no from user is provided

             When sending a message, we now use the support_user email if no user is specified. Send functions will also now support NOREPLY_USER.

    TL-6561  Added additional validation when trying to activate Appraisals containing aggregation questions

             Stops activation of appraisals containing aggregation questions with no selected aggregations.

    TL-6562  Fixed Facetoface session custom fields showing PHP Notice and Warning errors when creating a new session
    TL-6579  Fixed ability to add aggregate rating questions to Appraisals when using a non-English language pack
    TL-6581  Improved handling of and recovery from missing Certification completion records

             Due to various causes such as page timeouts, it is possible that some certification completion records are not being created. This patch ensures that the records are created when users access their certifications. A check has been added to the certification cron task which will find any users who are missing these records and will create them.

    TL-6587  Fixed HR Import log message if a user cannot be deleted
    TL-6589  Removed invalid CSS declaration

             There was an @charset declaration in a certifications CSS stylesheet that would cause invalid CSS when theme designer mode is turned off. This has been removed.

    TL-6591  Removed unused CSS declarations

             There were some unused Mozilla Firefox CSS declarations that were causing issues with custom CSS in Custom Totara Responsive.

    TL-6592  Fixed the display of the completion status for deleted users in Record of Learning reports
    TL-6596  Fixed the unassigning of Audience members from system roles when an Audience is deleted
    TL-6597  Fixed blank rows appearing in the sorting default column on Reportbuilder columns tab
    TL-6598  Fixed Facetoface fullname column always showing 'reserved' in reports
    TL-6600  Fixed error when trying to create a user profile custom field after using the browser back button
    TL-6606  Fixed sending of course Reminder messages

             When a feedback activity is added to a course, invitation and reminder messages would sometimes not be sent, depending on the "Personal messages between users" message output config settings. These reminder messages have now been converted to standard Totara Alerts.

    TL-6608  Fixed order of icons for RTL languages in the Tasks block
    TL-6619  Fixed the error message when trying to delete an unknown post in the Forum
    TL-6628  Fixed error when trying to close an active Appraisal with no assigned users
    TL-6631  Fixed the line wrapping and display of preformatted text in Labels
    TL-6635  Fixed the formatting of exported columns in the Record of Learning: Certifications report

             Removes the "overdue" and "X days remaining" warnings displayed on the window opens and expiration date columns for exports of reports based off the Record of Learning: Certifications source.

    TL-6647  Fixed the selection of stages to print when printing Appraisals
    TL-6652  Fixed the display of the 'roles that can view' column on the edit Appraisal page
    TL-6661  Fixed alphabetic ordering of user list when using 'Allocate spaces for team' page in a Facetoface session, when manager reservations are enabled
    TL-6680  Improved display when adding a random quiz question to a quiz when using RTL languages
    TL-6681  Fixed behaviour of Feedback activity forms when form_change_checker is disabled

             The form change checker detects if any form elements on the page have been changed since last load. If the form change checker is disabled some of the Feedback activity forms were generating errors.

    TL-6694  Prevented incorrect room booking conflicts from being shown when creating a Facetoface session
    TL-6697  Fixed Facetoface custom rooms on session duplication

             If you duplicated a Facetoface session with a custom room, the room was not duplicated leaving you with 2 sessions using the same custom room. If you then removed the custom room from one session it was deleted, breaking the other session.

    TL-6705  Fixed incorrect risk flag on Plan Evidence capability

             The totara/plan:editownsiteevidence capability was incorrectly marked as a dataloss risk, which made the Security Overview report say the Authenticated User role was incorrectly defined.

    TL-6711  Fixed display of course default section title when using multilang filter on a course using the Demo course format
    TL-6720  Fixed role-based visibility access checks on the frontpage
    TL-6744  Fixed error message when adding linked courses to Learning Plan competencies or objectives

Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576
    * Pavel Tsakalidis at Kineo UK - TL-6452
    * Rickard Skiold at xtractor - TL-6560
    * Russell England at Vision NV - TL-6360
    * Tom Black at Kineo UK - TL-6516

Release 2.6.21 (23rd June 2015):
==================================================

Security issues:

    TL-6566  Improved XSS prevention checks when serving untrusted files in IE
    TL-6576  Ensured Audience description is sanitised before display

             Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix for this issue.

    TL-6613  Improved validation of local URLs

Improvements:

    TL-5130  Added suspended user rule to dynamic Audiences

             It is now possible to include or exclude users from a dynamic audience based on whether or not they are suspended.

    TL-6303  Improved PDF export of Appraisals when question content results in a page break.
    TL-6358  Added config option to control the display of Hierarchy framework, type and item shortcodes

             Previously whether Hierarchy shortcodes were displayed was defined in code. This patch adds a new config setting under Advanced Features. If you had previously made a customisation to the code (by setting constant HIERARCHY_DISPLAY_SHORTNAMES in totara/hierarchy/lib.php to true) to enable the display of Hierarchy shortcodes, you will need to re-enable the display of shortcodes using the new configuration setting.

    TL-6523  Allowed users to navigate away from long-running report exports in Reportbuilder

             Attempting to export a large report and then navigate away to any other page while the export was still processing would result in an error: "Timed out while waiting for session lock. Wait for your current requests to finish and try again later." and the system could then become unusable for that user. Now the user can navigate away from the export safely (which would cancel the export), or continue navigating the site in a different browser window/tab (while waiting for the export window to complete).

    TL-6544  Changed certification Status strings in certification reports to better reflect the actual statuses

             "Assigned" was changed to "Not certified"
             "Completed" was changed to "Certified"
             "Expired" and "In progress" were unchanged.

    TL-6558  Improved scalability of query in course completion

             This was causing a database error on some platforms due to an oversized IN query with large data sets.

    TL-6604  Improved appearance of Learning Plans tables on the My Learning pages for RTL languages
    TL-6650  Changed program user assignments to defer large changes to happen on the next cron run

             Previously, when saving changes to user assignments in a Program or Certification, the new users were assigned when the save button was clicked. This was causing pages to time out when assigning large audiences. Now, the contents of the assignment tab are saved immediately but the users are not assigned to the program until the next cron run occurs. On-screen notifications have been added to indicate if pending assignments are waiting for a cron run.

    TL-6735  Added logging whenever activity completion is unlocked

Bug fixes:

    TL-5978  Fixed inconsistent access control checks for Learning Plans

             The behaviour has now been standardised throughout the code. Granting the totara/plan:manageanyplan capability allows users to create and edit plans for any user. Granting totara/plan:accessplan allows users to see and modify their own plans, and allows staff managers to create and edit the plans of their staff.

    TL-6222  Fixed courses incorrectly being visible in the Courses section of the Navigation block when using audience-based visibility
    TL-6263  Fixed reaggregation of course completion

             Course completion records would never be reaggregated on the cron run, if the "Completion begins on enrolment" course setting was turned off when course completion criteria were unlocked.

    TL-6319  Fixed rules for dynamic Audiences based on a text input user profile/custom field being empty
    TL-6372  Fixed course deletion so that deleting a course now removes that course from Programs and Certifications

             Previously if a course was deleted and it was part of a program or certification, then some actions e.g. setting up recertification would cause an error on cron run. This patch ensures that no new orphaned references will be created and also fixes any that currently exist.

    TL-6374  Fixed Reportbuilder 'last/next X days' date filters

             The 'Is between today and X days before/after today' filters were internally using a specific date rather than a relative number, resulting in saved searches not working as intended. This filter will now always be relative to the date on which it is used. Existing saved searches have been converted, but it is possible that some may be incorrect (although all were wrong without this patch). We advise that users check that saved searches which contain date filters have the intended values. Note that any users that are logged in and using these filters during the upgrade process may need to log out and back in to see the correct values.

    TL-6419  Removed Temporary manager expiry date from Learner's position page when no temporary manager is assigned
    TL-6440  Fixed create/edit capability permissions for Programs and Certifications
    TL-6466  Fixed dynamic Audience rules based off date/time custom fields

             If the date/time custom field was set to a date after 2038 the rule comparison broke. We switched the cast2int function to use bigint so the comparison can take place.

    TL-6516  Fixed resetting of Certification message logs when the recertification window opens

             When the window opens it tried to delete message logs for the user's manager as well as the user even though the manager records were never created.

    TL-6539  Fixed Program due messages being sent to users who have current exceptions
    TL-6540  Fixed shortname type for Face-to-face custom fields

             If there is a problem saving your Face-to-face session with a Custom session field, please update the Custom session field shortname and then update the Face-to-face session.

    TL-6559  Fixed the Evidence report source showing records for deleted users
    TL-6560  Totara Messaging now consistently uses the support user email as the from address when no from user is provided

             When sending a message, we now use the support_user email if no user is specified. Send functions will also now support NOREPLY_USER.

    TL-6581  Improved handling of and recovery from missing Certification completion records

             Due to various causes such as page timeouts, it is possible that some certification completion records are not being created. This patch ensures that the records are created when users access their certifications. A check has been added to the certification cron task which will find any users who are missing these records and will create them.

    TL-6587  Fixed Totara Sync log message if a user cannot be deleted
    TL-6596  Fixed the unassigning of Audience members from system roles when an Audience is deleted
    TL-6598  Fixed Facetoface fullname column always showing 'reserved' in reports
    TL-6606  Fixed sending of course Reminder messages

             When a feedback activity is added to a course, invitation and reminder messages would sometimes not be sent, depending on the "Personal messages between users" message output config settings. These reminder messages have now been converted to standard Totara Alerts.

    TL-6608  Fixed order of icons for RTL languages in the Tasks block
    TL-6631  Fixed the line wrapping and display of preformatted text in Labels
    TL-6633  Fixed sharing of config and dbmeta caches by version

             Configuring the config or database meta information caches to be shared by version could lead to a notice and caches being over-shared regardless of version. This fix ensures that the version is properly loaded in early initialisation situations when sharing has been configured to include version for these two sites.

    TL-6635  Fixed the formatting of exported columns in the Record of Learning: Certifications report

             Removes the "overdue" and "X days remaining" warnings displayed on the window opens and expiration date columns for exports of reports based off the Record of Learning: Certifications source.

    TL-6661  Fixed alphabetic ordering of user list when using 'Allocate spaces for team' page in a Facetoface session, when manager reservations are enabled
    TL-6663  Fixed enforcement of required custom profile fields when self-registration is enabled and the registering user is currently logged-in as a guest
    TL-6680  Improved display when adding a random quiz question to a quiz when using RTL languages
    TL-6697  Fixed Facetoface custom rooms on session duplication

             If you duplicated a Facetoface session with a custom room, the room was not duplicated leaving you with 2 sessions using the same custom room. If you then removed the custom room from one session it was deleted, breaking the other session.

    TL-6744  Fixed error message when adding linked courses to Learning Plan competencies or objectives

Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576
    * Rickard Skiold at xtractor - TL-6560
    * Tom Black at Kineo UK - TL-6516

Release 2.5.28 (23rd June 2015):
==================================================

Security issues:

    TL-6566  Improved XSS prevention checks when serving untrusted files in IE
    TL-6576  Ensured Audience description is sanitised before display

             Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix for this issue.

    TL-6613  Improved validation of local URLs

Improvements:

    TL-6358  Added config option to control the display of Hierarchy framework, type and item shortcodes

             Previously whether Hierarchy shortcodes were displayed was defined in code. This patch adds a new config setting under Advanced Features. If you had previously made a customisation to the code (by setting constant HIERARCHY_DISPLAY_SHORTNAMES in totara/hierarchy/lib.php to true) to enable the display of Hierarchy shortcodes, you will need to re-enable the display of shortcodes using the new configuration setting.

    TL-6544  Changed certification Status strings in certification reports to better reflect the actual statuses

             "Assigned" was changed to "Not certified"
             "Completed" was changed to "Certified"
             "Expired" and "In progress" were unchanged.

    TL-6558  Improved scalability of query in course completion

             This was causing a database error on some platforms due to an oversized IN query with large data sets.

    TL-6650  Changed program user assignments to defer large changes to happen on the next cron run

             Previously, when saving changes to user assignments in a Program or Certification, the new users were assigned when the save button was clicked. This was causing pages to time out when assigning large audiences. Now, the contents of the assignment tab are saved immediately but the users are not assigned to the program until the next cron run occurs. On-screen notifications have been added to indicate if pending assignments are waiting for a cron run.

    TL-6664  Improved the performance of Reportbuilder management pages
    TL-6735  Added logging whenever activity completion is unlocked

Bug fixes:

    TL-5978  Fixed inconsistent access control checks for Learning Plans

             The behaviour has now been standardised throughout the code. Granting the totara/plan:manageanyplan capability allows users to create and edit plans for any user. Granting totara/plan:accessplan allows users to see and modify their own plans, and allows staff managers to create and edit the plans of their staff.

    TL-6222  Fixed courses incorrectly being visible in the Courses section of the Navigation block when using audience-based visibility
    TL-6263  Fixed reaggregation of course completion

             Course completion records would never be reaggregated on the cron run, if the "Completion begins on enrolment" course setting was turned off when course completion criteria were unlocked.

    TL-6319  Fixed rules for dynamic Audiences based on a text input user profile/custom field being empty
    TL-6374  Fixed Reportbuilder 'last/next X days' date filters

             The 'Is between today and X days before/after today' filters were internally using a specific date rather than a relative number, resulting in saved searches not working as intended. This filter will now always be relative to the date on which it is used. Existing saved searches have been converted, but it is possible that some may be incorrect (although all were wrong without this patch). We advise that users check that saved searches which contain date filters have the intended values. Note that any users that are logged in and using these filters during the upgrade process may need to log out and back in to see the correct values.

    TL-6440  Fixed create/edit capability permissions for Programs and Certifications
    TL-6516  Fixed resetting of Certification message logs when the recertification window opens

             When the window opens it tried to delete message logs for the user's manager as well as the user even though the manager records were never created.

    TL-6539  Fixed Program due messages being sent to users who have current exceptions
    TL-6581  Improved handling of and recovery from missing Certification completion records

             Due to various causes such as page timeouts, it is possible that some certification completion records are not being created. This patch ensures that the records are created when users access their certifications. A check has been added to the certification cron task which will find any users who are missing these records and will create them.

    TL-6633  Fixed sharing of config and dbmeta caches by version

             Configuring the config or database meta information caches to be shared by version could lead to a notice and caches being over-shared regardless of version. This fix ensures that the version is properly loaded in early initialisation situations when sharing has been configured to include version for these two sites.

    TL-6663  Fixed enforcement of required custom profile fields when self-registration is enabled and the registering user is currently logged-in as a guest
    TL-6680  Improved display when adding a random quiz question to a quiz when using RTL languages
    TL-6744  Fixed error message when adding linked courses to Learning Plan competencies or objectives

Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576
    * Tom Black at Kineo UK - TL-6516

Release 2.4.31 (23rd June 2015):
==================================================

Security issues:

    TL-6566  Improved XSS prevention checks when serving untrusted files in IE
    TL-6576  Ensured Audience description is sanitised before display

             Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix for this issue.

    TL-6613  Improved validation of local URLs

Improvements:

    TL-6558  Improved scalability of query in course completion

             This was causing a database error on some platforms due to an oversized IN query with large data sets.

Bug fixes:

    TL-6680  Improved display when adding a random quiz question to a quiz when using RTL languages

Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576

Release 2.2.38 (23rd June 2015):
==================================================

Security issues:

    TL-6566  Improved XSS prevention checks when serving untrusted files in IE
    TL-6576  Ensured Audience description is sanitised before display

             Thanks to Hugh Davenport at Catalyst NZ for reporting and providing a fix for this issue.

    TL-6613  Improved validation of local URLs

Contributions:

    * Hugh Davenport at Catalyst NZ - TL-6576