Totara Release Notes

Emergency release of 2.7.5.1, 2.6.22.1, and 2.5.29.1 - Released 29th July 2015

 
Sam Hemelryk
Emergency release of 2.7.5.1, 2.6.22.1, and 2.5.29.1 - Released 29th July 2015
by Sam Hemelryk - Sunday, 26 July 2015, 5:25 PM
Group Totara

We've had reports of a data loss bug with dynamic audiences that have been configured with a rule to search custom user profile text fields using a list of comma separated values.

A fix for this issue is now being worked on and tested.
We are also developing a solution for those sites that have had audience members incorrectly unassigned.
An emergency release will be made either today or tomorrow, as soon as the fix has been reviewed, tested and merged.

Details of the bug are as follows:

Description:

Users are being incorrectly added to a dynamic audience that has been configured with with a rule that searches a custom user profile field (type has to be text) looking for a comma separated list of values.

Versions:

This bug was introduce in Totara 2.7.4, 2.6.21, 2.5.28.
All versions greater than this will be affected.
This bug will be fixed in Totara 2.7.5.1, 2.6.22.1, 2.5.29.1.

Reproduction:

Preparation:

  1. Create 3 users e.g. User 1, User 2 and User 3.
  2. Browse to Site administration > Users > Accounts > User profile fields.
  3. Select `Text input` from the `Create a new profile field` drop-down.
  4. Provide a name and short name, leave all other options and select *Save changes*.
  5. Edit the profile for users 1 and 2, supply a value of `1` for your first test user and `2` for your second test user for the profile field you just created and select `Save changes`.
  6. Go to Site administration > Users > Accounts > Audiences and select `Add new audience`.
  7. Give the audience a name, set the type to `Dynamic` and select `Save changes`.
    (i) You will be taken straight to the *Rule sets* tab.

To reproduce:

  1. Select the `Add rule` drop-down and under `User custom fields`, select the custom field you created with a value of `[custom field name] (Text)`.
  2. The `Add rule` dialog will pop-up. Select `Contains` from the drop-down, add the values `1, 2` to the field and select `Save`.
  3. Select `Approve changes`.
  4. Select the `Members` tab.
  5. See behaviour below

Behaviour:

All users will be returned instead of just users 1 and 2 that contained the values *1* and *2* in their profile for the custom user profile field.

Expected behaviour:

Just users 1 and 2 that contained the values *1* and *2* in their profile for the custom user profile field should be returned.

Effect:

Users will be incorrectly added to an audience, this is far from ideal but not data loss in itself, it can however lead to users being enrolled in or given access to things they may not already have access to.
If a site has configured audiences such that Audience A contains all users with 1 or 2, and Audience B contains all users not in Audience A then users will be incorrectly removed from Audience B. This can lead to data loss.

Code notes:

SQL aggregation for a single rule is not being correctly encapsulated. Combinations of rules continue to work as expected, but any single rule that required OR aggregation will lead to a regression.
A very simple fix is required to properly encapsulate conditions being required for a rule.

Kind regards

Sam

 
Permalink
Sam Hemelryk
Re: Emergency release of 2.7.5.1, 2.6.22.1, and 2.5.29.1 - Released 29th July 2015
by Sam Hemelryk - Wednesday, 29 July 2015, 12:51 AM
Group Totara

The 2.7.5.1, 2.6.22.1, and 2.5.29.1 releases have now been published, 29th July 2015.

Details of the issue that lead to this emergency release can be found in the post above.

The changelogs for this release are as follows:

 

Release 2.7.5.1 (29th July 2015):

Bug fixes:

    TL-6763        Fixed the display of the main menu when an item with children was not visible to the user

                   A problem was identified with the Totara main menu when the current user
                   could not see a top level menu item that had sub menu items that were still
                   visible.
                   Visibility was not being inherited by sub menu items correctly and this
                   resulted in a coding error.
                   This was fixed by ensuring that visibility gets inherited by sub menu
                   items.

    TL-7044        Fixed rules for dynamic audiences based on a text input user profile field having multiple values

                   A bug was discovered with dynamic audiences which had been configured with
                   one or more rules on custom user profile fields with a series of comma
                   separated values.
                   When configured in this way users may be incorrectly added and/or removed
                   from the audience.
                   This could lead to users having access to things that they should not
                   otherwise have access to or for users to lose state and data if they were
                   incorrectly removed.

                   The fix for this includes a large number of new automated tests to ensure
                   that this does not happen again.

    TL-7061        Fixed incorrect triggering of the report_created event

                   The report_created event was being incorrectly triggered when embedded
                   reports were being created.
                   This would occur the first time an embedded report was used.
                   The report_created event is now only ever triggered when the user creates a
                   new custom report.

Release 2.6.22.1 (29th July 2015):

Bug fixes:

    TL-7044        Fixed rules for dynamic audiences based on a text input user profile field having multiple values

                   A bug was discovered with dynamic audiences which had been configured with
                   one or more rules on custom user profile fields with a series of comma
                   separated values.
                   When configured in this way users may be incorrectly added and/or removed
                   from the audience.
                   This could lead to users having access to things that they should not
                   otherwise have access to or for users to lose state and data if they were
                   incorrectly removed.

                   The fix for this includes a large number of new automated tests to ensure
                   that this does not happen again.


Release 2.5.29.1 (29th July 2015):

Bug fixes:

    TL-7017        Fixed Totara Sync incorrectly deleting existing users when the CSV source has invalid values

                   A bug was found in Totara Sync when 'Source contains all records' has been
                   turned on, the 'Delete' sync action has been enabled, and a user in the
                   source has an invalid manager.
                   In this situation the user record would be incorrectly deleted.

    TL-7044        Fixed rules for dynamic audiences based on a text input user profile field having multiple values

                   A bug was discovered with dynamic audiences which had been configured with
                   one or more rules on custom user profile fields with a series of comma
                   separated values.
                   When configured in this way users may be incorrectly added and/or removed
                   from the audience.
                   This could lead to users having access to things that they should not
                   otherwise have access to or for users to lose state and data if they were
                   incorrectly removed.

                   The fix for this includes a large number of new automated tests to ensure
                   that this does not happen again.

Kind regards
Sam

 
Permalink | Show parent