Totara Release Notes

Security Releases for Totara 2.2.40, 2.4.33, 2.5.30, 2.6.23 and 2.7.6 released 18th August 2015

 
by Sam Hemelryk on 17/08/2015, 23:26
Group Totara

Hello everyone,

The following versions of Totara have now been released:

  • 2.7.6
  • 2.6.23
  • 2.5.30
  • 2.4.33
  • 2.2.40

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Thanks to Chris Wharton at Catalyst, Haitham Gasim at Kineo, Jo Jones at Kineo, Joby Harding at Mindclick and Russell England at Vision by Deloitte for their contributions.

Changelogs are as follows: 

Release 2.7.6

Security issues:

    TL-7157        Added a new workaround for password autocompletion issues in some modern browsers

                   This fix works around an issue whereby some modern browsers would
                   automatically fill any password field in any form with a user's stored
                   password for the site.
                   This would only occur after the user had made the decision to save Totara
                   authentication credentials within the browser.
                   Previously implemented directives telling the browser to not automatically
                   fill in the field are now ignored by those browsers.
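
A defender-side check for the situation TL-7157 describes, as an added example that is not Totara's code and not the workaround these releases ship: it lists password fields outside the login form, including those that rely on an autocomplete="off" directive. The `/login` path and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: path of the site's real login form (placeholder).
LOGIN_ACTIONS = ("/login",)

# Constructed sample markup, not taken from Totara.
SAMPLE = """\
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="/admin/mail-settings" method="post" autocomplete="off">
  <input type="text" name="smtp_user">
  <input type="PASSWORD" name="smtp_pass">
</form>
<form action="/admin/sync-settings?tab=db" method="post">
  <input type="password" name="db_pass" autocomplete="off" />
  <input type="password" name="api_secret">
</form>
"""


class PasswordFieldAuditor(HTMLParser):
    """Collect every password input with the autocomplete directive in effect."""

    def __init__(self):
        super().__init__()
        self._form = None   # attributes of the form currently open, if any
        self.fields = []    # one dict per password input found

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            form = self._form or {}
            # A field-level attribute takes precedence over the form-level one.
            directive = a.get("autocomplete") or form.get("autocomplete") or ""
            self.fields.append({
                "line": self.getpos()[0],
                "name": a.get("name", ""),
                "action": form.get("action", ""),
                "directive": directive.strip().lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html, login_actions=LOGIN_ACTIONS):
    """Return (line, field name, kind) for password fields outside the login form."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for f in parser.fields:
        if urlsplit(f["action"]).path in login_actions:
            continue  # filling the stored password here is the intended behaviour
        if f["directive"] == "off":
            kind = "off-ignored"    # relies on a directive the browser ignores
        elif f["directive"] == "":
            kind = "no-directive"   # nothing tells the browser to leave it alone
        else:
            kind = "other"          # some other value: check browser behaviour by hand
        findings.append((f["line"], f["name"], kind))
    return findings


if __name__ == "__main__":
    for line, name, kind in audit(SAMPLE):
        print("line %d: password field %r -> %s" % (line, name, kind))
```

Every field it reports is a place where a saved site password could be filled in without the user typing it, so each one should be reviewed after upgrading.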


Improvements:

    TL-3202        HR Import now correctly enforces required user fields

                   It was previously possible to not include some required user fields when
                   using HR Import.
                   First and last name columns are now automatically required if user creation
                   is allowed, and the email field is automatically required if duplicate
                   emails are not allowed and user creation is allowed.
                   It is possible to exclude the first name, last name and email columns if
                   only the user update and/or delete options are enabled.

    TL-5955        Added new events for the creation and deletion of RPL course and activity completions
    TL-6436        Added an option to reset notifications to default for Face-to-face notifications

                   Sites that have been upgraded through Totara 2.4 may have Face-to-face
                   activities that do not have the complete series of notifications a newly
                   created Face-to-face activity would have.
                   This improvement introduces a means of resetting the default notifications
                   allowing those sites that have Face-to-face activities with missing
                   notifications to reset the default notifications if they wish in order to
                   get them back.

    TL-6807        Added a date format setting for HR Import of users when using an external database source
    TL-6817        Added new capabilities to allow the delegation of language settings control

                   Two new capabilities have been added to allow delegation of control of
                   language settings and language packs.
                   Previously this was controlled by the site config capability.
                   By default only site administrators have these new capabilities.
                   The two new capabilities are:

                   * totara/core:langconfig - Allow access to edit language settings.
                   * tool/langimport:managelanguages - Allow installing and uninstalling of
                   language packs.

    TL-6929        Improved Behat tests that use Totara navigation
    TL-6994        Improved the performance of scheduled reports if the export to file system option is enabled

                   Previously scheduled reports with the export to file system option turned
                   on would be generated twice, once for the recipient of the report and once
                   for the file system.
                   The code now only generates the report once and uses it for both the
                   recipient and the file system.

    TL-7109        Changed audience strings to reflect what start and end dates actually do
    TL-7130        Improved the redirect on saving changes when editing Totara menu items

                   The current behaviour is that you will get redirected back to the index
                   page when you save any settings. This means that you will have to go back
                   to the edit page and then navigate to the "Access" tab in order to set
                   custom access rules after having set the visibility to "Use custom access
                   rules".
                   The new behaviour is to redirect to the "Access" tab when the visibility
                   setting is changed to "Use custom access rules".



Bug fixes:

    TL-3550        Fixed the incorrect removal of completed Feedback 360 requests if JavaScript is disabled

                   This issue was caused by behaviour inconsistency between JS being enabled
                   and disabled.
                   If JS was enabled when editing a Feedback 360 with completed requests and
                   the user clicked add users the page would be lost and the completed
                   requests would be incorrectly removed.
                   The basic interface now behaves in the same way as the enhanced interface.

    TL-6455        Fixed the formatting of report names used within the Graphical Reports block

                   Report names that contain special characters are now displayed correctly
                   within the Graphical Reports block.

    TL-6487        Fixed the display of competencies achieved through course completion on the My Team page

                   Previously the number of competencies achieved for each team member was
                   being incorrectly displayed on the My Team page if one or more competencies
                   had been achieved through course completion due to stats not being
                   correctly recorded.
                   This has been fixed and an upgrade step ensures all stats are correct.


    TL-6512        Fixed course reminder escalation messages being sent for all historical course completions
    TL-6575        Fixed report builder column order when exporting to Excel in RTL languages
    TL-6645        Changed Certification Completion report source columns to use certification status rather than program status

                   Several fields in the certification completion report source were changed
                   so that their information is determined by the certification status value
                   rather than the program status. The Status column now shows the same data
                   as the Record of Learning: Certifications Status column. Is Complete was
                   changed to Is Certified and Is Not Complete to Is Not Certified. Those two,
                   as well as Is In Progress and Is Not Started were changed to reflect the
                   correct state of the certification. Columns and filters in existing reports
                   have been converted, but customised column headers need to be updated
                   manually to reflect the change. Users should check any saved searches which
                   use these filters, as they may no longer show the information that is
                   expected.

    TL-6708        Fixed course custom field data being saved after events

                   Course custom field data is now being saved before the course_created and
                   course_updated events, allowing observers of those events to access custom
                   field data.

    TL-6767        Fixed HR Import producing a fatal error if more than 65336 import errors were encountered
    TL-6811        Fixed an undefined variable notice when editing a course
    TL-6908        Fixed the display of stage titles when exporting an Appraisal

                   When an Appraisal had a long stage title and either a short description or
                   no description at all the title would sometimes be cut off in the PDF that
                   was produced by the export.
                   This was affecting the interface and PDF snapshots.

    TL-6955        Fixed Face-to-face Session report source Role columns and filters not working

                   These columns and filters are now selectable and use language strings.

    TL-6964        Improved validation when creating main menu items with custom access rules

                   This change improves the validation of main menu custom access rules to
                   ensure items cannot be created with invalid rules.

    TL-6983        Fixed non-unique query parameter names in report builder filters

                   Report builder filters were previously attempting to generate unique
                   parameter names by hashing a combination of information about the filter.
                   This could lead to duplicate parameter names being generated on occasion
                   causing an error.
                   This has been fixed to use sequential param names instead, ensuring a
                   parameter name is always unique.

    TL-6986        Fixed the Face-to-face Manager approval radio button disappearing when user signup note is disabled
    TL-6989        Fixed conflicting content option aliases for report builder reports
    TL-7046        Fixed client side form validation on forms without a header
    TL-7048        Fixed the sending of certification alerts so that suspended users are excluded
    TL-7083        Fixed a missing include when trying to search for a program or certification
    TL-7095        Removed all uses of the sql_fullname function from within the Site Logs report source
    TL-7099        Fixed over restrictive capability checks when uploading custom certificate images

                   Users with the totara/core:modconfig capability may now upload custom
                   certificate images through the certificates module setting.
                   This makes it consistent with the other module settings.

    TL-7102        Fixed the cancel button when editing a course section summary

                   Previously the cancel button when editing a course section summary would
                   not cancel the action but instead complete it.
                   The cancel button now correctly disregards any changes the user has made.

    TL-7110        Fixed program exceptions not being triggered when creating a new assignment

                   Previously if an assignment was added to a program or certification, and a
                   completion date was set, all in one step (without saving in between) then
                   exceptions for those assignments were not being checked.
                   The fix for this issue ensures exceptions are correctly checked and
                   triggered.

    TL-7122        Removed the incorrect commas at the end of lines when displaying Face-to-face room details
    TL-7142        Added a new capability for the certificate module's "email teachers" setting and updated its language strings

                   Previously the setting was sending notifications to everyone with the
                   mod/certificate:manage capability, which resulted in all site managers
                   receiving the messages.
                   The setting is now called "send notifications" and it uses a new capability
                   mod/certificate:receivenotification, which defaults to only the editing and
                   non-editing trainer roles. If you want your site managers or custom roles
                   to receive these notifications you will have to give them the capability.

    TL-7149        Fixed the display of certification status within report builder filters
    TL-7156        Fixed the display of certification renewal status in the Record of Learning report
    TL-7196        Reset Required Learning menu item cache when programs or certifications are completed

                   When the last Required Learning program or certification was completed, the
                   Required Learning menu item was not being immediately removed. This was
                   causing an error message if it was subsequently selected.



New features:

    TL-6407        Added a new colours custom setting to graphs in report builder

                   It is now possible to specify graph series colours in the custom settings
                   for a report builder report.
                   Colours can now be specified using the following syntax in the custom
                   settings input:

                       colours = #ff0000,#00ff00,#0000ff

                   While it is possible to use any colours the browser supports we strongly
                   recommend only hexadecimal colours are used.


Contributions:

    * Chris Wharton at Catalyst NZ - TL-6964
    * Haitham Gasim at Kineo - TL-6955
    * Jo Jones at Kineo - TL-6767
    * Joby Harding at Mindclick and Russell England at Vision by Deloitte - TL-6708

Release 2.6.23

Security issues:

    TL-7157        Added a new workaround for password autocompletion issues in some modern browsers

                   This fix works around an issue whereby some modern browsers would
                   automatically fill any password field in any form with a user's stored
                   password for the site.
                   This would only occur after the user had made the decision to save Totara
                   authentication credentials within the browser.
                   Previously implemented directives telling the browser to not automatically
                   fill in the field are now ignored by those browsers.


Improvements:

    TL-3202        HR Import now correctly enforces required user fields

                   It was previously possible to not include some required user fields when
                   using HR Import.
                   First and last name columns are now automatically required if user creation
                   is allowed, and the email field is automatically required if duplicate
                   emails are not allowed and user creation is allowed.
                   It is possible to exclude the first name, last name and email columns if
                   only the user update and/or delete options are enabled.

    TL-6436        Added an option to reset notifications to default for Face-to-face notifications

                   Sites that have been upgraded through Totara 2.4 may have Face-to-face
                   activities that do not have the complete series of notifications a newly
                   created Face-to-face activity would have.
                   This improvement introduces a means of resetting the default notifications
                   allowing those sites that have Face-to-face activities with missing
                   notifications to reset the default notifications if they wish in order to
                   get them back.

    TL-7109        Changed audience strings to reflect what start and end dates actually do


Bug fixes:

    TL-6487        Fixed the display of competencies achieved through course completion on the My Team page

                   Previously the number of competencies achieved for each team member was
                   being incorrectly displayed on the My Team page if one or more competencies
                   had been achieved through course completion due to stats not being
                   correctly recorded.
                   This has been fixed and an upgrade step ensures all stats are correct.


    TL-6512        Fixed course reminder escalation messages being sent for all historical course completions
    TL-6575        Fixed report builder column order when exporting to Excel in RTL languages
    TL-6767        Fixed HR Import producing a fatal error if more than 65336 import errors were encountered
    TL-6908        Fixed the display of stage titles when exporting an Appraisal

                   When an Appraisal had a long stage title and either a short description or
                   no description at all the title would sometimes be cut off in the PDF that
                   was produced by the export.
                   This was affecting the interface and PDF snapshots.

    TL-6955        Fixed Face-to-face Session report source Role columns and filters not working

                   These columns and filters are now selectable and use language strings.

    TL-6983        Fixed non-unique query parameter names in report builder filters

                   Report builder filters were previously attempting to generate unique
                   parameter names by hashing a combination of information about the filter.
                   This could lead to duplicate parameter names being generated on occasion
                   causing an error.
                   This has been fixed to use sequential param names instead, ensuring a
                   parameter name is always unique.

    TL-6989        Fixed conflicting content option aliases for report builder reports
    TL-7048        Fixed the sending of certification alerts so that suspended users are excluded
    TL-7102        Fixed the cancel button when editing a course section summary

                   Previously the cancel button when editing a course section summary would
                   not cancel the action but instead complete it.
                   The cancel button now correctly disregards any changes the user has made.

    TL-7110        Fixed program exceptions not being triggered when creating a new assignment

                   Previously if an assignment was added to a program or certification, and a
                   completion date was set, all in one step (without saving in between) then
                   exceptions for those assignments were not being checked.
                   The fix for this issue ensures exceptions are correctly checked and
                   triggered.

    TL-7142        Added a new capability for the certificate module's "email teachers" setting and updated its language strings

                   Previously the setting was sending notifications to everyone with the
                   mod/certificate:manage capability, which resulted in all site managers
                   receiving the messages.
                   The setting is now called "send notifications" and it uses a new capability
                   mod/certificate:receivenotification, which defaults to only the editing and
                   non-editing trainer roles. If you want your site managers or custom roles
                   to receive these notifications you will have to give them the capability.

    TL-7149        Fixed the display of certification status within report builder filters
    TL-7156        Fixed the display of certification renewal status in the Record of Learning report


Contributions:

    * Haitham Gasim at Kineo - TL-6955
    * Jo Jones at Kineo - TL-6767

Release 2.5.30

Security issues:

    TL-7157        Added a new workaround for password autocompletion issues in some modern browsers

                   This fix works around an issue whereby some modern browsers would
                   automatically fill any password field in any form with a user's stored
                   password for the site.
                   This would only occur after the user had made the decision to save Totara
                   authentication credentials within the browser.
                   Previously implemented directives telling the browser to not automatically
                   fill in the field are now ignored by those browsers.


Improvements:

    TL-6436        Added an option to reset notifications to default for Face-to-face notifications

                   Sites that have been upgraded through Totara 2.4 may have Face-to-face
                   activities that do not have the complete series of notifications a newly
                   created Face-to-face activity would have.
                   This improvement introduces a means of resetting the default notifications
                   allowing those sites that have Face-to-face activities with missing
                   notifications to reset the default notifications if they wish in order to
                   get them back.

    TL-7109        Changed audience strings to reflect what start and end dates actually do


Bug fixes:

    TL-6512        Fixed course reminder escalation messages being sent for all historical course completions
    TL-6767        Fixed HR Import producing a fatal error if more than 65336 import errors were encountered
    TL-6908        Fixed the display of stage titles when exporting an Appraisal

                   When an Appraisal had a long stage title and either a short description or
                   no description at all the title would sometimes be cut off in the PDF that
                   was produced by the export.
                   This was affecting the interface and PDF snapshots.

    TL-7048        Fixed the sending of certification alerts so that suspended users are excluded
    TL-7085        Replaced a hardcoded "Participants" string in Appraisals with a translatable string
    TL-7102        Fixed the cancel button when editing a course section summary

                   Previously the cancel button when editing a course section summary would
                   not cancel the action but instead complete it.
                   The cancel button now correctly disregards any changes the user has made.

    TL-7110        Fixed program exceptions not being triggered when creating a new assignment

                   Previously if an assignment was added to a program or certification, and a
                   completion date was set, all in one step (without saving in between) then
                   exceptions for those assignments were not being checked.
                   The fix for this issue ensures exceptions are correctly checked and
                   triggered.

    TL-7142        Added a new capability for the certificate module's "email teachers" setting and updated its language strings

                   Previously the setting was sending notifications to everyone with the
                   mod/certificate:manage capability, which resulted in all site managers
                   receiving the messages.
                   The setting is now called "send notifications" and it uses a new capability
                   mod/certificate:receivenotification, which defaults to only the editing and
                   non-editing trainer roles. If you want your site managers or custom roles
                   to receive these notifications you will have to give them the capability.

    TL-7149        Fixed the display of certification status within report builder filters
    TL-7156        Fixed the display of certification renewal status in the Record of Learning report
    TL-7241        Fixed the creation of embedded reports on a clean installation

                   Previously, embedded reports were only being generated the first time that
                   each report was accessed. Now, they are also all created when the Manage
                   Reports page is first accessed.



Contributions:

    * Jo Jones at Kineo - TL-6767

Release 2.4.33

Security issues:

    TL-7157        Added a new workaround for password autocompletion issues in some modern browsers

                   This fix works around an issue whereby some modern browsers would
                   automatically fill any password field in any form with a user's stored
                   password for the site.
                   This would only occur after the user had made the decision to save Totara
                   authentication credentials within the browser.
                   Previously implemented directives telling the browser to not automatically
                   fill in the field are now ignored by those browsers.

Bug fixes:

    TL-6512        Fixed course reminder escalation messages being sent for all historical course completions
    TL-7102        Fixed the cancel button when editing a course section summary

                   Previously the cancel button when editing a course section summary would
                   not cancel the action but instead complete it.
                   The cancel button now correctly disregards any changes the user has made.

Release 2.2.40

Security issues:

    TL-7157        Added a new workaround for password autocompletion issues in some modern browsers

                   This fix works around an issue whereby some modern browsers would
                   automatically fill any password field in any form with a user's stored
                   password for the site.
                   This would only occur after the user had made the decision to save Totara
                   authentication credentials within the browser.
                   Previously implemented directives telling the browser to not automatically
                   fill in the field are now ignored by those browsers.

(Edited by Andy Kirk (Totara) - original submission Tuesday, 18 August 2015, 7:26 AM)