Totara Release Notes

Security releases for Totara 2.7.7, 2.6.24, 2.5.31, 2.4.34, and 2.2.41 released 22 September 2015

 
by Sam Hemelryk - Tuesday, 22 September 2015, 00:11
Totara Group

Hello everyone,

The following versions of Totara have now been released:

  • 2.7.7
  • 2.6.24
  • 2.5.31
  • 2.4.34
  • 2.2.41

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Thanks to the following people for their contributions: Andrew Hancox at Synergy Learning, Carlos Jurado at Kineo UK, Eugene Venter at Catalyst, Pavel Tsakalidis at Kineo UK.

Release 2.7.7 (22nd September 2015):

Improvements:

    TL-6484        Totara Connect Server 

                   Totara Connect makes it possible to connect one or more Totara LMS or
                   Totara Social installations to a master Totara LMS installation.
                   This connection allows users and audiences to be synchronised from the
                   master to all connected client sites.
                   Once synchronised, users can move between the connected sites with ease
                   thanks to the single sign-on system accompanying Totara Connect.

    TL-6599        Changes to program assignment dates now override previous exceptions

                   When the completion date of an assignment in a program or certification is
                   changed, any previous exceptions that the related users had will be
                   removed, the specified date will be applied, and exceptions will be
                   recalculated. As a result, exceptions that were previously resolved using
                   "Dismiss and take no action" might reoccur, but this change is providing a
                   means to re-assign those users which was previously not possible (unless
                   the user was completely removed). This patch also enforces the rule that
                   due dates can only be increased (even if an earlier assignment date is set)
                   - previously it was unintentionally possible to decrease them under certain
                   circumstances.

    TL-6634        Added a new capability for managing user profile fields

                   Added the totara/core:manageprofilefields capability to control who can
                   manage user profile fields. By default it is not granted to anyone.

    TL-6939        Added a warning that column aggregation options may not be compatible with reports that use aggregation internally
    TL-6965        Reduced the number of DB queries used when triggering events on update of Face-to-face signups
    TL-7151        Added additional settings to the Custom Totara Responsive theme

                   Custom Totara responsive now has the ability to change the text colour,
                   background colour, background image, background image location, and add a
                   footnote.

    TL-7269        Added help text to timezones and times in Face-to-face sessions
    TL-7272        Improved the layout of docked blocks
    TL-7378        Improved the behaviour of the audience-based visibility section of the edit course form


Bug fixes:

    TL-4527        Corrected PHP syntax error when using Hierarchy bulk actions.
    TL-5822        Added a warning to pre-install environment checks if the max_input_vars setting is too low.
    TL-6195        Fixed duplicate messages being sent to managers by Face-to-face when the user has an invalid email address
    TL-6265        Fixed navigation by month in the Face-to-face calendar block
    TL-6632        Fixed the generation of unique tokens within core libraries

                   There were several cases of uniqid being used to generate unique
                   identifiers or tokens.
                   These calls have now been improved to use a method that ensures a truly
                   unique identifier or token is generated.
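
                   Why the uniqid() replacement matters, as an added example (Python, not
                   Totara code; the project itself is PHP). PHP's uniqid() with no prefix
                   and more_entropy off returns 13 hex characters: eight for the whole
                   seconds and five for the microseconds of the current clock. The model
                   below reproduces that format from an integer microsecond timestamp and
                   shows the two consequences: the value decodes straight back to the clock
                   and can be enumerated in at most a million guesses once the issue time
                   is known to the second, and two producers that read the same clock value
                   get the same identifier. secrets.token_hex is shown as the CSPRNG-backed
                   replacement; the attacker and helper function names are this example's
                   own, and the page does not say which method Totara adopted. The same
                   entry (TL-6632) appears in the 2.6.24 and 2.5.31 notes below.

```python
"""Why a clock-derived identifier like PHP's uniqid() is not a security token.

Added example, not Totara code. php_uniqid() is a Python model of PHP's
uniqid() output with no prefix and more_entropy off (8 hex digits of
seconds, 5 hex digits of microseconds); the attacker model and the
secure replacement are this example's own.
"""
import hmac
import secrets
import time
from typing import Optional, Tuple

MICROS = 1_000_000


def php_uniqid(now_us: int) -> str:
    """Model of uniqid(): whole seconds then the microsecond remainder,
    both in hex. now_us is an integer microsecond timestamp (for example
    time.time_ns() // 1000), so the function is deterministic."""
    sec, usec = divmod(now_us, MICROS)
    return f"{sec:08x}{usec:05x}"


def decode_uniqid(token: str) -> Tuple[int, int]:
    """The encoding is invertible: the token *is* the clock reading and
    carries no secret, and any two producers that read the same clock
    value (separate workers or hosts) emit the same identifier."""
    return int(token[:8], 16), int(token[8:13], 16)


def brute_force_uniqid(target: str, known_second: int) -> Optional[Tuple[str, int]]:
    """Attacker model: once the issue time is known to the second (from a
    Date header, a log line or a neighbouring identifier) there are at
    most 10**6 candidates. Returns the recovered token and the number of
    guesses it took, or None if the guessed second was wrong."""
    for usec in range(MICROS):
        candidate = f"{known_second:08x}{usec:05x}"
        if candidate == target:
            return candidate, usec + 1
    return None


def secure_token(nbytes: int = 16) -> str:
    """Replacement: nbytes of OS CSPRNG output as hex (128 bits by default).
    Unguessable, and a collision is negligible, unlike a clock reading."""
    return secrets.token_hex(nbytes)


def tokens_equal(presented: str, stored: str) -> bool:
    """Constant-time comparison so a byte-by-byte mismatch does not leak
    through response timing when a token is checked."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    now_us = time.time_ns() // 1000
    weak = php_uniqid(now_us)
    sec, usec = decode_uniqid(weak)
    recovered = brute_force_uniqid(weak, sec)
    print(f"uniqid-style {weak} decodes to second={sec} usec={usec}")
    print(f"recovered by brute force in {recovered[1]} guesses")
    print(f"secrets.token_hex replacement: {secure_token()}")
```

                   Running the block directly prints a uniqid-style value for the current
                   time, recovers it by brute force, and prints a random replacement. The
                   general rule: an identifier that only needs to be unique can combine a
                   clock with a random component, but anything that acts as a credential
                   (password reset, confirmation or session tokens) must be unguessable,
                   which means a CSPRNG rather than the clock.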

    TL-6659        Refactored program assignment code

                   Refactored program assignment code to make it more efficient and easier to
                   maintain. It will also prevent SQL problems, which could occur on some
                   systems with some configurations, when assigning large numbers of users to
                   programs and certifications (such as using an audience). Performance for
                   adding and removing users has been improved by about a factor of two, while
                   performance when reprocessing existing user assignments (happens during
                   nightly cron) has been significantly improved (from 3 database queries per
                   user assignment down to zero). This should greatly reduce problems
                   experienced with long nightly cron jobs on large sites.

    TL-6804        Fixed competencies in a learning plan showing linked courses even when the course was hidden
    TL-6940        Fixed permissions handling when using the multiple hierarchy dialog

                   The multi hierarchy dialog extends the standard hierarchy dialog but failed
                   to pass through the fourth parameter. This caused the permissions to be
                   incorrectly checked resulting in a false permissions error.

    TL-6970        Fixed hierarchy page not loading due to MySQL join limit

                   MySQL has a limit of 61 tables in a join. When viewing a hierarchy
                   framework, when 60 or more custom fields were defined (across one or more
                   types), the page was failing to load. The query has been changed to prevent
                   this problem.

    TL-6980        Fixed the "Show only active enrolments" option in the Grader Report 
    TL-7023        The "Upcoming Certifications" block will now be hidden when "Enable Certifications" is set to Hide or Disable.
    TL-7035        Fixed inconsistent date fields in Excel exports from the Record of Learning - Certifications report source
    TL-7039        Prevented Face-to-face from sending booking confirmations for past sessions

                   When turning off "Approval required" for a Face-to-face activity a booking
                   notification was being sent for sessions in the past. This is now
                   prevented.

    TL-7045        Enable content restriction options for the Face-to-face interest report source
    TL-7074        Fixed the context for capability checks for the display of the button to create new courses, programs and certifications. 

                   Users who had been assigned a role with permissions to create programs,
                   certifications or courses within specific categories would not have the
                   relevant "Create" button within the enhanced catalog. Now if they have
                   permissions to create a program, certification or course within any
                   category, this button will appear. 

    TL-7114        See details

                   2.6, 2.5: 
                   Message: Show hidden programs to enrolled users in the Record of Learning
                   Details: Several problems were fixed relating to course, program and
                   certification visibility, in relation to the normal and audience based
                   visibility settings. In some situations, the normal visibility setting was
                   being used when audience visibility was enabled. As a consequence, hidden
                   assigned programs will now be visible in the Record of Learning, bringing
                   them in line with courses and certifications. As before this patch, hidden
                   assigned courses will not be accessible, but hidden assigned programs and
                   certifications will be.
                   
                   2.7:
                   Message: Show hidden courses, programs and certifications to enrolled users
                   in the Record of Learning
                   Details: Several problems were fixed relating to course, program and
                   certification visibility, in relation to the normal and audience based
                   visibility settings. In some situations, the normal visibility setting was
                   being used when audience visibility was enabled. As a consequence, hidden
                   assigned courses, programs and certifications will now be visible in the
                   Record of Learning, restoring the behaviour from Totara 2.6. As before this
                   patch, hidden assigned courses will not be accessible, but hidden assigned
                   programs and certifications will be.

    TL-7121        Fixed Programs that are potentially stuck as unavailable

                   In 2.6.10, we removed the "availability" checkbox, so that availability is
                   now controlled via the available from/until date fields. This upgrade
                   catches any programs left as unavailable without availability dates. Any
                   issues found will be output to the screen during the upgrade and saved to
                   the upgrade_logs.

    TL-7164        Fixed pagination on the Record of Learning course, program and certification history pages
    TL-7166        Added course reminders to the course backup and restore functionality
    TL-7186        Fixed the translation of generic error messages within totara dialogs
    TL-7191        Fixed a missing sesskey in ajax requests when creating a filter in report builder reports

                   The sesskey and relevant checks were missing in ajax requests involved in
                   adding some audience filters to the report builder.  These have now been
                   put in place. 
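
                   What a missing sesskey means in practice, as an added example (Python,
                   not Totara's own code). A sesskey is the per-session random value that
                   Moodle-derived code requires on state-changing requests as a defence
                   against cross-site request forgery: a page on another origin can make
                   the victim's browser send an AJAX request with the session cookie
                   attached, but it cannot read the victim's sesskey to include it. The
                   handler names, the session layout and the sample filter values below are
                   this example's assumptions. The same entry (TL-7191) appears in each of
                   the other releases below.

```python
"""A sesskey (per-session CSRF token) check on an AJAX handler, before and after.

Added example, not Totara's code. It models the pattern used by
Moodle-derived code: a random value is stored in the session at login,
every state-changing request must echo it back, and the server rejects
requests that do not. The handler, session layout and filter values are
this example's assumptions.
"""
import hmac
import secrets
from typing import Dict, List


class SesskeyError(Exception):
    """Raised when a state-changing request lacks a valid sesskey."""


def new_session(user_id: int) -> Dict[str, str]:
    """Session created at login. The sesskey is 128 bits from the OS
    CSPRNG, never derived from the session id, user id or the clock."""
    return {"user_id": str(user_id), "sesskey": secrets.token_hex(16)}


def confirm_sesskey(session: Dict[str, str], params: Dict[str, str]) -> bool:
    """True only when the request carries a sesskey equal to the session's.
    A missing or empty value is a failure, not a reason to skip the check,
    and the comparison is constant-time (bytes, so any input is accepted)."""
    presented = params.get("sesskey", "")
    expected = session.get("sesskey", "")
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def require_sesskey(session: Dict[str, str], params: Dict[str, str]) -> None:
    """Abort the request (here: raise) when confirm_sesskey() fails."""
    if not confirm_sesskey(session, params):
        raise SesskeyError("missing or invalid sesskey")


def add_filter_unchecked(session: Dict[str, str], params: Dict[str, str],
                         filters: List[dict]) -> List[dict]:
    """Before the fix: the handler changes server-side state with no
    sesskey check. Any page the logged-in user visits can fire this
    request, because the browser attaches the session cookie itself."""
    filters.append({"owner": session["user_id"], "filter": params["filter"]})
    return filters


def add_filter_checked(session: Dict[str, str], params: Dict[str, str],
                       filters: List[dict]) -> List[dict]:
    """After the fix: the same change, gated on the caller's own sesskey,
    which a page on another origin cannot read and therefore cannot send."""
    require_sesskey(session, params)
    return add_filter_unchecked(session, params, filters)


def simulate() -> Dict[str, bool]:
    """Run a legitimate and a forged request against both handlers."""
    victim = new_session(user_id=42)
    legit = {"filter": "audience:12", "sesskey": victim["sesskey"]}
    forged = {"filter": "audience:666"}  # cross-site page: no sesskey available
    outcome = {}
    outcome["unchecked_accepts_forged"] = len(add_filter_unchecked(victim, forged, [])) == 1
    outcome["checked_accepts_legit"] = len(add_filter_checked(victim, legit, [])) == 1
    try:
        add_filter_checked(victim, forged, [])
        outcome["checked_rejects_forged"] = False
    except SesskeyError:
        outcome["checked_rejects_forged"] = True
    return outcome


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {ok}")
```

                   confirm_sesskey treats a missing parameter as a failure rather than
                   skipping the check, and compares in constant time. Because the sesskey
                   is a secret, send it in the body of a POST rather than in a URL query
                   string wherever possible, so it does not end up in access logs or
                   Referer headers.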

    TL-7206        Fixed the default end date for learning plans not defaulting to the end date of the associated learning plan template
    TL-7215        Fixed reportbuilder filters for "Menu of choices" custom fields with values containing a comma
    TL-7220        Fixed the Foreign key checks for Totara Dashboards in the XMLDB editor
    TL-7222        Removed the dashboards link from the navigation node when a user has no dashboards assigned
    TL-7224        Fixed the display of Certificates where the "Print Date" depends on a deleted activity
    TL-7234        Fixed the caching of custom Totara Menu urls with course id parameter
    TL-7235        Fixed an error on repository settings pages for hidden but enabled repositories
    TL-7248        Reverted change causing an inability to see uploaded images in Internet Explorer
    TL-7263        Fixed the restoration of course backups containing invalid audience visibility settings

                   If you back up a course with audience visibility, the backup includes
                   the ids of all selected audiences. Previously, attempting to restore
                   such a backup on a site without matching audiences failed; now a
                   warning is logged and the course restore continues. It is important to
                   note that if you move backups between sites, the audience ids might not
                   match the expected audiences, so check the restored course's audience
                   visibility settings before relying on them.

    TL-7265        Improved the layout of tabs when viewing a SCORM
    TL-7275        Fixed case sensitivity for the search within Hierarchy bulk actions.
    TL-7281        Fixed Face-to-face signup process when approval is required for a session with no date

                   This issue occurred when a user signed up to a Face-to-face session that
                   required approval but did not yet have a date. When the manager approved
                   the signup request they were incorrectly booked into the session instead of
                   waitlisted.

    TL-7283        Fixed the field mapping for Organisation and Position imports using a database source
    TL-7292        Fixed a display issue with the file manager when loaded in an iframe

                   When loading the file manager within an atto editor instance and attempting
                   to upload a new file, the display was inconsistent with other file editors.
                   This patch fixes that issue.

    TL-7295        Removed the unused function rb_display_certification_duedate from the base source
    TL-7296        Fixed the minimum Totara 2.2 version in the UPGRADE.txt file
    TL-7303        Fixed hours_minutes display function in the report builder
    TL-7319        Fixed the display of custom fields in the report builder when using a non-English language
    TL-7323        Added checks for https:// links in the learning plans evidence link functionality
    TL-7328        Fixed checks for the course custom fields create, update, and delete capabilities
    TL-7333        Reset cache for current session if required and do not show a menu item if it is disabled through an "Advanced features" setting
    TL-7351        Fixed icon display when managing courses and categories
    TL-7360        Consistently prevent suspended and deleted users from getting any emails
    TL-7362        Updated INSTALL.txt to reflect support for IE8


Contributions:

    * Andrew Hancox at Synergy Learning - TL-6195
    * Carlos Jurado at Kineo UK - TL-6265
    * Eugene Venter at Catalyst - TL-7166
    * Pavel Tsakalidis at Kineo UK - TL-7164

Release 2.6.24 (22nd September 2015):

Security issues:

    TL-7373        Fixed potential XSS through grouping description
    TL-7374        Fixed the display of the manage files button in editors


Bug fixes:

    TL-4527        Corrected PHP syntax error when using Hierarchy bulk actions.
    TL-5822        Added a warning to pre-install environment checks if the max_input_vars setting is too low.
    TL-6195        Fixed duplicate messages being sent to managers by Face-to-face when the user has an invalid email address
    TL-6265        Fixed navigation by month in the Face-to-face calendar block
    TL-6632        Fixed the generation of unique tokens within core libraries

                   There were several cases of uniqid being used to generate unique
                   identifiers or tokens.
                   These calls have now been improved to use a method that ensures a truly
                   unique identifier or token is generated.

    TL-6659        Refactored program assignment code

                   Refactored program assignment code to make it more efficient and easier to
                   maintain. It will also prevent SQL problems, which could occur on some
                   systems with some configurations, when assigning large numbers of users to
                   programs and certifications (such as using an audience). Performance for
                   adding and removing users has been improved by about a factor of two, while
                   performance when reprocessing existing user assignments (happens during
                   nightly cron) has been significantly improved (from 3 database queries per
                   user assignment down to zero). This should greatly reduce problems
                   experienced with long nightly cron jobs on large sites.

    TL-6804        Fixed competencies in a learning plan showing linked courses even when the course was hidden
    TL-6940        Fixed permissions handling when using the multiple hierarchy dialog

                   The multi hierarchy dialog extends the standard hierarchy dialog but failed
                   to pass through the fourth parameter. This caused the permissions to be
                   incorrectly checked resulting in a false permissions error.

    TL-7035        Fixed inconsistent date fields in Excel exports from the Record of Learning - Certifications report source
    TL-7039        Prevented Face-to-face from sending booking confirmations for past sessions

                   When turning off "Approval required" for a Face-to-face activity a booking
                   notification was being sent for sessions in the past. This is now
                   prevented.

    TL-7074        Fixed the context for capability checks for the display of the button to create new courses, programs and certifications. 

                   Users who had been assigned a role with permissions to create programs,
                   certifications or courses within specific categories would not have the
                   relevant "Create" button within the enhanced catalog. Now if they have
                   permissions to create a program, certification or course within any
                   category, this button will appear. 

    TL-7114        See details

                   2.6, 2.5: 
                   Message: Show hidden programs to enrolled users in the Record of Learning
                   Details: Several problems were fixed relating to course, program and
                   certification visibility, in relation to the normal and audience based
                   visibility settings. In some situations, the normal visibility setting was
                   being used when audience visibility was enabled. As a consequence, hidden
                   assigned programs will now be visible in the Record of Learning, bringing
                   them in line with courses and certifications. As before this patch, hidden
                   assigned courses will not be accessible, but hidden assigned programs and
                   certifications will be.
                   
                   2.7:
                   Message: Show hidden courses, programs and certifications to enrolled users
                   in the Record of Learning
                   Details: Several problems were fixed relating to course, program and
                   certification visibility, in relation to the normal and audience based
                   visibility settings. In some situations, the normal visibility setting was
                   being used when audience visibility was enabled. As a consequence, hidden
                   assigned courses, programs and certifications will now be visible in the
                   Record of Learning, restoring the behaviour from Totara 2.6. As before this
                   patch, hidden assigned courses will not be accessible, but hidden assigned
                   programs and certifications will be.

    TL-7121        Fixed Programs that are potentially stuck as unavailable

                   In 2.6.10, we removed the "availability" checkbox, so that availability is
                   now controlled via the available from/until date fields. This upgrade
                   catches any programs left as unavailable without availability dates. Any
                   issues found will be output to the screen during the upgrade and saved to
                   the upgrade_logs.

    TL-7164        Fixed pagination on the Record of Learning course, program and certification history pages
    TL-7191        Fixed a missing sesskey in ajax requests when creating a filter in report builder reports

                   The sesskey and relevant checks were missing in ajax requests involved in
                   adding some audience filters to the report builder.  These have now been
                   put in place. 

    TL-7224        Fixed the display of Certificates where the "Print Date" depends on a deleted activity
    TL-7248        Reverted change causing an inability to see uploaded images in Internet Explorer
    TL-7265        Improved the layout of tabs when viewing a SCORM
    TL-7275        Fixed case sensitivity for the search within Hierarchy bulk actions.
    TL-7281        Fixed Face-to-face signup process when approval is required for a session with no date

                   This issue occurred when a user signed up to a Face-to-face session that
                   required approval but did not yet have a date. When the manager approved
                   the signup request they were incorrectly booked into the session instead of
                   waitlisted.

    TL-7283        Fixed the field mapping for Organisation and Position imports using a database source
    TL-7319        Fixed the display of custom fields in the report builder when using a non-English language
    TL-7323        Added checks for https:// links in the learning plans evidence link functionality
    TL-7360        Consistently prevent suspended and deleted users from getting any emails
    TL-7362        Updated INSTALL.txt to reflect support for IE8


Contributions:

    * Andrew Hancox at Synergy Learning - TL-6195
    * Carlos Jurado at Kineo UK - TL-6265
    * Pavel Tsakalidis at Kineo UK - TL-7164

Release 2.5.31 (22nd September 2015):

Security issues:

    TL-7373        Fixed potential XSS through grouping description


Bug fixes:

    TL-4527        Corrected PHP syntax error when using Hierarchy bulk actions.
    TL-5822        Added a warning to pre-install environment checks if the max_input_vars setting is too low.
    TL-6195        Fixed duplicate messages being sent to managers by Face-to-face when the user has an invalid email address
    TL-6632        Fixed the generation of unique tokens within core libraries

                   There were several cases of uniqid being used to generate unique
                   identifiers or tokens.
                   These calls have now been improved to use a method that ensures a truly
                   unique identifier or token is generated.

    TL-6659        Refactored program assignment code

                   Refactored program assignment code to make it more efficient and easier to
                   maintain. It will also prevent SQL problems, which could occur on some
                   systems with some configurations, when assigning large numbers of users to
                   programs and certifications (such as using an audience). Performance for
                   adding and removing users has been improved by about a factor of two, while
                   performance when reprocessing existing user assignments (happens during
                   nightly cron) has been significantly improved (from 3 database queries per
                   user assignment down to zero). This should greatly reduce problems
                   experienced with long nightly cron jobs on large sites.

    TL-6804        Fixed competencies in a learning plan showing linked courses even when the course was hidden
    TL-7039        Prevented Face-to-face from sending booking confirmations for past sessions

                   When turning off "Approval required" for a Face-to-face activity a booking
                   notification was being sent for sessions in the past. This is now
                   prevented.

    TL-7114        See details

                   2.6, 2.5: 
                   Message: Show hidden programs to enrolled users in the Record of Learning
                   Details: Several problems were fixed relating to course, program and
                   certification visibility, in relation to the normal and audience based
                   visibility settings. In some situations, the normal visibility setting was
                   being used when audience visibility was enabled. As a consequence, hidden
                   assigned programs will now be visible in the Record of Learning, bringing
                   them in line with courses and certifications. As before this patch, hidden
                   assigned courses will not be accessible, but hidden assigned programs and
                   certifications will be.
                   
                   2.7:
                   Message: Show hidden courses, programs and certifications to enrolled users
                   in the Record of Learning
                   Details: Several problems were fixed relating to course, program and
                   certification visibility, in relation to the normal and audience based
                   visibility settings. In some situations, the normal visibility setting was
                   being used when audience visibility was enabled. As a consequence, hidden
                   assigned courses, programs and certifications will now be visible in the
                   Record of Learning, restoring the behaviour from Totara 2.6. As before this
                   patch, hidden assigned courses will not be accessible, but hidden assigned
                   programs and certifications will be.

    TL-7191        Fixed a missing sesskey in ajax requests when creating a filter in report builder reports

                   The sesskey and relevant checks were missing in ajax requests involved in
                   adding some audience filters to the report builder.  These have now been
                   put in place. 

    TL-7224        Fixed the display of Certificates where the "Print Date" depends on a deleted activity
    TL-7248        Reverted change causing an inability to see uploaded images in Internet Explorer
    TL-7265        Improved the layout of tabs when viewing a SCORM
    TL-7360        Consistently prevent suspended and deleted users from getting any emails


Contributions:

    * Andrew Hancox at Synergy Learning - TL-6195

Release 2.4.34 (22nd September 2015):

Security issues:

    TL-7043        Fixed course creator role capabilities for managing audiences
    TL-7373        Fixed potential XSS through grouping description


Bug fixes:

    TL-4527        Corrected PHP syntax error when using Hierarchy bulk actions.
    TL-7039        Prevented Face-to-face from sending booking confirmations for past sessions

                   When turning off "Approval required" for a Face-to-face activity a booking
                   notification was being sent for sessions in the past. This is now
                   prevented.

    TL-7191        Fixed a missing sesskey in ajax requests when creating a filter in report builder reports

                   The sesskey and relevant checks were missing in ajax requests involved in
                   adding some audience filters to the report builder.  These have now been
                   put in place. 

    TL-7224        Fixed the display of Certificates where the "Print Date" depends on a deleted activity
    TL-7248        Reverted change causing an inability to see uploaded images in Internet Explorer
    TL-7358        Fixed a database error in the assignment module during course restore

Release 2.2.41 (22nd September 2015):


Security issues:

    TL-7043        Fixed course creator role capabilities for managing audiences
    TL-7373        Fixed potential XSS through grouping description


Bug fixes:

    TL-4527        Corrected PHP syntax error when using Hierarchy bulk actions.
    TL-7191        Fixed a missing sesskey in ajax requests when creating a filter in report builder reports

                   The sesskey and relevant checks were missing in ajax requests involved in
                   adding some audience filters to the report builder.  These have now been
                   put in place. 

    TL-7248        Reverted change causing an inability to see uploaded images in Internet Explorer