Hello everyone,
The following versions of Totara have now been released:
- 2.7.5
- 2.6.22
- 2.5.29
- 2.4.32
- 2.2.39
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Thanks to Sergey Vidusov at Androgogic and Russell England at Vision By Deloitte for their contributions to this release.
Changelogs are as follows:
Release 2.7.5 (21st July 2015):
Security issues:
TL-5289 Missing database record errors no longer contain the database table name
TL-6469 Fixed missing session key error when setting up scheduled reports
This occurred if a user search resulted in more than one page of results
and one of the page links was clicked. Session key checking was also added
to the audience dialog on this page.
TL-6823 Improved access control handling in Appraisal and Feedback360 assignments
Two scripts in Appraisal and two scripts in Feedback360 were identified as
having insufficient access control checks.
This has now been remedied and all required access control checks are now
being made in the four identified scripts.
TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments
TL-6930 Fixed incorrect protocol handling in the curl library
Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS
was limited by the existence of the CURLOPT_PROTOCOLS define.
This restriction has been removed as it was no longer necessary.
TL-7032 Improved the generation of random strings within core
It was brought to our attention that in some situations the random string
generation used during processes such as resetting of user passwords could
be predicted and possible exploits crafted.
Prior to this patch random string generation used the PHP built-in mt_rand
function.
After this change we use a variety of methods and fall back to our own
unpredictable generation.
Bug fixes:
TL-5562 Fixed a potential problem when inserting multiple records in a batch
This fixes a potential problem when importing a broken CSV file into course
completion and a potential minor problem when upgrading multiple custom
menu fields in Facetoface module.
TL-6338 Fixed behaviour of "send all to waitlist" Facetoface setting when manager approval is required
Previously when manager approval was required and the send all to waitlist
setting was enabled, when a user request was approved they were then
booked. This fixes the behaviour so the user is correctly put onto the
waitlist when their request is approved.
TL-6347 Fixed "Dropdown menu" profile custom fields always saving the first option
TL-6378 Fixed report builder display of columns showing 0, 0% or No when the data is empty
If a database column contains no value and a Reportbuilder report is using
a number, time, grade, percentage or yes/no display function then the cell
in the report will now show "-" or will be empty, rather than showing 0, 0%
or No. If a custom report expected to display 0, 0% or No, then it should
be changed to return a value of 0 when the data contains null or an empty
string, e.g. "CASE WHEN val IS NULL OR val = '' THEN 0 ELSE val END AS
val".
TL-6513 Fixed issue causing Certification expiry periods to double
If the Certification Completion Upload tool was used uploading completion
records for users who were already assigned to the Certification, an issue
could arise where the life of the certification would be incorrectly
doubled.
TL-6527 Fixed events not being called when audiences were unenrolled from courses
Some problems relating to Facetoface events were also fixed,
including users not being removed from future sessions when they were
removed in bulk from courses, and ensuring that users are only removed once
their last enrolment was removed.
This patch also includes changes to unenrol_user_bulk to prevent sql errors
caused by unassigning huge numbers of users at once, and adds tests to ensure
that individual and bulk unassigning is working correctly.
TL-6709 Fixed wrapping of long question titles in Appraisal PDF exports
TL-6745 Fixed an access control bug preventing a manager's manager from reviewing a learner's goals in appraisals
The permissions checks to determine who can view goals didn't allow a
manager's manager to view a learner's goals and incorrectly displayed a
permissions error when they tried to do so.
TL-6774 Fixed the display of buttons on the manage courses and category page
If a user didn't have the correct capabilities there would be 3 buttons
displayed with the text "Add new category" that didn't function correctly
due to a permissions issue. These buttons now only show when a user has the
correct permissions and function as expected.
TL-6776 Fixed fatal error when viewing competency records within a learning plan
TL-6784 Fixed the display of unassigned programs on the record of learning: programs report
The record of learning was not displaying programs assigned via learning
plans, or completed programs that the user was unassigned from.
TL-6786 Fixed empty usernames bug in reports for users uploaded with empty name fields
TL-6797 Fixed the access denied error message for appraisals
TL-6799 Fixed course creator role capabilities for managing audiences
TL-6802 Fixed a fatal error with learning plan enrolments when a course is included in multiple plans
TL-6808 Fixed missing calendar icon when adding a set completion date to an audiences enrolled learning
TL-6816 Fixed fatal error on cron task when calling function dp_plan_item_updated
TL-6818 Fixed handling of Facetoface completion records when changing attendance for a user
TL-6819 Changes in memcached connection settings are now applied immediately
Prior to this patch changes to memcached cache store settings were not
applied immediately.
These settings are now applied immediately after changing memcached cache
store settings.
Please note you still need to restart memcached server manually if the data
storage format changes.
TL-6833 Fixed a regression where the definition of user profile fields could not be edited
Code changes associated with TL-6600 resulted in a regression being
introduced that prevented site administrators from being able to edit the
definition of a custom user profile field.
TL-6940 Fixed permission handling when using multiple hierarchy dialog
The multi hierarchy dialog extends the standard hierarchy dialog but fails
to pass through the fourth parameter. This causes the permissions to be
incorrectly checked resulting in a false permissions error.
TL-6960 Fixed alignment of row headings in course completion report
TL-6976 Fixed issue where trainers were unable to annotate PDFs submitted as part of an assignment
TL-6979 Fixed Facetoface archive when certification window period equals active period
If a facetoface belonged to a course which belonged to a certification, and
the certification window open period was the same as the active period,
then when the course was reset to allow recertification, the facetoface
activity was automatically re-triggering completion and recertification.
TL-6997 Fix prog_get_all_programs incorrectly applying visibility
On sites which had switched from normal visibility settings to using
audience-based visibility, if a program had previously been set to
"hidden", progress was not being updated when users completed courses.
TL-7028 Fixed handling of incorrectly defined embedded reports
This patch fixed a fatal error that would be experienced on the
Reportbuilder manage reports screen if the site contained an incorrectly
defined embedded report.
This is a regression from performance improvements made in the last minor
release.
Improvements:
TL-5736 Course and certification completion import reports can now filter errors
A new 'errors' filter has been added to course and certification completion
import reports.
TL-6333 Improved robustness of completion and conditional activities in the SCORM module
Under cases of heavy learner load, or a misconfigured server, causing
errors and communication timeouts the SCORM instant completion could be
fragile, which could cause knock-on problems with the opening of any
subsequent conditional activities. These changes minimise the consequences
of any communication errors within the SCORM process.
TL-6573 Improved support for RTL languages in reportbuilder graphs
TL-6820 Improve performance when approving audience ruleset changes
TL-6829 Added an option to the SCORM activity to ignore mastery score when saving state
Prior to this patch when a SCORM package provided a mastery score, and
LMSFinish was called, and if a raw score had been determined then the
status was being recalculated using the raw score and the mastery score.
Any status provided by the SCORM (including "incomplete") was being
overridden.
Turning this option off (it is on by default, to maintain previous
behaviour) will prevent this override.
This is only applicable to SCORM 1.2 packages.
TL-6932 Added a link to the manage extension page in the program extension request emails
TL-6933 Fixed a regression that prevented managers from approving Facetoface requests without enrolling into the course
Contributions:
* Sergey Vidusov of Androgogic - TL-6820
* Russell England at Vision By Deloitte - TL-6932
Release 2.6.22 (21st July 2015):
Bug fixes:
TL-4479 Fixed bug with poorly wrapped forum subjects when sent as an email
TL-5552 Fixed manager approval being skipped when changing the date/time of a session
TL-5562 Fixed a potential problem when inserting multiple records in a batch
This fixes a potential problem when importing a broken CSV file into course
completion and a potential minor problem when upgrading multiple custom
menu fields in Facetoface module.
TL-6513 Fixed issue causing Certification expiry periods to double
If the Certification Completion Upload tool was used uploading completion
records for users who were already assigned to the Certification, an issue
could arise where the life of the certification would be incorrectly
doubled.
TL-6527 Fixed events not being called when audiences were unenrolled from courses
Some problems relating to Facetoface events were also fixed,
including users not being removed from future sessions when they were
removed in bulk from courses, and ensuring that users are only removed once
their last enrolment was removed.
This patch also includes changes to unenrol_user_bulk to prevent sql errors caused
by unassigning huge numbers of users at once, and adds tests to ensure that
individual and bulk unassigning is working correctly.
TL-6709 Fixed wrapping of long question titles in Appraisal PDF exports
TL-6745 Fixed an access control bug preventing a manager's manager from reviewing a learner's goals in appraisals
The permissions checks to determine who can view goals didn't allow a
manager's manager to view a learner's goals and incorrectly displayed a
permissions error when they tried to do so.
TL-6774 Fixed the display of buttons on the manage courses and category page
If a user didn't have the correct capabilities there would be 3 buttons
displayed with the text "Add new category" that didn't function correctly
due to a permissions issue. These buttons now only show when a user has the
correct permissions and function as expected.
TL-6776 Fixed fatal error when viewing competency records within a learning plan
TL-6784 Fixed the display of unassigned programs on the record of learning: programs report
The record of learning was not displaying programs assigned via learning
plans, or completed programs that the user was unassigned from.
TL-6799 Fixed course creator role capabilities for managing audiences
TL-6802 Fixed a fatal error with learning plan enrolments when a course is included in multiple plans
TL-6818 Fixed handling of Facetoface completion records when changing attendance for a user
TL-6819 Changes in memcached connection settings are now applied immediately
Prior to this patch changes to memcached cache store settings were not
applied immediately.
These settings are now applied immediately after changing memcached cache
store settings.
Please note you still need to restart memcached server manually if the data
storage format changes.
TL-6832 Fixed course breadcrumbs not showing with audience visibility enabled
If a course's Visibility was set to Hidden and then Audience Based
Visibility was enabled, the breadcrumbs were not showing when a learner
viewed the course.
TL-6979 Fixed Facetoface archive when certification window period equals active period
If a facetoface belonged to a course which belonged to a certification, and
the certification window open period was the same as the active period,
then when the course was reset to allow recertification, the facetoface
activity was automatically re-triggering completion and recertification.
TL-6997 Fix prog_get_all_programs incorrectly applying visibility
On sites which had switched from normal visibility settings to using
audience-based visibility, if a program had previously been set to
"hidden", progress was not being updated when users completed courses.
TL-7028 Fixed handling of incorrectly defined embedded reports
This patch fixed a fatal error that would be experienced on the
Reportbuilder manage reports screen if the site contained an incorrectly
defined embedded report.
This is a regression from performance improvements made in the last minor
release.
Security issues:
TL-5289 Missing database record errors no longer contain the database table name
TL-6823 Improved access control handling in Appraisal and Feedback360 assignments
Two scripts in Appraisal and two scripts in Feedback360 were identified as
having insufficient access control checks.
This has now been remedied and all required access control checks are now
being made in the four identified scripts.
TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments
TL-6930 Fixed incorrect protocol handling in the curl library
Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS
was limited by the existence of the CURLOPT_PROTOCOLS define.
This restriction has been removed as it was no longer necessary.
TL-7032 Improved the generation of random strings within core
It was brought to our attention that in some situations the random string
generation used during processes such as resetting of user passwords could
be predicted and possible exploits crafted.
Prior to this patch random string generation used the PHP built-in mt_rand
function.
After this change we use a variety of methods and fall back to our own
unpredictable generation.
Improvements:
TL-5736 Course and certification completion import reports can now filter errors
A new 'errors' filter has been added to course and certification completion
import reports.
TL-6333 Improved robustness of completion and conditional activities in the SCORM module
Under cases of heavy learner load, or a misconfigured server, causing
errors and communication timeouts the SCORM instant completion could be
fragile, which could cause knock-on problems with the opening of any
subsequent conditional activities. These changes minimise the consequences
of any communication errors within the SCORM process.
TL-6829 Added an option to the SCORM activity to ignore mastery score when saving state
Prior to this patch when a SCORM package provided a mastery score, and
LMSFinish was called, and if a raw score had been determined then the
status was being recalculated using the raw score and the mastery score.
Any status provided by the SCORM (including "incomplete") was being
overridden.
Turning this option off (it is on by default, to maintain previous
behaviour) will prevent this override.
This is only applicable to SCORM 1.2 packages.
TL-6932 Added a link to the manage extension page in the program extension request emails
TL-6933 Fixed a regression that prevented managers from approving Facetoface requests without enrolling into the course
TL-7040 Improved default capabilities for totara sync
Contributions:
* Russell England at Vision By Deloitte - TL-6932
Release 2.5.29 (21st July 2015):
Bug fixes:
TL-4479 Fixed bug with poorly wrapped forum subjects when sent as an email
TL-5552 Fixed manager approval being skipped when changing the date/time of a session
TL-5562 Fixed a potential problem when inserting multiple records in a batch
This fixes a potential problem when importing a broken CSV file into course
completion and a potential minor problem when upgrading multiple custom
menu fields in Facetoface module.
TL-6513 Fixed issue causing Certification expiry periods to double
If the Certification Completion Upload tool was used uploading completion
records for users who were already assigned to the Certification, an issue
could arise where the life of the certification would be incorrectly
doubled.
TL-6527 Fixed events not being called when audiences were unenrolled from courses
Some problems relating to Facetoface events were also fixed,
including users not being removed from future sessions when they were
removed in bulk from courses, and ensuring that users are only removed once
their last enrolment was removed.
TL-6653 Fixed email duplication from program enrolment messaging
TL-6709 Fixed wrapping of long question titles in Appraisal PDF exports
TL-6784 Fixed the display of unassigned programs on the record of learning: programs report
The record of learning was not displaying programs assigned via learning
plans, or completed programs that the user was unassigned from.
TL-6799 Fixed course creator role capabilities for managing audiences
TL-6802 Fixed a fatal error with learning plan enrolments when a course is included in multiple plans
TL-6979 Fixed Facetoface archive when certification window period equals active period
If a facetoface belonged to a course which belonged to a certification, and
the certification window open period was the same as the active period,
then when the course was reset to allow recertification, the facetoface
activity was automatically re-triggering completion and recertification.
TL-6997 Fix prog_get_all_programs incorrectly applying visibility
On sites which had switched from normal visibility settings to using
audience-based visibility, if a program had previously been set to
"hidden", progress was not being updated when users completed courses.
Security issues:
TL-5289 Missing database record errors no longer contain the database table name
TL-6823 Improved access control handling in Appraisal and Feedback360 assignments
Two scripts in Appraisal and two scripts in Feedback360 were identified as
having insufficient access control checks.
This has now been remedied and all required access control checks are now
being made in the four identified scripts.
TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments
TL-6930 Fixed incorrect protocol handling in the curl library
Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS
was limited by the existence of the CURLOPT_PROTOCOLS define.
This restriction has been removed as it was no longer necessary.
TL-7032 Improved the generation of random strings within core
It was brought to our attention that in some situations the random string
generation used during processes such as resetting of user passwords could
be predicted and possible exploits crafted.
Prior to this patch random string generation used the PHP built-in mt_rand
function.
After this change we use a variety of methods and fall back to our own
unpredictable generation.
Improvements:
TL-6932 Added a link to the manage extension page in the program extension request emails
TL-7040 Improved default capabilities for totara sync
Contributions:
* Russell England at Vision By Deloitte - TL-6932
Release 2.4.32 (21st July 2015):
Security issues:
TL-5289 Missing database record errors no longer contain the database table name
TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments
TL-6930 Fixed incorrect protocol handling in the curl library
Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS
was limited by the existence of the CURLOPT_PROTOCOLS define.
This restriction has been removed as it was no longer necessary.
TL-7032 Improved the generation of random strings within core
It was brought to our attention that in some situations the random string
generation used during processes such as resetting of user passwords could
be predicted and possible exploits crafted.
Prior to this patch random string generation used the PHP built-in mt_rand
function.
After this change we use a variety of methods and fall back to our own
unpredictable generation.
Bug fixes:
TL-6527 Fixed events not being called when audiences were unenrolled from courses
Some problems relating to Facetoface events were also fixed,
including users not being removed from future sessions when they were
removed in bulk from courses, and ensuring that users are only removed once
their last enrolment was removed.
Release 2.2.39 (21st July 2015):
Security issues:
TL-5289 Missing database record errors no longer contain the database table name
TL-6927 Fixed incorrect synchronisation of suspended users in course meta enrolments
TL-6930 Fixed incorrect protocol handling in the curl library
Prior to this patch use of CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS
was limited by the existence of the CURLOPT_PROTOCOLS define.
This restriction has been removed as it was no longer necessary.
TL-7032 Improved the generation of random strings within core
It was brought to our attention that in some situations the random string
generation used during processes such as resetting of user passwords could
be predicted and possible exploits crafted.
Prior to this patch random string generation used the PHP built-in mt_rand
function.
After this change we use a variety of methods and fall back to our own
unpredictable generation.
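
The TL-7032 entry repeated in each release's security section describes moving secret generation (such as password reset strings) off mt_rand. The PHP below is an added example, not Totara's code: it sets an mt_rand-based generator beside one that tries several OS-backed random sources in turn. The function names and TOKEN_ALPHABET are hypothetical, and where Totara falls back to its own generation this example assumes failing closed instead.

```php
<?php
// Added example. Function names are hypothetical; this is not Totara's code.
const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Pre-patch pattern the changelog describes: mt_rand() is a Mersenne Twister
// whose whole output stream follows from its seed, so it must not mint secrets.
function weak_random_string($length, $alphabet = TOKEN_ALPHABET) {
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Try several OS-backed sources in order and fail closed if none works.
function secure_random_bytes($count) {
    if (function_exists('random_bytes')) {               // PHP 7 and later
        return random_bytes($count);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($count, $strong);
        if ($bytes !== false && $strong && strlen($bytes) === $count) {
            return $bytes;
        }
    }
    if (is_readable('/dev/urandom') && ($fh = fopen('/dev/urandom', 'rb'))) {
        stream_set_read_buffer($fh, 0);                   // unbuffered: read only $count bytes
        $bytes = fread($fh, $count);
        fclose($fh);
        if ($bytes !== false && strlen($bytes) === $count) {
            return $bytes;
        }
    }
    throw new RuntimeException('No cryptographically secure random source available');
}

// Map random bytes onto the alphabet with rejection sampling, so that every
// character is equally likely (a plain "% $n" would favour the first few).
function secure_random_string($length, $alphabet = TOKEN_ALPHABET) {
    $n = strlen($alphabet);
    if ($length < 1 || $n < 2 || $n > 256) {
        throw new InvalidArgumentException('Bad length or alphabet size');
    }
    $limit = 256 - (256 % $n);   // largest multiple of $n that fits in one byte
    $out = '';
    while (strlen($out) < $length) {
        foreach (str_split(secure_random_bytes($length)) as $byte) {
            $v = ord($byte);
            if ($v < $limit && strlen($out) < $length) {
                $out .= $alphabet[$v % $n];
            }
        }
    }
    return $out;
}

// Re-seeding with the same value reproduces the weak token exactly.
mt_srand(20150721);
$first = weak_random_string(20);
mt_srand(20150721);
$second = weak_random_string(20);
echo 'mt_rand token repeats under the same seed: ', var_export($first === $second, true), "\n";
echo 'CSPRNG-backed reset token: ', secure_random_string(32), "\n";
```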
