Hello everyone,
The following versions of Totara have now been released:
- 2.7.8
- 2.6.25
- 2.5.32
- 2.4.35
- 2.2.42
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Thanks to the following people for their contributions: Amir Elion at Kineo Israel, Joby Harding from Mindclick and Eugene Venter from Catalyst NZ.

Release 2.7.8 (20th October 2015):

Security issues:

- TL-7112 Added options to secure how referrer information is sent to external sites
- TL-7138 Improved the cleaning of dynamically generated module names

  Calling "required_param('module', PARAM_COMPONENT)" actually restricts the allowable characters in a module name and the function returns an empty string upon detecting an invalid module name. In the past, there was no check if an empty string was indeed returned. Now, the code throws an "invalid_parameter_exception" if the required_param() call returns an empty string.
- TL-7152 Added workaround for known security issues with Flowplayer
- TL-7377 Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Improvements:

- TL-6570 Added events to the Totara Alerts and Tasks APIs
- TL-6821 Added full textual representation for the 'month of year' and for the 'weekday' within report builder reports
- TL-7089 Added support for external Oracle databases in HR Import
- TL-7298 Implemented access to courses with "enrolled only" visibility via visible programs

  Previously, if users were assigned to a program containing courses with visibility settings of "enrolled users only" or "enrolled users and members of selected audiences" where they weren't a member of the selected audience(s) and weren't already assigned to the courses, the users couldn't launch the courses because they were hidden. Launching the course from the record of learning and required learning pages now processes enrolments before checking visibility, allowing users access to the course.
- TL-7316 Added 'Percentage Completed via RPL' column to 'Course completion by RPL' report source
- TL-7397 Reduced the memory usage of program assignment completion date calculations

  These functions were loading huge amounts of data in an attempt to improve speed, much of which was never going to be used, and resulted in memory overflows in some large sites. They now load smaller chunks of data which are more likely to be used; this should result in a better balance between speed and memory use.
- TL-7402 Improved the fixed expiry minimum calculation to be relative to completion date

  Previously, the "Minimum active period" was being calculated relative to the current date. This worked fine for users completing their certifications within Totara, but completion uploads resulted in unexpected results. Now, the calculation will ensure that the new expiry date is at least "Minimum active period" away from the completion date. If the completion date was far in the past, the calculated expiry date may also be in the past. This change will have little effect on users completing their certifications within Totara (the exception being where an activity reports completion to have occurred some time in the past, such as Face to face).
- TL-7413 Improved the completion upload instructions for the certifications "duedate" column
- TL-7419 Improved scheduled tasks error logging
- TL-7511 Improved the layout of the dock when using the Kiwifruit responsive theme
- TL-7512 Increased the size of icons within the enhanced catalogue when using the Kiwifruit responsive theme
- TL-7528 Removed the gap between toolbars and editor content in the Kiwifruit responsive theme
- TL-7576 Improved the performance of the prog_get_all_programs function

  This change should improve the performance of the Record of Learning Programs & Certifications tabs, along with the required learning page. This will be most noticeable for larger mysql sites.
- TL-7613 Improved right-to-left language support within the my team report
- TL-7656 Added docs explaining that db row locking is not reliable

  Documentation on lock factories has been expanded to explain that database locking is not reliable and should only be used as a last option. The main reason for this is that the cleanup of locks may be delayed until shutdown. This can lead to locks not being released in the following situations:

  * If PHP segfaults, as in this situation shutdown handlers are not executed.
  * The database connection is dropped or closed prior to the shutdown handlers finishing their execution.
  * Incorrect configuration of FastCGI (especially on IIS) can lead to cron scripts terminating prematurely after a relatively short period of time.
  * If PHP runs out of memory during its operation.

Bug fixes:

- TL-4379 Fixed the behaviour of Face-to-face notification templates

  Face-to-face notifications are now linked to Face-to-face templates. This allows updates to templates to also update linked notifications. This also means when creating a new Face-to-face activity there will be notifications for all templates.
- TL-5226 Fixed incorrect email footer when a Feedback360 request is sent to external users
- TL-5261 Made the course upload tool respect the defaults for course completion settings
- TL-5730 Scheduled Face-to-face notifications are now only sent to users who were eligible at the time

  Previously, if a notification was scheduled to be sent out a certain amount of time prior to the start of the Face-to-face session, this notification would also be sent to any new users who signed up after the scheduled time. Now, even if cron is run much later, these notifications will only go to users who were eligible to receive the notification at the time it was due to be sent. The condition still exists that they must currently be eligible. For example, if a notification is to be sent to booked users only, and a booked user cancels before the notification is sent out, that user will not receive the notification.
- TL-6877 Allow a user to enter a Face-to-face signup note when using the direct enrolment plugin
- TL-6909 Fixed dynamic audience rules based upon checkbox organisation custom fields
- TL-7134 Fixed the 'Force password change' flag which was being incorrectly set for single sign on authentication types
- TL-7181 Fixed and restored recipients default values for Face-to-face automatic notifications if they were updated
- TL-7286 Fixed HR Import to properly handle csv files with UTF BOM encoding
- TL-7306 Fixed Face-to-face notifications showing a timezone of 99 when set to display in the user's timezone

  Previously, Face-to-face notifications that used the [alldates] placeholder would show '99' in place of the timezone when a session was set to display in the user's timezone. This has been fixed so that they properly show the user's timezone.
- TL-7308 Fixed possible timeouts when activating appraisals and creating appraisal snapshots
- TL-7317 Prevented a scenario in the question bank where it was possible to make a question category one of its own children

  It was possible for a question category to be a parent of its own child if two people had the edit page open at the same time. This can no longer happen and an appropriate error message will be displayed instead.
- TL-7334 Fixed the user selector to respect the user identity settings
- TL-7338 Removed blank lines from error cells when exporting completion upload reports
- TL-7365 Fixed the display of the task block when empty yet configured to show
- TL-7391 Fixed current session pagination to hide/show reportbuilder columns
- TL-7414 Fixed view hidden learning capabilities when managing learning

  The capabilities 'moodle/course:viewhiddencourses', 'totara/program:viewhiddenprograms' and 'totara/certification:viewhiddencertifications' were not being checked correctly when viewing the old course, program or certification catalogs or managing courses, programs or certifications. This prevented users who had been granted one of these capabilities at a category level from viewing the corresponding content at that level or below.

  Note: This still will not work for the enhanced catalog, due to restrictions with capability checks in report builder sources.
- TL-7431 Fixed the validation of position start and end date when importing users via HR Import
- TL-7435 Fixed the misalignment of table cells on the Face-to-face attendance page
- TL-7436 Fixed the editing of a user's position so that the description field is now saved the first time it is edited
- TL-7442 Audience management tabs now correctly check moodle/cohort:view

  The capability 'moodle/cohort:view' now allows a user to view, but not edit, the tabs for enrolled learning, visible learning and goals. This works in both system and category contexts.
- TL-7447 Added help icons to Totara Connect client edit form
- TL-7448 Prevented historical Face-to-face session completions from overriding more recent ones

  There were a couple of problems with Face-to-face session completions. If you marked attendance for a user in a recent session, then later marked their attendance in an older session, then the older session date was being used when calculating completion. This caused a problem when the course had been reset as part of a certification, or when activity completion criteria were unlocked and deleted.
- TL-7450 Prevent incorrect notifications from being sent to users when acting upon a Face-to-face booking request task

  When a booking request is approved or declined via the tasks block in My Learning, but the request had already been actioned directly via the Approval required tab in the Face-to-face activity, an incorrect notification would be sent to the learner.
- TL-7484 Fixed regression in phpunit tests with incorrect file location
- TL-7499 Fixed which users get shown in the recipients fields when manually awarding a badge
- TL-7500 Fixed program availability with available from date only
- TL-7517 Fixed the sync password setting for Totara Connect server
- TL-7522 Fixed the export of user reports where the User ID was being exported instead of the user's fullname
- TL-7534 Fixed the HR Import of custom user date fields when some values are missing from the CSV file
- TL-7554 Fixed the use of a PHP short tag when adding a menu of choices custom field filter in report builder
- TL-7563 Enabled dock in older versions of internet explorer (IE8 & IE9)
- TL-7570 Fixed the display of Positions and Organisations within the administration block

  Previously users with permission to view positions and organisations were not always shown these items within the administration settings block. These pages are now correctly shown to users who have permission to view them.
- TL-7573 Improved right-to-left language support within multi-select dialogs
- TL-7592 Fixed room checks to prevent the double booking of rooms
- TL-7650 Increased the length of some database fields in appraisals

  Short field lengths for scale values and sorting could lead to database errors if adding more than 99 questions to a single page in an appraisal, or more than 99 values to a single scale. This has been fixed by increasing the size of the sortorder and scaletype fields within appraisals.

API changes:

- TL-7502 Embedding of Youtube content now uses the current Google API

  This is a backport of MDL-50176. Google has switched off support for the API Totara was previously using for Youtube. The current API is now in place and being used for all embedded Youtube content.

Contributions:

* Amir Elion at Kineo Israel - TL-7613
* Joby Harding from Mindclick - TL-6570

Release 2.6.25 (20th October 2015):

Security issues:

- TL-7138 Improved the cleaning of dynamically generated module names

  Calling "required_param('module', PARAM_COMPONENT)" actually restricts the allowable characters in a module name and the function returns an empty string upon detecting an invalid module name. In the past, there was no check if an empty string was indeed returned. Now, the code throws an "invalid_parameter_exception" if the required_param() call returns an empty string.
- TL-7152 Added workaround for known security issues with Flowplayer
- TL-7377 Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Bug fixes:

- TL-5226 Fixed incorrect email footer when a Feedback360 request is sent to external users
- TL-5261 Made the course upload tool respect the defaults for course completion settings
- TL-5730 Scheduled Face-to-face notifications are now only sent to users who were eligible at the time

  Previously, if a notification was scheduled to be sent out a certain amount of time prior to the start of the Face-to-face session, this notification would also be sent to any new users who signed up after the scheduled time. Now, even if cron is run much later, these notifications will only go to users who were eligible to receive the notification at the time it was due to be sent. The condition still exists that they must currently be eligible. For example, if a notification is to be sent to booked users only, and a booked user cancels before the notification is sent out, that user will not receive the notification.
- TL-6909 Fixed dynamic audience rules based upon checkbox organisation custom fields
- TL-7171 Fixed calls to send email when the user does not have an email address

  Totara Sync allows users to be created without an email address. This was leading to issues when processing certification messages if the user had not logged in and set an email address. In this case a notification was added for them by each cron run, every 15 minutes. If they then logged in they would be presented with repeated notifications. The root of this issue was the email processor expecting a valid email address.
- TL-7181 Fixed and restored recipients default values for Face-to-face automatic notifications if they were updated
- TL-7286 Fixed HR Import to properly handle csv files with UTF BOM encoding
- TL-7299 Fixed display of newline characters in reportbuilder pdf (landscape) exports
- TL-7308 Fixed possible timeouts when activating appraisals and creating appraisal snapshots
- TL-7365 Fixed the display of the task block when empty yet configured to show
- TL-7436 Fixed the editing of a user's position so that the description field is now saved the first time it is edited
- TL-7448 Prevented historical Face-to-face session completions from overriding more recent ones

  There were a couple of problems with Face-to-face session completions. If you marked attendance for a user in a recent session, then later marked their attendance in an older session, then the older session date was being used when calculating completion. This caused a problem when the course had been reset as part of a certification, or when activity completion criteria were unlocked and deleted.
- TL-7500 Fixed program availability with available from date only
- TL-7522 Fixed the export of user reports where the User ID was being exported instead of the user's fullname
- TL-7570 Fixed the display of Positions and Organisations within the administration block

  Previously users with permission to view positions and organisations were not always shown these items within the administration settings block. These pages are now correctly shown to users who have permission to view them.

API changes:

- TL-7502 Embedding of Youtube content now uses the current Google API

  This is a backport of MDL-50176. Google has switched off support for the API Totara was previously using for Youtube. The current API is now in place and being used for all embedded Youtube content.

Contributions:

* Eugene Venter from Catalyst NZ - TL-7299

Release 2.5.32 (20th October 2015):

Security issues:

- TL-7138 Improved the cleaning of dynamically generated module names

  Calling "required_param('module', PARAM_COMPONENT)" actually restricts the allowable characters in a module name and the function returns an empty string upon detecting an invalid module name. In the past, there was no check if an empty string was indeed returned. Now, the code throws an "invalid_parameter_exception" if the required_param() call returns an empty string.
- TL-7152 Added workaround for known security issues with Flowplayer
- TL-7377 Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Bug fixes:

- TL-5730 Scheduled Face-to-face notifications are now only sent to users who were eligible at the time

  Previously, if a notification was scheduled to be sent out a certain amount of time prior to the start of the Face-to-face session, this notification would also be sent to any new users who signed up after the scheduled time. Now, even if cron is run much later, these notifications will only go to users who were eligible to receive the notification at the time it was due to be sent. The condition still exists that they must currently be eligible. For example, if a notification is to be sent to booked users only, and a booked user cancels before the notification is sent out, that user will not receive the notification.
- TL-6909 Fixed dynamic audience rules based upon checkbox organisation custom fields
- TL-7181 Fixed and restored recipients default values for Face-to-face automatic notifications if they were updated
- TL-7308 Fixed possible timeouts when activating appraisals and creating appraisal snapshots
- TL-7436 Fixed the editing of a user's position so that the description field is now saved the first time it is edited
- TL-7448 Prevented historical Face-to-face session completions from overriding more recent ones

  There were a couple of problems with Face-to-face session completions. If you marked attendance for a user in a recent session, then later marked their attendance in an older session, then the older session date was being used when calculating completion. This caused a problem when the course had been reset as part of a certification, or when activity completion criteria were unlocked and deleted.
- TL-7570 Fixed the display of Positions and Organisations within the administration block

  Previously users with permission to view positions and organisations were not always shown these items within the administration settings block. These pages are now correctly shown to users who have permission to view them.

API changes:

- TL-7502 Embedding of Youtube content now uses the current Google API

  This is a backport of MDL-50176. Google has switched off support for the API Totara was previously using for Youtube. The current API is now in place and being used for all embedded Youtube content.

Release 2.4.35 (20th October 2015):

Security issues:

- TL-7152 Added workaround for known security issues with Flowplayer
- TL-7377 Fixed the capability moodle/cohort:view allowing a user to edit global audience settings

Release 2.2.42 (20th October 2015):

Security issues:

- TL-7152 Added workaround for known security issues with Flowplayer
- TL-7377 Fixed the capability moodle/cohort:view allowing a user to edit global audience settings
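
The TL-7138 entry describes a cleaner that signals rejection by returning an empty string, and a caller that now treats that empty string as an error. The pattern is sketched below as an added example, which is not Totara or Moodle code: clean_component_name(), its pattern, the "_get_info" suffix and the sample inputs are hypothetical, and the exception class is a local stand-in so the file runs on its own.

```php
<?php
// Added illustration of the TL-7138 check; not Totara or Moodle source code.

// Local stand-in for Moodle's exception class so this file runs on its own.
class invalid_parameter_exception extends Exception {}

// Hypothetical, simplified cleaner. Like the PARAM_COMPONENT cleaning described
// above, it never repairs a bad value: it returns '' instead.
function clean_component_name(string $raw): string {
    // Assumed pattern for this example only; the real rule set may differ.
    return preg_match('/^[a-z][a-z0-9_]*[a-z0-9]$/', $raw) === 1 ? $raw : '';
}

// Before: the cleaned value is used without checking for the '' sentinel,
// so a name is still generated from a rejected module (hypothetical suffix).
function callback_name_unchecked(array $request): string {
    $module = clean_component_name($request['module'] ?? '');
    return $module . '_get_info';
}

// After: '' is treated as a rejected parameter and processing stops.
function callback_name_checked(array $request): string {
    $module = clean_component_name($request['module'] ?? '');
    if ($module === '') {
        throw new invalid_parameter_exception('Invalid module name');
    }
    return $module . '_get_info';
}

// Constructed sample inputs: one valid name, three that the cleaner rejects.
foreach (['mod_forum', 'Mod Forum', 'mod/forum', ''] as $raw) {
    $request = ['module' => $raw];
    $before = callback_name_unchecked($request);
    try {
        $after = callback_name_checked($request);
    } catch (invalid_parameter_exception $e) {
        $after = 'exception: ' . $e->getMessage();
    }
    printf("%-12s before=%-18s after=%s\n", var_export($raw, true), $before, $after);
}
```

For every rejected input the unchecked caller still produces the name "_get_info", while the checked caller raises the exception before any name is generated.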