Totara Release Notes

Security releases for Totara 2.9.1, 2.7.9, 2.6.26, 2.5.33, 2.4.36, and 2.2.43 released 16 November 2015

 
Simon Player
Security releases for Totara 2.9.1, 2.7.9, 2.6.26, 2.5.33, 2.4.36, and 2.2.43 released 16 November 2015
by Simon Player - Monday, 16 November 2015, 8:53 AM
Group Totara

Hello everyone,

The following versions of Totara have now been released:

    2.9.1
    2.7.9
    2.6.26
    2.5.33
    2.4.36
    2.2.43

These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.

Thanks to Eugene Venter from Catalyst NZ for his contribution.

 

Release 2.9.1 (16th November 2015):

Security issues:

    TL-7829        Removed reliance on url parameter for choosing table

                   The script for getting the positions and organisations to assign to a
                   program relied on a url parameter to choose which table to access. The
                   table is now chosen according to the type of hierarchy that the query is
                   for. 

    TL-7886        Fixed access checks for the position assignment AJAX script

New features:

    TL-7850        Merged Moodle 2.9.3

                   Security related issues:
                   * MDL-51861 enrol: Don't get all parts in get_enrolled_users with groups
                   * MDL-51684 badges: Make sure 'moodle/badges:viewbadges' is respected
                   * MDL-51569 mod_choice: validate user actions and availability
                   * MDL-51091 core_registration: session key check in registration.
                   * MDL-51000 editor_atto: No autosave for guests
                   * MDL-50837 mod_scorm: Fix availability checks
                   * MDL-50426 messaging: Fix permissions checks when sending messages
                   * MDL-49940 mod_survey: Fix XSS
                   * MDL-48109 mod_lesson: prevent CSRF on password protected lesson



Improvements:

    TL-6282        Improved handling and displaying of the user's name in Core dialogs
    TL-6529        Added the manager's email as a selectable column for reports that include user's position fields
    TL-6657        Added actual due dates to program Assignments and audience Enrolled Learning tabs

                   The Assignments tab in programs and certifications and the Enrolled
                   Learning tab in audiences now include a column "Actual due date". This new
                   column shows the due date that the user will see. For group assignments
                   (such as audiences or organisations), clicking the "View dates" link will
                   show a popup with a list of all assigned users relating to that group
                   assignment. The help popup for the "Actual due date" column explains why
                   assignment due dates may be different from the actual due dates. After
                   upgrading, the "Actual due date" field can be manually added to the
                   "Audience: Enrolled Learning" embedded report, or you can reset it to the
                   default to have it automatically added.

    TL-7183        Trigger updates to program user assignments when changing assignments via the audience Enrolled Learning tab

                   When you make a change in an audience's Enrolled Learning tab, it will
                   immediately trigger an update of program and certification user
                   assignments. If there are less than 200 total users involved in the program
                   then the users will be processed immediately, otherwise the update will be
                   deferred. By default, deferred program user assignments are processed the
                   next time cron runs. This patch makes the behaviour consistent with making
                   changes in a program's Assignments tab.

    TL-7256        Mark programs for deferred user assignment update when assignment membership changes

                   This patch includes several improvements which cause program and
                   certification memberships to be updated sooner:
                   * When audience membership changes, either by a user manually editing an
                   audience or when a dynamic audience's membership is automatically updated,
                   related programs and certifications will be marked as having user
                   assignment changes deferred.
                   * When a user's assigned position, organisation or manager change, programs
                   and certifications related to the old and new positions, organisations and
                   management hierarchy are marked as having user assignment changes
                   deferred.
                   
                   With this change in place, all changes to program membership should now be
                   detected as they occur and are either processed immediately or by the
                   "Deferred program assignments changes" scheduled task. As such, we
                   recommend setting the related tasks to their default schedules: "Deferred
                   program assignments changes" can be run every time cron runs, while
                   "Program user assignments" only needs to be run once per day.

    TL-7575        Removed Totara menu from the print layout
    TL-7741        Removed HTML table behind the Weekend Days setting
    TL-7745        Added labels to settings on Site administration > Front page > Front page settings
    TL-7748        Improved Accessibility when editing the Site administration > Plugins > Activity modules > Quiz Settings
    TL-7750        Improved layout of "User Fullname (with links to learning components)" Report builder column
    TL-7792        Added settings to enforce https access and prevent embedding of content in external Flash and PDF files
    TL-7813        Reduced events triggered when program user assignments are updated

                   Some events were being triggered unnecessarily when updating program and
                   certification user assignments. They will now only be triggered if it is
                   certain that there are changes that need to be signalled.
                   
                   Please remember that user_assignments_task by default is scheduled to
                   execute just once per day, whereas assignments_deferred_task is designed to
                   be run every time cron runs.

    TL-7824        Moved program user assignment deferred flag reset to start of functon

                   If changes are made to a program's assignments while the function is
                   running in cron, those changes will be processed the next time cron runs,
                   rather than having to wait until the nightly cron or another change is
                   made.

    TL-7878        Added a page title when adding and removing Feedback360 requests with javascript turned off

Bug fixes:

    TL-6936        Face-to-face direct enrolment plugin allows users to signup to more then one Face-to-face.

                   Users can now sign up to one session per Face-to-face in the course via the
                   Face-to-face direct enrolment plugin. If at least one of the session
                   signups was successful then user will be enrolled to the course.
                   
                   If all successful signups require managers approval then course enrolment
                   will be pending. T&Cs when enabled are required and will be checked before
                   any signups or enrolments are processed.

    TL-6957        Display correct due date value in the upcoming certifications block
    TL-6981        Reaggregate course completion when activity completion criteria are unlocked without deletion

                   Previously, course completion status was only reaggregated if "unlock with
                   delete" was used. If "unlock without delete" was used, it was possible that
                   users who meet the new completion criteria were not marked complete, and
                   this would not be fixed by any cron task. This could lead to users being
                   stuck with an incomplete status. Now, the records will be marked for
                   reaggregation and will be processed by the completion cron task.

    TL-7273        Corrected the help text for Report builder simple select filters

                   Filters that use a drop-down select with no additional options such as 'not
                   equal to' now have correct corresponding help text, rather than referring
                   to additional options that do not exist.

    TL-7437        Switched the badges backpack URL to use HTTPS
    TL-7514        Fixed the display order of Face-to-face sessions for the Face-to-face direct enrolment plugin

                   Sessions will now be displayed in order of their start date/times instead
                   of when they were created

    TL-7559        Enabled the transfer of position and organistion custom fields for the database source of HR Sync
    TL-7562        Fixed strings for audience rules based on course and program completion
    TL-7594        Fixed users booked on a Face-to-face session with no dates being incorrectly removed when another user cancels their booking
    TL-7602        Re-enabled the Save and Cancel buttons for the Face-to-face take attendance tab

                   Save and Cancel buttons present in previous versions have been reintroduced
                   to the Face-to-face take attendance tab. Save must be clicked in order to
                   update attendance records.

    TL-7611        Fixed the handling of username and suspended fields for external database sources in HR Import
    TL-7644        Corrected the amount of white space in the 'recordoflearning' language string
    TL-7659        Prevented cancellation notifications being sent to users booked in completed Face-to-face sessions when the course is deleted
    TL-7660        Fixed the behaviour of pagination on hierarchy index pages

                   When viewing Positions, Organisations, Competencies or Goals within a
                   framework, pagination was not working correctly and instead was displaying
                   all of the items even though the paging bar was displaying the correct
                   number of pages.

    TL-7664        Fixed dynamic audience rules based upon checkbox position custom fields
    TL-7675        Fixed the display of an aggregation warning for Report builder columns

                   The warning that column aggregation options may not be compatible with
                   reports that use aggregation internally is now shown only for reports that
                   actually use aggregation internally.

    TL-7676        Fixed the display of duplicate categories in pie charts
    TL-7686        Fixed URL validation when adding new links to the quicklinks block
    TL-7695        Re-aggregate when course completion criteria is changed without deletion

                   When changing course completion criteria, and unlocking without deleting
                   existing completion data, re-aggregation was not being performed. Now,
                   users who are assigned but not complete and match the new criteria will be
                   marked complete after cron re-aggregates them. To fix any users affected by
                   this problem, an upgrade script will mark all incomplete users in all
                   courses for re-aggregation, which will be performed by cron, and may take a
                   while to process on larger sites.

    TL-7698        Fixed the handling of position and organisation 'Text area' custom fields within HR Import
    TL-7711        Fixed the "duedate(extra info)" column for Report builder export to pdf
    TL-7724        Fixed an error when adding audience visibility during program creation.

                   A user who was assigned the site manager role within a category context
                   would previously be presented with an error when giving audiences
                   visibility during program creation. This error no longer appears. 

    TL-7732        Allow HR import to set posenddate value as blank when posstartdate is set
    TL-7769        The Report builder "Manager's name" filter now counts users without a manager as "empty"
    TL-7770        Fixed date validation for Face-to-face sessions when removing dates or wait-listing a session
    TL-7783        Fixed the ordering of the Face-to-face waitlist

                   Previously when a user cancelled an overbooked session the Face-to-face
                   replaced them with a user from the waitlist based off the user's names, now
                   the replacement is decided based off their signup time.

    TL-7784        Fixed the help text for Face-to-face 'minimum capacity' setting
    TL-7789        Fixed the formatting of the Face-to-face intro page
    TL-7821        Fixed a Totara Connect upgrade step that introduced a non-existent local plugin
    TL-7833        Fixed cron failure when sending Face-to-face notifications

                   When scheduled Face-to-face notifications were being sent out, the cron
                   task would potentially fail if notifications were going to users who had
                   their session bookings approved by a manager. This has now been fixed,
                   notifications go out as normal, and cron is not disrupted. 

    TL-7836        Ensured images are restricted by their assigned widths

                   If an image is resized from its native dimensions and then displayed,
                   Internet Explorer would display the image at its native size, and not the
                   size that had been requested.

    TL-7844        Grader report now scrolls when it is too wide for the screen
    TL-7849        Removed reports and saved searches from the report table block when users do not have access
    TL-7851        Fixed the display of the "duedates" column for program and certification overview Report builder reports
    TL-7876        Stopped the incorrect archiving of facetoface sessions without dates

                   Previously if a user was waitlisted on a Face-to-face session which had no
                   dates set, in a Certification Course. When the user's recertification
                   window opened, the  signup would be marked as archived, meaning it would no
                   longer count towards course completion.

    TL-7881        Recreate course completion records when activity criteria are reset with deletion

                   Course completion records for users who were not complete according to the
                   new criteria were not being recreated immediately. Although the records
                   were being created when the completion cron task was run or when a user's
                   status in the course changed, it was possible that some unexpected
                   behaviour could have occurred due to the missing records.

    TL-7883        Fixed date handling on the Face-to-face block calendar page
    TL-7909        Make sure url params are passed when using report builder toolbar search
    TL-7921        Fixed regression with media playback when request_order="GPC" in PHP.ini

Release 2.7.9 (16th November 2015):

Security issues:

    TL-7829        Removed reliance on url parameter for choosing table

                   The script for getting the positions and organisations to assign to a
                   program relied on a url parameter to choose which table to access. The
                   table is now chosen according to the type of hierarchy that the query is
                   for. 

    TL-7886        Fixed access checks for the position assignment AJAX script

New features:

    TL-7868        Merged Moodle 2.7.11

                   A special note in the changelog for this one.
                   
                   Security related issues:
                   * MDL-51861 enrol: Don't get all parts in get_enrolled_users with groups
                   * MDL-51684 badges: Make sure 'moodle/badges:viewbadges' is respected
                   * MDL-51569 mod_choice: validate user actions and availability
                   * MDL-51091 core_registration: session key check in registration.
                   * MDL-50837 mod_scorm: Fix availability checks
                   * MDL-49940 mod_survey: Fix XSS
                   * MDL-48109 mod_lesson: prevent CSRF on password protected lesson



Improvements:

    TL-6282        Improved handling and displaying of the user's name in Core dialogs
    TL-6657        Added actual due dates to program Assignments and audience Enrolled Learning tabs

                   The Assignments tab in programs and certifications and the Enrolled
                   Learning tab in audiences now include a column "Actual due date". This new
                   column shows the due date that the user will see. For group assignments
                   (such as audiences or organisations), clicking the "View dates" link will
                   show a popup with a list of all assigned users relating to that group
                   assignment. The help popup for the "Actual due date" column explains why
                   assignment due dates may be different from the actual due dates. After
                   upgrading, the "Actual due date" field can be manually added to the
                   "Audience: Enrolled Learning" embedded report, or you can reset it to the
                   default to have it automatically added.

    TL-7183        Trigger updates to program user assignments when changing assignments via the audience Enrolled Learning tab

                   When you make a change in an audience's Enrolled Learning tab, it will
                   immediately trigger an update of program and certification user
                   assignments. If there are less than 200 total users involved in the program
                   then the users will be processed immediately, otherwise the update will be
                   deferred. By default, deferred program user assignments are processed the
                   next time cron runs. This patch makes the behaviour consistent with making
                   changes in a program's Assignments tab.

    TL-7256        Mark programs for deferred user assignment update when assignment membership changes

                   This patch includes several improvements which cause program and
                   certification memberships to be updated sooner:
                   * When audience membership changes, either by a user manually editing an
                   audience or when a dynamic audience's membership is automatically updated,
                   related programs and certifications will be marked as having user
                   assignment changes deferred.
                   * When a user's assigned position, organisation or manager change, programs
                   and certifications related to the old and new positions, organisations and
                   management hierarchy are marked as having user assignment changes
                   deferred.
                   
                   With this change in place, all changes to program membership should now be
                   detected as they occur and are either processed immediately or by the
                   "Deferred program assignments changes" scheduled task. As such, we
                   recommend setting the related tasks to their default schedules: "Deferred
                   program assignments changes" can be run every time cron runs, while
                   "Program user assignments" only needs to be run once per day.

    TL-7529        Fixed handling of RPL records when resetting or deleting a course or its completions

                   This change fixes how RPL records are handled when a course is reset by a
                   certification, deleted or reset by a user, or course completions unlocked
                   by a teacher.
                   
                   When deleting or resetting a course, RPL completions are now also deleted
                   correctly. Previously these were not removed. An upgrade step will safely
                   remove invalid data records for deleted courses.
                   
                   In 2.9.0 when a users course completion gets reset by a certification
                   window opening, all course and activity RPL completions will be removed.
                   In 2.7.9, 2.6.26, and 2.5.33, when a user's course completion gets reset by
                   a certification window opening, all course RPL completions will be removed.
                   Activity RPL completions will remain and still count towards the next
                   course and certification completion.
                   
                   As before, when a teacher unlocks course completion criteria and selects to
                   delete, course and activity RPL records will be kept and still count
                   towards a users completion.
                   
                   Contributed by Eugene Venter at Catalyst NZ

    TL-7697        Improved the layout of comments within learning plans
    TL-7722        Added an accessible label to the hidden password field protecting forms

                   TL-7157 introduced a field as a workaround to prevent browsers from
                   automatically loading users saved passwords where they weren't desired.
                   This issue introduces a label for the field so that if this field is
                   detected (via a screen reader or other means) a user is not confused as to
                   its purpose

    TL-7737        Improve help text for Case insensitive shortnames option on Completion import page
    TL-7745        Added labels to settings on Site administration > Front page > Front page settings
    TL-7748        Improved Accessibility when editing the Site administration > Plugins > Activity modules > Quiz Settings
    TL-7750        Improved layout of "User Fullname (with links to learning components)" Report builder column
    TL-7772        Make sure Case insensitive shortname checkbox loads value from database on page load
    TL-7792        Added settings to enforce https access and prevent embedding of content in external Flash and PDF files
    TL-7813        Reduced events triggered when program user assignments are updated

                   Some events were being triggered unnecessarily when updating program and
                   certification user assignments. They will now only be triggered if it is
                   certain that there are changes that need to be signalled.
                   
                   Please remember that user_assignments_task by default is scheduled to
                   execute just once per day, whereas assignments_deferred_task is designed to
                   be run every time cron runs.

    TL-7824        Moved program user assignment deferred flag reset to start of functon

                   If changes are made to a program's assignments while the function is
                   running in cron, those changes will be processed the next time cron runs,
                   rather than having to wait until the nightly cron or another change is
                   made.

    TL-7869        Updated timezone file to 2015g

Bug fixes:

    TL-6957        Display correct due date value in the upcoming certifications block
    TL-6981        Reaggregate course completion when activity completion criteria are unlocked without deletion

                   Previously, course completion status was only reaggregated if "unlock with
                   delete" was used. If "unlock without delete" was used, it was possible that
                   users who meet the new completion criteria were not marked complete, and
                   this would not be fixed by any cron task. This could lead to users being
                   stuck with an incomplete status. Now, the records will be marked for
                   reaggregation and will be processed by the completion cron task.

    TL-7273        Corrected the help text for Report builder simple select filters

                   Filters that use a drop-down select with no additional options such as 'not
                   equal to' now have correct corresponding help text, rather than referring
                   to additional options that do not exist.

    TL-7398        Fix course backup and restore to include completion status
    TL-7437        Switched the badges backpack URL to use HTTPS
    TL-7514        Fixed the display order of Face-to-face sessions for the Face-to-face direct enrolment plugin

                   Sessions will now be displayed in order of their start date/times instead
                   of when they were created

    TL-7559        Enabled the transfer of position and organistion custom fields for the database source of HR Sync
    TL-7562        Fixed strings for audience rules based on course and program completion
    TL-7594        Fixed users booked on a Face-to-face session with no dates being incorrectly removed when another user cancels their booking
    TL-7602        Re-enabled the Save and Cancel buttons for the Face-to-face take attendance tab

                   Save and Cancel buttons present in previous versions have been reintroduced
                   to the Face-to-face take attendance tab. Save must be clicked in order to
                   update attendance records.

    TL-7611        Fixed the handling of username and suspended fields for external database sources in HR Import
    TL-7644        Corrected the amount of white space in the 'recordoflearning' language string
    TL-7659        Prevented cancellation notifications being sent to users booked in completed Face-to-face sessions when the course is deleted
    TL-7660        Fixed the behaviour of pagination on hierarchy index pages

                   When viewing Positions, Organisations, Competencies or Goals within a
                   framework, pagination was not working correctly and instead was displaying
                   all of the items even though the paging bar was displaying the correct
                   number of pages.

    TL-7664        Fixed dynamic audience rules based upon checkbox position custom fields
    TL-7675        Fixed the display of an aggregation warning for Report builder columns

                   The warning that column aggregation options may not be compatible with
                   reports that use aggregation internally is now shown only for reports that
                   actually use aggregation internally.

    TL-7676        Fixed the display of duplicate categories in pie charts
    TL-7686        Fixed URL validation when adding new links to the quicklinks block
    TL-7691        Fixed the removal of individual assignments to company goals

                   When removing a user's individual assignment to a company goal, all user
                   assignments for that user-goal pair were being deleted. Group assignments
                   then regenerated the missing user assignments on the next cron, now only
                   the individual user assignment will be deleted.

    TL-7694        Fix undefined index error when viewing user's position details without specifying type of position
    TL-7695        Re-aggregate when course completion criteria is changed without deletion

                   When changing course completion criteria, and unlocking without deleting
                   existing completion data, re-aggregation was not being performed. Now,
                   users who are assigned but not complete and match the new criteria will be
                   marked complete after cron re-aggregates them. To fix any users affected by
                   this problem, an upgrade script will mark all incomplete users in all
                   courses for re-aggregation, which will be performed by cron, and may take a
                   while to process on larger sites.

    TL-7698        Fixed the handling of position and organisation 'Text area' custom fields within HR Import
    TL-7718        Fixed revoked alerts for deleted users when alert is set to "send alerts to all members"
    TL-7723        Fixed phpunit test failure caused by Norfolk Island timezone change
    TL-7724        Fixed an error when adding audience visibility during program creation.

                   A user who was assigned the site manager role within a category context
                   would previously be presented with an error when giving audiences
                   visibility during program creation. This error no longer appears. 

    TL-7725        Removed calls to window.status from group member management pages
    TL-7732        Allow HR import to set posenddate value as blank when posstartdate is set
    TL-7749        Linked the Download table data with the dropdown when exporting site logs
    TL-7769        The Report builder "Manager's name" filter now counts users without a manager as "empty"
    TL-7770        Fixed date validation for Face-to-face sessions when removing dates or wait-listing a session
    TL-7777        Prevented the element library dialog from saving to the database

                   The multi select dialog example in the element library was previously
                   saving to the database, which should not have been happening.

    TL-7783        Fixed the ordering of the Face-to-face waitlist

                   Previously when a user cancelled an overbooked session the Face-to-face
                   replaced them with a user from the waitlist based off the user's names, now
                   the replacement is decided based off their signup time.

    TL-7784        Fixed the help text for Face-to-face 'minimum capacity' setting
    TL-7785        Changed course catalog query to prevent failure in MariaDB

                   A bug in MariaDB was causing a query in the course catalog to return the
                   incorrect values. The query has been changed to avoid the problem. See
                   https://mariadb.atlassian.net/browse/MDEV-9028 for more infomation about
                   the bug.

    TL-7789        Fixed the formatting of the Face-to-face intro page
    TL-7821        Fixed a Totara Connect upgrade step that introduced a non-existent local plugin
    TL-7833        Fixed cron failure when sending Face-to-face notifications

                   When scheduled Face-to-face notifications were being sent out, the cron
                   task would potentially fail if notifications were going to users who had
                   their session bookings approved by a manager. This has now been fixed,
                   notifications go out as normal, and cron is not disrupted. 

    TL-7836        Ensured images are restricted by their assigned widths

                   If an image is resized from its native dimensions and then displayed,
                   Internet Explorer would display the image at its native size, and not the
                   size that had been requested.

    TL-7851        Fixed the display of the "duedates" column for program and certification overview Report builder reports
    TL-7876        Stopped the incorrect archiving of facetoface sessions without dates

                   Previously if a user was waitlisted on a Face-to-face session which had no
                   dates set, in a Certification Course. When the user's recertification
                   window opened, the  signup would be marked as archived, meaning it would no
                   longer count towards course completion.

    TL-7881        Recreate course completion records when activity criteria are reset with deletion

                   Course completion records for users who were not complete according to the
                   new criteria were not being recreated immediately. Although the records
                   were being created when the completion cron task was run or when a user's
                   status in the course changed, it was possible that some unexpected
                   behaviour could have occurred due to the missing records.

    TL-7883        Fixed date handling on the Face-to-face block calendar page
    TL-7909        Make sure url params are passed when using report builder toolbar search
    TL-7921        Fixed regression with media playback when request_order="GPC" in PHP.ini

Contributions:

    * Eugene Venter at Catalyst NZ - TL-7529

Release 2.6.26 (16th November 2015):

Security issues:

    TL-7829        Removed reliance on url parameter for choosing table

                   The script for getting the positions and organisations to assign to a
                   program relied on a url parameter to choose which table to access. The
                   table is now chosen according to the type of hierarchy that the query is
                   for. 

    TL-7853        Added missing sesskey protection to lesson module
    TL-7855        Fixed output escaping in survey activity
    TL-7856        Added sesskey check to hub registration
    TL-7857        Fixed input validation in choice activity
    TL-7858        Fixed availability changes in SCORM activity
    TL-7859        Respect view badges capability
    TL-7870        Backport password autofilling workaround in more areas
    TL-7886        Fixed access checks for the position assignment AJAX script

Improvements:

    TL-6282        Improved handling and displaying of the user's name in Core dialogs
    TL-7183        Trigger updates to program user assignments when changing assignments via the audience Enrolled Learning tab

                   When you make a change in an audience's Enrolled Learning tab, it will
                   immediately trigger an update of program and certification user
                   assignments. If there are less than 200 total users involved in the program
                   then the users will be processed immediately, otherwise the update will be
                   deferred. By default, deferred program user assignments are processed the
                   next time cron runs. This patch makes the behaviour consistent with making
                   changes in a program's Assignments tab.

    TL-7529        Fixed handling of RPL records when resetting or deleting a course or its completions

                   This change fixes how RPL records are handled when a course is reset by a
                   certification, deleted or reset by a user, or course completions unlocked
                   by a teacher.
                   
                   When deleting or resetting a course, RPL completions are now also deleted
                   correctly. Previously these were not removed. An upgrade step will safely
                   remove invalid data records for deleted courses.
                   
                   In 2.9.0 when a users course completion gets reset by a certification
                   window opening, all course and activity RPL completions will be removed.
                   In 2.7.9, 2.6.26, and 2.5.33, when a user's course completion gets reset by
                   a certification window opening, all course RPL completions will be removed.
                   Activity RPL completions will remain and still count towards the next
                   course and certification completion.
                   
                   As before, when a teacher unlocks course completion criteria and selects to
                   delete, course and activity RPL records will be kept and still count
                   towards a users completion.
                   
                   Contributed by Eugene Venter at Catalyst NZ

    TL-7737        Improve help text for Case insensitive shortnames option on Completion import page
    TL-7824        Moved program user assignment deferred flag reset to start of functon

                   If changes are made to a program's assignments while the function is
                   running in cron, those changes will be processed the next time cron runs,
                   rather than having to wait until the nightly cron or another change is
                   made.

    TL-7869        Updated timezone file to 2015g

Bug fixes:

    TL-6957        Display correct due date value in the upcoming certifications block
    TL-6981        Reaggregate course completion when activity completion criteria are unlocked without deletion

                   Previously, course completion status was only reaggregated if "unlock with
                   delete" was used. If "unlock without delete" was used, it was possible that
                   users who meet the new completion criteria were not marked complete, and
                   this would not be fixed by any cron task. This could lead to users being
                   stuck with an incomplete status. Now, the records will be marked for
                   reaggregation and will be processed by the completion cron task.

    TL-7273        Corrected the help text for Report builder simple select filters

                   Filters that use a drop-down select with no additional options such as 'not
                   equal to' now have correct corresponding help text, rather than referring
                   to additional options that do not exist.

    TL-7437        Switched the badges backpack URL to use HTTPS
    TL-7562        Fixed strings for audience rules based on course and program completion
    TL-7594        Fixed users booked on a Face-to-face session with no dates being incorrectly removed when another user cancels their booking
    TL-7644        Corrected the amount of white space in the 'recordoflearning' language string
    TL-7664        Fixed dynamic audience rules based upon checkbox position custom fields
    TL-7686        Fixed URL validation when adding new links to the quicklinks block
    TL-7691        Fixed the removal of individual assignments to company goals

                   When removing a user's individual assignment to a company goal, all user
                   assignments for that user-goal pair were being deleted. Group assignments
                   then regenerated the missing user assignments on the next cron, now only
                   the individual user assignment will be deleted.

    TL-7695        Re-aggregate when course completion criteria is changed without deletion

                   When changing course completion criteria, and unlocking without deleting
                   existing completion data, re-aggregation was not being performed. Now,
                   users who are assigned but not complete and match the new criteria will be
                   marked complete after cron re-aggregates them. To fix any users affected by
                   this problem, an upgrade script will mark all incomplete users in all
                   courses for re-aggregation, which will be performed by cron, and may take a
                   while to process on larger sites.

    TL-7769        The Report builder "Manager's name" filter now counts users without a manager as "empty"
    TL-7777        Prevented the element library dialog from saving to the database

                   The multi select dialog example in the element library was previously
                   saving to the database, which should not have been happening.

    TL-7783        Fixed the ordering of the Face-to-face waitlist

                   Previously when a user cancelled an overbooked session the Face-to-face
                   replaced them with a user from the waitlist based off the user's names, now
                   the replacement is decided based off their signup time.

    TL-7789        Fixed the formatting of the Face-to-face intro page
    TL-7833        Fixed cron failure when sending Face-to-face notifications

                   When scheduled Face-to-face notifications were being sent out, the cron
                   task would potentially fail if notifications were going to users who had
                   their session bookings approved by a manager. This has now been fixed,
                   notifications go out as normal, and cron is not disrupted. 

    TL-7876        Stopped the incorrect archiving of facetoface sessions without dates

                   Previously if a user was waitlisted on a Face-to-face session which had no
                   dates set, in a Certification Course. When the user's recertification
                   window opened, the  signup would be marked as archived, meaning it would no
                   longer count towards course completion.

    TL-7881        Recreate course completion records when activity criteria are reset with deletion

                   Course completion records for users who were not complete according to the
                   new criteria were not being recreated immediately. Although the records
                   were being created when the completion cron task was run or when a user's
                   status in the course changed, it was possible that some unexpected
                   behaviour could have occurred due to the missing records.

    TL-7883        Fixed date handling on the Face-to-face block calendar page
    TL-7921        Fixed regression with media playback when request_order="GPC" in PHP.ini

Contributions:

    * Eugene Venter at Catalyst NZ - TL-7529

Release 2.5.33 (16th November 2015):

Security issues:

    TL-7829        Removed reliance on url parameter for choosing table

                   The script for getting the positions and organisations to assign to a
                   program relied on a url parameter to choose which table to access. The
                   table is now chosen according to the type of hierarchy that the query is
                   for. 

    TL-7853        Added missing sesskey protection to lesson module
    TL-7855        Fixed output escaping in survey activity
    TL-7856        Added sesskey check to hub registration
    TL-7857        Fixed input validation in choice activity
    TL-7858        Fixed availability changes in SCORM activity
    TL-7859        Respect view badges capability
    TL-7870        Backport password autofilling workaround in more areas
    TL-7886        Fixed access checks for the position assignment AJAX script

Improvements:

    TL-7183        Trigger updates to program user assignments when changing assignments via the audience Enrolled Learning tab

                   When you make a change in an audience's Enrolled Learning tab, it will
                   immediately trigger an update of program and certification user
                   assignments. If there are less than 200 total users involved in the program
                   then the users will be processed immediately, otherwise the update will be
                   deferred. By default, deferred program user assignments are processed the
                   next time cron runs. This patch makes the behaviour consistent with making
                   changes in a program's Assignments tab.

    TL-7529        Fixed handling of RPL records when resetting or deleting a course or its completions

                   This change fixes how RPL records are handled when a course is reset by a
                   certification, deleted or reset by a user, or course completions unlocked
                   by a teacher.
                   
                   When deleting or resetting a course, RPL completions are now also deleted
                   correctly. Previously these were not removed. An upgrade step will safely
                   remove invalid data records for deleted courses.
                   
                   In 2.9.0 when a users course completion gets reset by a certification
                   window opening, all course and activity RPL completions will be removed.
                   In 2.7.9, 2.6.26, and 2.5.33, when a user's course completion gets reset by
                   a certification window opening, all course RPL completions will be removed.
                   Activity RPL completions will remain and still count towards the next
                   course and certification completion.
                   
                   As before, when a teacher unlocks course completion criteria and selects to
                   delete, course and activity RPL records will be kept and still count
                   towards a users completion.
                   
                   Contributed by Eugene Venter at Catalyst NZ

    TL-7737        Improve help text for Case insensitive shortnames option on Completion import page
    TL-7824        Moved program user assignment deferred flag reset to start of functon

                   If changes are made to a program's assignments while the function is
                   running in cron, those changes will be processed the next time cron runs,
                   rather than having to wait until the nightly cron or another change is
                   made.

    TL-7869        Updated timezone file to 2015g

Bug fixes:

    TL-6957        Display correct due date value in the upcoming certifications block
    TL-6981        Reaggregate course completion when activity completion criteria are unlocked without deletion

                   Previously, course completion status was only reaggregated if "unlock with
                   delete" was used. If "unlock without delete" was used, it was possible that
                   users who meet the new completion criteria were not marked complete, and
                   this would not be fixed by any cron task. This could lead to users being
                   stuck with an incomplete status. Now, the records will be marked for
                   reaggregation and will be processed by the completion cron task.

    TL-7437        Switched the badges backpack URL to use HTTPS
    TL-7664        Fixed dynamic audience rules based upon checkbox position custom fields
    TL-7686        Fixed URL validation when adding new links to the quicklinks block
    TL-7691        Fixed the removal of individual assignments to company goals

                   When removing a user's individual assignment to a company goal, all user
                   assignments for that user-goal pair were being deleted. Group assignments
                   then regenerated the missing user assignments on the next cron, now only
                   the individual user assignment will be deleted.

    TL-7695        Re-aggregate when course completion criteria is changed without deletion

                   When changing course completion criteria, and unlocking without deleting
                   existing completion data, re-aggregation was not being performed. Now,
                   users who are assigned but not complete and match the new criteria will be
                   marked complete after cron re-aggregates them. To fix any users affected by
                   this problem, an upgrade script will mark all incomplete users in all
                   courses for re-aggregation, which will be performed by cron, and may take a
                   while to process on larger sites.

    TL-7833        Fixed cron failure when sending Face-to-face notifications

                   When scheduled Face-to-face notifications were being sent out, the cron
                   task would potentially fail if notifications were going to users who had
                   their session bookings approved by a manager. This has now been fixed,
                   notifications go out as normal, and cron is not disrupted. 

    TL-7876        Stopped the incorrect archiving of facetoface sessions without dates

                   Previously if a user was waitlisted on a Face-to-face session which had no
                   dates set, in a Certification Course. When the user's recertification
                   window opened, the  signup would be marked as archived, meaning it would no
                   longer count towards course completion.

    TL-7881        Recreate course completion records when activity criteria are reset with deletion

                   Course completion records for users who were not complete according to the
                   new criteria were not being recreated immediately. Although the records
                   were being created when the completion cron task was run or when a user's
                   status in the course changed, it was possible that some unexpected
                   behaviour could have occurred due to the missing records.

    TL-7921        Fixed regression with media playback when request_order="GPC" in PHP.ini

Contributions:

    * Eugene Venter at Catalyst NZ - TL-7529

Release 2.4.36 (16th November 2015):

Security issues:

    TL-7829        Removed reliance on url parameter for choosing table

                   The script for getting the positions and organisations to assign to a
                   program relied on a url parameter to choose which table to access. The
                   table is now chosen according to the type of hierarchy that the query is
                   for. 

    TL-7853        Added missing sesskey protection to lesson module
    TL-7855        Fixed output escaping in survey activity
    TL-7856        Added sesskey check to hub registration
    TL-7857        Fixed input validation in choice activity
    TL-7858        Fixed availability changes in SCORM activity
    TL-7859        Respect view badges capability
    TL-7870        Backport password autofilling workaround in more areas
    TL-7886        Fixed access checks for the position assignment AJAX script

Improvements:

    TL-7869        Updated timezone file to 2015g

Bug fixes:

    TL-7921        Fixed regression with media playback when request_order="GPC" in PHP.ini

Release 2.2.43 (16th November 2015):

Security issues:

    TL-7829        Removed reliance on url parameter for choosing table

                   The script for getting the positions and organisations to assign to a
                   program relied on a url parameter to choose which table to access. The
                   table is now chosen according to the type of hierarchy that the query is
                   for. 

    TL-7853        Added missing sesskey protection to lesson module
    TL-7855        Fixed output escaping in survey activity
    TL-7856        Added sesskey check to hub registration
    TL-7857        Fixed input validation in choice activity
    TL-7870        Backport password autofilling workaround in more areas
    TL-7886        Fixed access checks for the position assignment AJAX script

Improvements:

    TL-7869        Updated timezone file to 2015g

Bug fixes:

    TL-7921        Fixed regression with media playback when request_order="GPC" in PHP.ini