Hello everyone,
The following versions of Totara have now been released:
- 2.9.9
- 2.7.17
- 2.6.34
- 2.5.41
- 2.4.43
- 2.2.49
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements, including from the latest Moodle releases.
Thanks to the following people for their contributions to this release:
- Davo Smith at Synergy Learning - TL-9485
- Francis Devine at Catalyst NZ - TL-9086
- Nigel Cunningham at Catalyst AU - TL-8601, TL-9261
Kind regards
Sam Hemelryk
Release 2.9.9 (26th July 2016):
Important:
TL-9703 This release contains fixes made in Moodle 2.9.9
Moodle 2.9.9 received the following fixes, imported as noted below:
1. MDL-53431 tool_monitor: Access control for tool monitor subscriptions
Imported as TL-9551
2. MDL-55069 core: escape special characters in email headers
Imported as TL-9515
3. MDL-53019 environment: 3.2 requirements added
Imported as TL-9556
4. MDL-54564 behat: Wait after hover, to ensure page is ready
Imported as TL-9631
5. MDL-54620 ratings: display '0' when aggregate = 0
Imported as TL-9633
Security issues:
TL-9340 Fixed access control when deleting calendar subscriptions
Users can only delete their own calendar subscriptions.
Previously it was possible to craft a special request that would allow you
to delete a calendar subscription regardless of whether you were the owner
or not.
The moodle/calendar:manageownentries capability is now consistently
checked.
TL-9400 Fixed access control when deleting personal goals
A user's personal goals can only be deleted if one of the following
conditions is true for the current user:
1. They have the totara/hierarchy:managegoalassignments capability in the
system context.
2. They are a manager of the goal's owner and they have the
totara/hierarchy:managestaffpersonalgoal capability in the goal owner's user context.
3. It is one of their own personal goals and they have the
totara/hierarchy:manageownpersonalgoal capability in the system context.
Previously it was possible to craft a special request that would allow you
to delete any personal goal, regardless of whether it was one of your
personal goals or not.
The relevant capability checks are now consistently applied.
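The two access-control fixes above (TL-9340 and TL-9400) come down to the same rule: an object-level ownership or relationship test plus a capability check in the right context, never a capability check alone. The following is an added example, not Totara's code, that writes both decisions as stand-alone PHP functions so the file runs without a Moodle bootstrap. The $hascap callable stands in for Moodle's has_capability(), the strings 'system' and "user:<ownerid>" stand in for context_system::instance() and context_user::instance($ownerid), and the $ismanager callable and the capability table are constructed for the demo.

```php
<?php
// Added example, not Totara code. Both decisions are written as pure
// functions so the file runs with plain `php` and no Moodle bootstrap.
// Assumptions: $hascap(capability, context, userid) stands in for Moodle's
// has_capability(); the context strings 'system' and "user:<ownerid>" stand
// in for context_system::instance() and context_user::instance($ownerid);
// $ismanager(managerid, staffid) stands in for the site's manager lookup.

// TL-9340: only the owner may delete a subscription, and only with the
// capability. Checking the capability alone (the pre-fix shape of the bug)
// lets any user who holds it delete any subscription by changing the id in
// the request; the ownership test is what closes that.
function can_delete_calendar_subscription(array $sub, int $userid, callable $hascap): bool {
    if ((int) $sub['userid'] !== $userid) {
        return false;
    }
    return $hascap('moodle/calendar:manageownentries', 'system', $userid);
}

// TL-9400: the three conditions from the release note, any one of which is
// sufficient. Note that the context differs per condition.
function can_delete_personal_goal(array $goal, int $userid, callable $hascap, callable $ismanager): bool {
    $ownerid = (int) $goal['userid'];
    // 1. site-wide goal assignment management, system context
    if ($hascap('totara/hierarchy:managegoalassignments', 'system', $userid)) {
        return true;
    }
    // 2. manager of the owner, capability checked in the owner's user context
    if ($ismanager($userid, $ownerid)
            && $hascap('totara/hierarchy:managestaffpersonalgoal', "user:$ownerid", $userid)) {
        return true;
    }
    // 3. the user's own goal, capability checked in the system context
    if ($ownerid === $userid
            && $hascap('totara/hierarchy:manageownpersonalgoal', 'system', $userid)) {
        return true;
    }
    return false;
}

// --- constructed demo data -------------------------------------------------
// Users: 1 and 2 are ordinary staff, 3 manages user 2, 4 is a goals admin.
$grants = [
    'moodle/calendar:manageownentries'         => [['system', 1], ['system', 2]],
    'totara/hierarchy:manageownpersonalgoal'   => [['system', 1], ['system', 2]],
    'totara/hierarchy:managestaffpersonalgoal' => [['user:2', 3]],
    'totara/hierarchy:managegoalassignments'   => [['system', 4]],
];
$hascap = function (string $cap, string $context, int $userid) use ($grants): bool {
    return in_array([$context, $userid], $grants[$cap] ?? [], true);
};
$ismanager = function (int $managerid, int $staffid): bool {
    return $managerid === 3 && $staffid === 2;
};

$sub  = ['id' => 10, 'userid' => 2];   // calendar subscription owned by user 2
$goal = ['id' => 20, 'userid' => 2];   // personal goal owned by user 2

foreach ([1, 2] as $uid) {
    printf("user %d delete subscription %d: %s\n", $uid, $sub['id'],
        can_delete_calendar_subscription($sub, $uid, $hascap) ? 'allowed' : 'denied');
}
foreach ([1, 2, 3, 4] as $uid) {
    printf("user %d delete goal %d: %s\n", $uid, $goal['id'],
        can_delete_personal_goal($goal, $uid, $hascap, $ismanager) ? 'allowed' : 'denied');
}
```

Running it shows user 1 denied on the subscription despite holding moodle/calendar:manageownentries (not the owner), user 2 allowed, and the goal deletable by users 2, 3 and 4 (one condition each) but not by user 1. In a real Totara page the same decision should sit behind require_sesskey() and a confirmation step; the point here is only that the ownership or relationship test is part of the decision, not something the request is trusted to get right.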
TL-9515 Fixed sanitisation of user's firstname and lastname when sending emails
Totara was not previously sanitising a user's firstname and lastname
correctly when compiling emails to the user.
An authenticated user could therefore alter their firstname or lastname in
Totara to contain invalid content, including additional email addresses.
Because the firstname and lastname were not sanitised before being placed
in the email headers, this could be abused to send spam to others.
The user's firstname and lastname are now properly sanitised.
References MDL-55069
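As an added illustration of the class of bug behind TL-9515 / MDL-55069 (this is not Moodle's or Totara's code): a display name that is interpolated verbatim into a mail header can carry line breaks and extra addresses into the message. The function names and the sample names and addresses below are the example's own.

```php
<?php
// Added example, not Moodle/Totara code. Shows the class of bug behind
// TL-9515 / MDL-55069 (a profile field reaching a mail header unescaped)
// next to one way of building the header safely. Function names and sample
// values are this example's own.

// BEFORE: the display name is interpolated verbatim, so anything the user
// put in their profile becomes part of the header, including line breaks.
function build_to_header_unsafe(string $name, string $email): string {
    return "To: $name <$email>";
}

// AFTER: CR/LF/NUL are rejected (they would start a new header line), the
// address is validated, and the display name is emitted as an RFC 5322
// quoted-string, or as an RFC 2047 encoded-word when it is not printable
// ASCII, so commas, angle brackets and quotes lose their structural meaning.
function build_to_header_safe(string $name, string $email): string {
    if (preg_match('/[\r\n\0]/', $name . $email)) {
        throw new InvalidArgumentException('line break or NUL in header value');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid address');
    }
    if (preg_match('/[^\x20-\x7E]/', $name)) {
        $display = '=?UTF-8?B?' . base64_encode($name) . '?=';
    } else {
        $display = '"' . addcslashes($name, '"\\') . '"';
    }
    return "To: $display <$email>";
}

// --- constructed demo ------------------------------------------------------
$cases = [
    // header injection: a second header line smuggled through the first name
    "Mallory\r\nBcc: victim1@example.org, victim2@example.org",
    // address smuggling: an extra recipient hidden in the name, no line break needed
    'Mallory <victim@example.org>,',
    // benign but awkward: quotes and a non-ASCII character
    'Zoë "Z" O\'Brien',
];
foreach ($cases as $name) {
    // make the CR/LF visible in the unsafe output
    echo "unsafe: ", str_replace(["\r", "\n"], ['\r', '\n'],
        build_to_header_unsafe($name, 'mallory@example.com')), "\n";
    try {
        echo "safe:   ", build_to_header_safe($name, 'mallory@example.com'), "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (", $e->getMessage(), ")\n";
    }
}
```

The first case produces two header lines from the unsafe builder, so the Bcc becomes part of the message; the second adds victim@example.org as a recipient without any line break at all, which is the "additional email addresses" variant the note describes. The safe builder rejects the first outright and turns the second into an inert quoted display name. The same treatment applies to From, Reply-To and Subject; in practice the header should be assembled by the mail library (PHPMailer's addAddress() takes the name and address as separate arguments) rather than by string concatenation anywhere in application code.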
TL-9668 Improved the security of all repository plugins
Previously it may have been possible to perform SSRF (server-side request
forgery) attacks against a server through the repository API, because the
API did not work with the installed repository plugins to check that the
content being downloaded was what the plugin expected.
With this update comes a change to the repository API that allows it to
work with the repository plugins to ensure that content requested for
download is expected and valid.
By default any plugin which attempts to use the repository API to download
content without implementing the now required get_file() method will stop
working as this is deemed a security risk.
We are aware that some subscribers do use third party repository plugins,
and that this change may stop those plugins from working.
Whilst our recommendation for those sites is to get the affected third
party repositories updated to support the new API and file downloading, we
have also added to 2.9 a special setting that bypasses the missing support
and allows the plugins to function as they once did.
This setting is present in 2.9 only and will not be available in Totara 9.0.
To enable this setting add the following to your config.php:
{code}
$CFG->repositoryignoresecurityproblems = 1;
{code}
Please be aware that adding this setting may open a security hole on your
site.
We do not recommend adding it.
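An added example, not Totara's repository API, of the kind of check a repository plugin's get_file() override should run before it downloads anything: the function below gates a URL on scheme, embedded credentials, a per-plugin host allowlist and the address the host actually resolves to. The function name, the allowlist, the injectable resolver and the demo DNS table and URLs are all this example's own assumptions.

```php
<?php
// Added example, not Totara's repository API. A URL gate of the kind a
// repository plugin's get_file() override should run before downloading
// anything (TL-9668). The function name, the per-plugin host allowlist and
// the injectable resolver are this example's own; the demo DNS table and
// URLs are constructed.

/**
 * Return null when $url may be fetched, otherwise a short reason.
 * $allowedhosts: the hosts this plugin legitimately fetches from.
 * $resolve: host -> IP; defaults to gethostbyname() and is injectable so the
 * demo below runs offline. gethostbyname() returns the name unchanged when
 * resolution fails, which is why the "does not resolve" test looks as it does.
 */
function repository_url_problem(string $url, array $allowedhosts, ?callable $resolve = null): ?string {
    $resolve = $resolve ?? 'gethostbyname';
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return 'unparseable url';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme not allowed';          // file://, ftp://, gopher:// ...
    }
    if (empty($parts['host'])) {
        return 'no host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in url';          // http://allowed.host@10.0.0.1/ style tricks
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowedhosts), true)) {
        return 'host not in allowlist';
    }
    $ip = $resolve($host);
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP) === false) {
        return 'host does not resolve';
    }
    // loopback, RFC 1918, link-local (cloud metadata endpoints) and reserved ranges
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return "resolves to internal address $ip";
    }
    return null;
}

// --- constructed demo ------------------------------------------------------
$fakedns = [
    'cdn.example.com'  => '203.0.113.10',   // public, as expected
    'evil.example.com' => '10.0.0.5',       // allowlisted name pointed at the LAN
];
$resolve = function (string $host) use ($fakedns): string {
    return $fakedns[$host] ?? $host;
};
$allowed = ['cdn.example.com', 'evil.example.com'];
$urls = [
    'https://cdn.example.com/course/handbook.pdf',
    'http://evil.example.com/handbook.pdf',
    'http://169.254.169.254/latest/meta-data/',
    'http://cdn.example.com@127.0.0.1/',
    'file:///etc/passwd',
    'gopher://cdn.example.com/_SMTP',
];
foreach ($urls as $url) {
    printf("%-46s %s\n", $url, repository_url_problem($url, $allowed, $resolve) ?? 'ok');
}
```

Only the first URL passes; the second shows why resolving the name matters (an allowlisted host can be pointed at an internal address), and the remaining four are rejected on allowlist, embedded credentials and scheme. Two caveats the gate does not cover: the download must connect to the address that was checked (resolve once and pin it, for instance with CURLOPT_RESOLVE, otherwise the name can be re-pointed between check and fetch), and any redirect must be re-checked rather than followed blindly. Later Moodle versions also ship a site-wide cURL blocked-hosts and allowed-ports setting, which gives a baseline independent of any one plugin, but a plugin that implements get_file() should still know which hosts it expects to talk to.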
Improvements:
TL-8996 Added support for syncing a user's image during SSO login
TL-9221 Added the ability to resolve dismissed program exceptions to the completion editor
The Program and Certification completion editors now display information
about dismissed program exceptions when viewing a user's completion data,
and allow dismissed exceptions to be overridden.
TL-9265 Added a new filter for Audience Visibility to Course reports
Previously a Visibility filter could be added to Course reports, however
there was no corresponding Audience Visibility filter for those sites that
had Audience Visibility turned on.
A new Audience Visibility filter has been added to all Course reports so
that those sites that have Audience Visibility turned on can filter by the
relevant visibility options.
TL-9276 Improved the description of Global Report Restrictions when only one restriction exists
If there is only one Global Report Restriction for a user it is
automatically applied for that user.
This was previously undocumented.
The description within the Global Report Restriction user interface has
been improved to allude to this behaviour.
TL-9314 Improved the information shown when viewing a Certification
When a user views one of their certifications, they will see a more verbose
description of the status.
It is now clear when a user is not required to work on a certification.
When working on a specific certification path, only courses in that path
are shown (as before), otherwise both paths are shown, rather than trying
to show the last path completed (which cannot be calculated under several
circumstances).
Additionally, a warning has been added, and is shown when the user is due
to recertify but the window opening process has not yet occurred.
TL-9344 Improved the time allowance strings used for Programs to ease translation
TL-9378 Ensured that goal management capabilities are consistently applied
Personal goals created by either a site administrator or a user's manager
cannot be edited or deleted by the user.
Additionally, the action icons for actions you can't perform are now greyed
out.
TL-9383 Improved the performance of sidebar searches within Report Builder
For reports which had multi-check filters enabled in the sidebar, such as
in the course catalog, item counts shown in the filter were sometimes being
queried twice unnecessarily.
In cases where there were thousands of items, this had a noticeable effect
on performance.
These item counts are now only queried once, and only if needed.
TL-9433 Developers may now disable editor autosave in forms where it is not desirable
Previously it was not possible for the developer to disable autosaving
within an editor when defining a form.
A small improvement has been made to allow the developer to pass
['autosave' => false] as an editor option; this is passed through to the
editor initialisation and allows the developer to disable autosaving when
defining the form.
TL-9456 Plugins can now define Report Builder filters within the plugin space
It is now possible for plugins to define their own Report Builder filters
for use within their own Report Sources.
To do this the plugin defines a class called `rb_filter_"filtertype"` in a
location of its choosing, and then requires the file containing the class
within the Report Builder sources that will use it.
TL-9483 Fixed Behat file uploads to work in all browsers and in remote selenium instances
TL-9484 Added a workaround for missing alert confirmation support in PhantomJS
TL-9502 The Course and Activity completion reports now use the standard paging control
The Course completion and Activity completion reports now use the standard
paging control bar.
This helps bring the look and feel of these reports (which are not Report
Builder reports) in line with the other reports available in the system.
TL-9556 Environment definition updated to reflect Moodle 3.2 requirements
TL-9670 Course visibility filters show as not applicable depending on the site's audience visibility setting
Bug fixes:
TL-7907 Fixed manager approval for Face-to-face direct enrolment when automatic signup is enabled
Previously if you had a Face-to-face activity that was configured to
require manager approval, within a course with a Face-to-face direct
enrolment instance added and configured to automatically sign new users up
to all available sessions, then when a new user signed up they would be
automatically booked to the session requiring manager approval, bypassing
the approval stage.
Now the Face-to-face direct enrolment plugin, with automatic signup
enabled, correctly respects the manager approval requirements for available
sessions.
TL-8179 Program and Certification reports now order courseset data correctly
The Program and Certification overview reports now ensure that columns
displaying courseset information order the content in the same manner that
is applied when viewing the Program or Certification content.
TL-8555 Recurring courses now respect the tempdir setting
When recurring courses were copied during cron, it was assumed that the
temp folder was set to its default rather than what was in the 'tempdir'
config setting. The temporary backup folder is now created in the location
specified by the 'tempdir' setting.
This fix also ensures that the copy recurring courses cron task will run
when certifications are disabled, but programs are enabled, as recurring
courses can only be used within programs.
TL-8601 Fixed backup and restore of multi-select and file type Course custom fields
TL-8985 Suspending a user no longer cancels past Face-to-face signups
Previously if you suspended a user, any Face-to-face signups they had made
would be cancelled, even when the Face-to-face session had already been
run.
Now when a user is suspended only Face-to-face signups for future sessions
are cancelled.
TL-9056 Fixed program enrolment messages not being sent
It was possible that some program and certification enrolment messages were
not being sent. This would only occur in the unlikely event that the
program messaging scheduled task took some time to run, and that program
assignments changed during that time (either by a manual change made in the
Assignments interface when there were less than 200 users involved in the
program, or due to one of the two user assignment scheduled tasks running
at the same time). This has now been fixed. This patch does not
retroactively send program/certification enrolment messages that were
missed.
TL-9086 HR Import now validates incoming user custom field values consistently
Previously HR Import was validating incoming user custom field data without
first passing it through the user custom fields API.
This could lead to invalid data passing validation as it had not been
appropriately translated.
HR Import now correctly passes incoming data through the user custom fields
API prior to validation to ensure any invalid data is detected and not
imported.
TL-9115 Improved the display of averaged columns in Report Builder
When averaging a field the number of decimal places shown was the default
returned by the database.
The display has been improved to only show 2 decimal places.
TL-9118 HR Import now converts mixed case usernames to lower case
This fixes a backwards compatibility issue introduced by TL-8502.
TL-8502 improved validation of usernames being imported through HR Import.
Unfortunately a previously added hack was present which was converting
mixed case usernames to lower case.
TL-8502 reverted this hack, ensuring only completely valid usernames could
be imported, and any invalid usernames would be skipped with an error.
After the release of 2.9.7 we received several reports of people relying on
this conversion to import their data.
After much discussion we decided to treat this as a backwards compatibility
issue and fix it as a bug in 2.7 and 2.9.
Now when you import a username with mixed case you will receive a warning,
the username will be converted to lower case and the user will be
imported.
Please note that in Totara 9.0 you will receive an error and the user will
not be imported.
We advise those who are getting these warnings to fix the data they are
importing so as to make it accurate.
TL-9135 Fixed the use of files within textarea type custom fields
TL-9159 Multi-select custom field data params are now correctly deleted when the field is deleted
Previously data params for multi-select custom field values were not being
deleted when the multi-select custom field was deleted.
This resulted in orphaned data param records being left in the database.
Now when a multi-select custom field is deleted the data params for it are
also deleted.
Additionally an upgrade step will clean up any orphaned multi-select data
params that may be lurking in your database.
TL-9162 Removing a user from an allocated Face-to-face session now returns capacity
Previously when a user was removed from an allocated spot in a Face-to-face
session by their manager the space they were occupying was not returned to
the available capacity of the session, nor were they being informed that
their allocation had been cancelled.
Now when a user is removed from an allocated spot the capacity is returned
and the user is notified.
TL-9187 Fixed searching of the Program exceptions list by firstname and lastname
TL-9210 Fixed a missing iCal attachment in the Face-to-face session allocation notification email
TL-9235 Fixed the display of aggregated yes_or_no Report Builder columns
"Yes" is counted as 1, "No" is counted as 0. Aggregate functions use these
values for the calculations.
TL-9241 Ensured the ability to choose an appraiser is not available when appraisals have been disabled
TL-9261 Fixed the "Re-sort" button within the Certification management UI
TL-9341 Fixed the User's Position Framework ID filter within the User report source
TL-9362 Fixed the status display for certification in progress within the Record of Learning
TL-9387 Fixed the display of Face-to-face sessions in the Face-to-face block
TL-9388 Fixed the expansion of the Site Administration menu in IE8
TL-9392 Available courses on the front page are no longer duplicated when the user is not enrolled in any courses
If the front page was configured to display a list of Enrolled Courses and
the user was not enrolled in any courses, a list of available courses was
displayed instead.
If the front page had also been configured to contain a list of available
courses, the list of available courses was then displayed twice.
Now, when the front page is configured to display both the available and
the enrolled courses lists and the user is not enrolled in any courses, the
enrolled courses section prints nothing, so the available courses list is
shown only once.
TL-9397 Fixed an error encountered while exporting a Face-to-face cancellation report
This fixes a regression introduced by TL-6962, released in Totara 2.7.14
and 2.9.6.
TL-9434 Fixed a bug preventing roles from being assigned via audiences at the category level
TL-9438 Fixed average aggregation within Report Builder when using MSSQL
MSSQL now ensures that it is using decimals when fetching average
aggregations.
TL-9453 Prevented the adding of a Program to a Learning Plan from resetting Program status
When a program was already assigned to a user, if the same program was then
added to the user's learning plan, the status of the program was reset. The
program would likely be re-marked completed by cron, but only if the course
requirements were unchanged and the courses involved were still marked
complete.
Additionally, dates related to the program may have changed.
This fix prevents changes when adding a program to a learning plan if the
user is already assigned to the program.
TL-9473 Fixed the "Download all" button within the file manager in IE and Safari
TL-9485 Fixed data param handling in the core data object class
TL-9669 Fixed the possibility of a "maximum SQL input variables" bug within the Face-to-face upgrade
Contributions:
* Davo Smith at Synergy Learning - TL-9485
* Francis Devine at Catalyst NZ - TL-9086
* Nigel Cunningham at Catalyst AU - TL-8601, TL-9261
Release 2.7.17 (26th July 2016):
Important:
TL-9702 This release contains fixes made in Moodle 2.7.15
Moodle 2.7.15 received two fixes as noted below:
1. MDL-55069 core: escape special characters in email headers
Imported as TL-9515
2. MDL-53019 environment: 3.2 requirements added
Imported as TL-9556
Security issues:
TL-9340 Fixed access control when deleting calendar subscriptions
Users can only delete their own calendar subscriptions.
Previously it was possible to craft a special request that would allow you
to delete a calendar subscription regardless of whether you were the owner
or not.
The moodle/calendar:manageownentries capability is now consistently
checked.
TL-9400 Fixed access control when deleting personal goals
A user's personal goals can only be deleted if one of the following
conditions is true for the current user:
1. They have the totara/hierarchy:managegoalassignments capability in the
system context.
2. They are a manager of the goal's owner and they have the
totara/hierarchy:managestaffpersonalgoal capability in the goal owner's user context.
3. It is one of their own personal goals and they have the
totara/hierarchy:manageownpersonalgoal capability in the system context.
Previously it was possible to craft a special request that would allow you
to delete any personal goal, regardless of whether it was one of your
personal goals or not.
The relevant capability checks are now consistently applied.
TL-9515 Fixed sanitisation of user's firstname and lastname when sending emails
Totara was not previously sanitising a user's firstname and lastname
correctly when compiling emails to the user.
An authenticated user could therefore alter their firstname or lastname in
Totara to contain invalid content, including additional email addresses.
Because the firstname and lastname were not sanitised before being placed
in the email headers, this could be abused to send spam to others.
The user's firstname and lastname are now properly sanitised.
References MDL-55069
Improvements:
TL-9221 Added the ability to resolve dismissed program exceptions to the completion editor
The Program and Certification completion editors now display information
about dismissed program exceptions when viewing a user's completion data,
and allow dismissed exceptions to be overridden.
TL-9314 Improved the information shown when viewing a Certification
When a user views one of their certifications, they will see a more verbose
description of the status.
It is now clear when a user is not required to work on a certification.
When working on a specific certification path, only courses in that path
are shown (as before), otherwise both paths are shown, rather than trying
to show the last path completed (which cannot be calculated under several
circumstances).
Additionally, a warning has been added, and is shown when the user is due
to recertify but the window opening process has not yet occurred.
TL-9383 Improved the performance of sidebar searches within Report Builder
For reports which had multi-check filters enabled in the sidebar, such as
in the course catalog, item counts shown in the filter were sometimes being
queried twice unnecessarily.
In cases where there were thousands of items, this had a noticeable effect
on performance.
These item counts are now only queried once, and only if needed.
TL-9483 Fixed Behat file uploads to work in all browsers and in remote selenium instances
TL-9484 Added a workaround for missing alert confirmation support in PhantomJS
TL-9556 Environment definition updated to reflect Moodle 3.2 requirements
Bug fixes:
TL-7907 Fixed manager approval for Face-to-face direct enrolment when automatic signup is enabled
Previously if you had a Face-to-face activity that was configured to
require manager approval, within a course with a Face-to-face direct
enrolment instance added and configured to automatically sign new users up
to all available sessions, then when a new user signed up they would be
automatically booked to the session requiring manager approval, bypassing
the approval stage.
Now the Face-to-face direct enrolment plugin, with automatic signup
enabled, correctly respects the manager approval requirements for available
sessions.
TL-8601 Fixed backup and restore of multi-select and file type Course custom fields
TL-8985 Suspending a user no longer cancels past Face-to-face signups
Previously if you suspended a user, any Face-to-face signups they had made
would be cancelled, even when the Face-to-face session had already been
run.
Now when a user is suspended only Face-to-face signups for future sessions
are cancelled.
TL-9056 Fixed program enrolment messages not being sent
It was possible that some program and certification enrolment messages were
not being sent. This would only occur in the unlikely event that the
program messaging scheduled task took some time to run, and that program
assignments changed during that time (either by a manual change made in the
Assignments interface when there were less than 200 users involved in the
program, or due to one of the two user assignment scheduled tasks running
at the same time). This has now been fixed. This patch does not
retroactively send program/certification enrolment messages that were
missed.
TL-9086 HR Import now validates incoming user custom field values consistently
Previously HR Import was validating incoming user custom field data without
first passing it through the user custom fields API.
This could lead to invalid data passing validation as it had not been
appropriately translated.
HR Import now correctly passes incoming data through the user custom fields
API prior to validation to ensure any invalid data is detected and not
imported.
TL-9116 Fixed broken images when viewing the description for a live Appraisal
TL-9118 HR Import now converts mixed case usernames to lower case
This fixes a backwards compatibility issue introduced by TL-8502.
TL-8502 improved validation of usernames being imported through HR Import.
Unfortunately a previously added hack was present which was converting
mixed case usernames to lower case.
TL-8502 reverted this hack, ensuring only completely valid usernames could
be imported, and any invalid usernames would be skipped with an error.
After the release of 2.9.7 we received several reports of people relying on
this conversion to import their data.
After much discussion we decided to treat this as a backwards compatibility
issue and fix it as a bug in 2.7 and 2.9.
Now when you import a username with mixed case you will receive a warning,
the username will be converted to lower case and the user will be
imported.
Please note that in Totara 9.0 you will receive an error and the user will
not be imported.
We advise those who are getting these warnings to fix the data they are
importing so as to make it accurate.
TL-9135 Fixed the use of files within textarea type custom fields
TL-9159 Multi-select custom field data params are now correctly deleted when the field is deleted
Previously data params for multi-select custom field values were not being
deleted when the multi-select custom field was deleted.
This resulted in orphaned data param records being left in the database.
Now when a multi-select custom field is deleted the data params for it are
also deleted.
Additionally an upgrade step will clean up any orphaned multi-select data
params that may be lurking in your database.
TL-9187 Fixed searching of the Program exceptions list by firstname and lastname
TL-9210 Fixed a missing iCal attachment in the Face-to-face session allocation notification email
TL-9235 Fixed the display of aggregated yes_or_no Report Builder columns
"Yes" is counted as 1, "No" is counted as 0. Aggregate functions use these
values for the calculations.
TL-9387 Fixed the display of Face-to-face sessions in the Face-to-face block
TL-9392 Available courses on the front page are no longer duplicated when the user is not enrolled in any courses
If the front page was configured to display a list of Enrolled Courses and
the user was not enrolled in any courses, a list of available courses was
displayed instead.
If the front page had also been configured to contain a list of available
courses, the list of available courses was then displayed twice.
Now, when the front page is configured to display both the available and
the enrolled courses lists and the user is not enrolled in any courses, the
enrolled courses section prints nothing, so the available courses list is
shown only once.
TL-9397 Fixed an error encountered while exporting a Face-to-face cancellation report
This fixes a regression introduced by TL-6962, released in Totara 2.7.14
and 2.9.6.
TL-9438 Fixed average aggregation within Report Builder when using MSSQL
MSSQL now ensures that it is using decimals when fetching average
aggregations.
TL-9453 Prevented the adding of a Program to a Learning Plan from resetting Program status
When a program was already assigned to a user, if the same program was then
added to the user's learning plan, the status of the program was reset. The
program would likely be re-marked completed by cron, but only if the course
requirements were unchanged and the courses involved were still marked
complete.
Additionally, dates related to the program may have changed.
This fix prevents changes when adding a program to a learning plan if the
user is already assigned to the program.
TL-9485 Fixed data param handling in the core data object class
TL-9669 Fixed the possibility of a "maximum SQL input variables" bug within the Face-to-face upgrade
Contributions:
* Davo Smith at Synergy Learning - TL-9485
* Francis Devine at Catalyst NZ - TL-9086
* Nigel Cunningham at Catalyst AU - TL-8601
Release 2.6.34 (26th July 2016):
Security issues:
TL-9340 Fixed access control when deleting calendar subscriptions
Users can only delete their own calendar subscriptions.
Previously it was possible to craft a special request that would allow you
to delete a calendar subscription regardless of whether you were the owner
or not.
The moodle/calendar:manageownentries capability is now consistently
checked.
TL-9400 Fixed access control when deleting personal goals
A user's personal goals can only be deleted if one of the following
conditions is true for the current user:
1. They have the totara/hierarchy:managegoalassignments capability in the
system context.
2. They are a manager of the goal's owner and they have the
totara/hierarchy:managestaffpersonalgoal capability in the goal owner's user context.
3. It is one of their own personal goals and they have the
totara/hierarchy:manageownpersonalgoal capability in the system context.
Previously it was possible to craft a special request that would allow you
to delete any personal goal, regardless of whether it was one of your
personal goals or not.
The relevant capability checks are now consistently applied.
TL-9515 Fixed sanitisation of user's firstname and lastname when sending emails
Totara was not previously sanitising a user's firstname and lastname
correctly when compiling emails to the user.
An authenticated user could therefore alter their firstname or lastname in
Totara to contain invalid content, including additional email addresses.
Because the firstname and lastname were not sanitised before being placed
in the email headers, this could be abused to send spam to others.
The user's firstname and lastname are now properly sanitised.
References MDL-55069
Improvements:
TL-9221 Added the ability to resolve dismissed program exceptions to the completion editor
The Program and Certification completion editors now display information
about dismissed program exceptions when viewing a user's completion data,
and allow dismissed exceptions to be overridden.
TL-9483 Fixed Behat file uploads to work in all browsers and in remote selenium instances
TL-9484 Added a workaround for missing alert confirmation support in PhantomJS
Bug fixes:
TL-5108 Stopped timezones being displayed within Face-to-face reports when they are disabled in the plugin settings
TL-5654 Added missing notification templates to Face-to-face settings
TL-9135 Fixed the use of files within textarea type custom fields
TL-9210 Fixed a missing iCal attachment in the Face-to-face session allocation notification email
TL-9392 Available courses on the front page are no longer duplicated when the user is not enrolled in any courses
If the front page was configured to display a list of Enrolled Courses and
the user was not enrolled in any courses, a list of available courses was
displayed instead.
If the front page had also been configured to contain a list of available
courses, the list of available courses was then displayed twice.
Now, when the front page is configured to display both the available and
the enrolled courses lists and the user is not enrolled in any courses, the
enrolled courses section prints nothing, so the available courses list is
shown only once.
TL-9453 Prevented the adding of a Program to a Learning Plan from resetting Program status
When a program was already assigned to a user, if the same program was then
added to the user's learning plan, the status of the program was reset. The
program would likely be re-marked completed by cron, but only if the course
requirements were unchanged and the courses involved were still marked
complete.
Additionally, dates related to the program may have changed.
This fix prevents changes when adding a program to a learning plan if the
user is already assigned to the program.
TL-9466 Fixed notice when sending registration information via cron when executed from the command line
Release 2.5.41 (26th July 2016):
Security issues:
TL-9340 Fixed access control when deleting calendar subscriptions
Users can only delete their own calendar subscriptions.
Previously it was possible to craft a special request that would allow you
to delete a calendar subscription regardless of whether you were the owner
or not.
The moodle/calendar:manageownentries capability is now consistently
checked.
TL-9400 Fixed access control when deleting personal goals
A user's personal goals can only be deleted if one of the following
conditions is true for the current user:
1. They have the totara/hierarchy:managegoalassignments capability in the
system context.
2. They are a manager of the goal's owner and they have the
totara/hierarchy:managestaffpersonalgoal capability in the goal owner's user context.
3. It is one of their own personal goals and they have the
totara/hierarchy:manageownpersonalgoal capability in the system context.
Previously it was possible to craft a special request that would allow you
to delete any personal goal, regardless of whether it was one of your
personal goals or not.
The relevant capability checks are now consistently applied.
TL-9515 Fixed sanitisation of user's firstname and lastname when sending emails
Totara was not previously sanitising a user's firstname and lastname
correctly when compiling emails to the user.
An authenticated user could therefore alter their firstname or lastname in
Totara to contain invalid content, including additional email addresses.
Because the firstname and lastname were not sanitised before being placed
in the email headers, this could be abused to send spam to others.
The user's firstname and lastname are now properly sanitised.
References MDL-55069
Improvements:
TL-9221 Added the ability to resolve dismissed program exceptions to the completion editor
The Program and Certification completion editors now display information
about dismissed program exceptions when viewing a user's completion data,
and allow dismissed exceptions to be overridden.
Bug fixes:
TL-9392 Available courses on the front page are no longer duplicated when the user is not enrolled in any courses
If the front page was configured to display a list of Enrolled Courses and
the user was not enrolled in any courses, a list of available courses was
displayed instead.
If the front page had also been configured to contain a list of available
courses, the list of available courses was then displayed twice.
Now, when the front page is configured to display both the available and
the enrolled courses lists and the user is not enrolled in any courses, the
enrolled courses section prints nothing, so the available courses list is
shown only once.
TL-9453 Prevented the adding of a Program to a Learning Plan from resetting Program status
When a program was already assigned to a user, if the same program was then
added to the user's learning plan, the status of the program was reset. The
program would likely be re-marked completed by cron, but only if the course
requirements were unchanged and the courses involved were still marked
complete.
Additionally, dates related to the program may have changed.
This fix prevents changes when adding a program to a learning plan if the
user is already assigned to the program.
TL-9466 Fixed notice when sending registration information via cron when executed from the command line
Release 2.4.43 (26th July 2016):
Security issues:
TL-9340 Fixed access control when deleting calendar subscriptions
Users can only delete their own calendar subscriptions.
Previously it was possible to craft a special request that would allow you
to delete a calendar subscription regardless of whether you were the owner
or not.
The moodle/calendar:manageownentries capability is now consistently
checked.
TL-9515 Fixed sanitisation of user's firstname and lastname when sending emails
Totara was not previously sanitising a user's firstname and lastname
correctly when compiling emails to the user.
An authenticated user could therefore alter their firstname or lastname in
Totara to contain invalid content, including additional email addresses.
Because the firstname and lastname were not sanitised before being placed
in the email headers, this could be abused to send spam to others.
The user's firstname and lastname are now properly sanitised.
References MDL-55069
Bug fixes:
TL-9466 Fixed notice when sending registration information via cron when executed from the command line
Release 2.2.49 (26th July 2016):
Security issues:
TL-9515 Fixed sanitisation of user's firstname and lastname when sending emails
Totara was not previously sanitising a user's firstname and lastname
correctly when compiling emails to the user.
An authenticated user could therefore alter their firstname or lastname in
Totara to contain invalid content, including additional email addresses.
Because the firstname and lastname were not sanitised before being placed
in the email headers, this could be abused to send spam to others.
The user's firstname and lastname are now properly sanitised.
References MDL-55069
Bug fixes:
TL-9298 Fixed PHP warnings on the My Learning page when there are no tasks or alerts
