Hello everyone,
The following versions of Totara have now been released:
- 9.0 rc1
- 2.9.11
- 2.7.19
- 2.6.36
- 2.5.43
- 2.4.45
- 2.2.51
The stable releases do contain security fixes and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements.
Thanks to the following people for their contributions to this release:
- Andre Yamin at Kineo NZ - TL-9491
- Russell England at Kineo USA - TL-10235
Kind regards
Sam Hemelryk
Package information:
| SHA1 checksum | Package name | Size |
|---|---|---|
| 0a2e0bef9c250f0af58a7254f48470704a1de56c | totaralms-9.0-rc1.tar.gz | 51M |
| c1e1f173923e736cd77ec51c828fb2356b60fe23 | totaralms-2.9.11.tar.gz | 47M |
| c6f3c9f4f8d2dabf32be1dd1234145f74868b728 | totaralms-2.7.19.tar.gz | 56M |
| 384e093522884100abb9624fdc4c5e0cd99fb37c | totaralms-2.6.36.tar.gz | 50M |
| 6c4840352e4504ac43abe1951591d8b7934cfe6f | totaralms-2.5.43.tar.gz | 44M |
| 156c4beca89e63b902e021541771daf52348c93b | totaralms-2.4.45.tar.gz | 32M |
| 63f0c85d7c861c6a5a7db6529cde239f4d278257 | totaralms-2.2.51.tar.gz | 26M |
Release 9.0 release candidate 1 (22nd September 2016):
Changelogs for the 9.0 release will be provided with the final, production-ready release, due out early October. Please see the release announcement for this release for more information.
Release 2.9.11 (22nd September 2016):
Important:
TL-8675 Improvements to certification completion import
There were several bugs and unexpected behaviours in the import
certification completion module. This was often compounded by the confusion
about how the "Override" option was supposed to work.
To solve these problems, major changes were required. The internal
processes have been completely rewritten, allowing the result of importing
records to be clearly defined. Detailed logs are recorded in the
certification completion transaction logs.
To facilitate this, the "Override" option has been removed. To reduce
confusion and allow flexibility, it was replaced with a new setting called
"Import action" which has three possible settings: "Save to history",
"Certify uncertified users" and "Certify if newer". The old "Override off"
maps most closely to "Save to history", while "Override on" maps most
closely to "Certify if newer". Detailed help has been included for these
options in a popup, clearly explaining what will happen given any
combination of input record and existing data.
While "bulk" database transactions were maintained and improved, it is
possible that this change could lead to an increase in import processing
times. Most notably, user assignments are now being properly processed
during import, which could increase running time when importing a large
number of records for users who are not already assigned. This can be
avoided by assigning the users to the certification first, making sure to
wait for "deferred" user assignments to finish being processed by the
scheduled task, before importing the completion records.
Course completion import was not affected by this change.
TL-9717 Prevent circular management structures being created using HR Import
TL-7902 prevented circular management structures being created using the
position assignments form. This patch enforces the same rules for data
imported using HR import.
If you attempt to import users with management structures that would lead
to circular references, all users forming the circular reference will fail
to import with a notice explaining why.
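A sketch of the rule TL-9717 describes, as an added example that is not Totara's HR Import code: it merges the imported rows with the current assignments, finds every user on a manager cycle, and rejects those rows with a notice. The function names, the sample data and the choice to re-check after each rejection (a rejected row falls back to the user's current manager, which can itself close a loop) are assumptions of this sketch.

```python
def find_cycle_members(manager_of):
    """Return every user that sits on a cycle in a user -> manager mapping."""
    state = {}                      # user -> "visiting" | "done"
    on_cycle = set()
    for start in manager_of:
        path = []
        user = start
        # Walk up the management chain until it ends or reaches a known user.
        while user is not None and user not in state:
            state[user] = "visiting"
            path.append(user)
            user = manager_of.get(user)
        # Reaching a user from the current walk means the chain loops back.
        if user is not None and state.get(user) == "visiting":
            on_cycle.update(path[path.index(user):])
        for seen in path:
            state[seen] = "done"
    return on_cycle


def plan_import(existing, rows):
    """Decide which imported (user, manager) rows can be applied.

    existing: current user -> manager map, assumed to be cycle-free.
    rows:     imported (user, manager) pairs.
    Returns (accepted, rejected); rejected maps each failed user to a notice.
    """
    pending = dict(rows)
    rejected = {}
    while True:
        merged = {**existing, **pending}
        bad = {u for u in find_cycle_members(merged) if u in pending}
        if not bad:
            return pending, rejected
        for user in sorted(bad):
            manager = pending.pop(user)
            rejected[user] = (
                f"manager '{manager}' would create a circular management structure"
            )


# Constructed sample data: current assignments and one import file.
EXISTING = {"x": "y", "y": None, "z": None, "w": "y"}
ROWS = [("x", "z"), ("z", "x"), ("y", "x"), ("w", "z")]

if __name__ == "__main__":
    accepted, rejected = plan_import(EXISTING, ROWS)
    print("accepted:", accepted)
    for user, notice in rejected.items():
        print(f"rejected {user}: {notice}")
```

In the sample, x and z fail first because they manage each other; y then fails because x keeps its current manager y, so the row y -> x would close a second loop.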
TL-10487 Inclusion of Moodle 2.9.8
Please note not all changes included in Moodle 2.9.8 were included in this
release.
Specifically MDL-49026 was not included as we feel a more complete solution
can be found; TL-10488 will be used to find that complete solution.
Security issues:
TL-10044 Removed unnecessary sesskey param when managing hierarchies
The sesskey param was previously passed on hierarchy management actions,
including those that had confirmation steps.
The sesskey is now only added when actually performing the action, and all
actions have been confirmed to redirect.
This ensures that the sesskey is never exposed unnecessarily when managing
hierarchies.
TL-10355 Fixed information disclosure within Feedback 360 responses
Previously one of the Feedback 360 AJAX scripts could be used to test which
users had responded to a Feedback activity due to insufficient capability
checks.
Capability checks are now applied correctly and the output of the script
has been normalised so that it can no longer be used to test if a user has
responded.
TL-10435 Capability checks when changing hierarchy item types are now explicit
Prior to this update, access control when changing a hierarchy item type was
carried out by the admin setting page capabilities. This allowed a user
with only the capability to manage frameworks to change item types.
The totara/hierarchy:update capability is now explicitly checked when
changing the type of a hierarchy item.
TL-10463 Applied stricter type validation when managing custom fields
Previously, when creating or editing custom fields, it was possible to
manipulate the form markup and use the loose validation to execute
exploits.
All custom field input types have been reviewed and much stricter type
validation is now in place to ensure that incoming data is stringently
cleaned.
TL-10489 Forgotten password workflow no longer exposes the token via headers
Previously if the theme introduced any external links on all pages, then
during the forgotten password process if the user followed these links the
token used to reset their password would be present in the referrer
information sent to the external page.
The token is now masked through a redirect on the initial request,
and is no longer exposed via referrer information.
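The referrer leak and the redirect-based masking described for TL-10489, modelled as an added example (not Totara's code): one handler renders the reset page at the URL that carries the token, the other moves the token into the session and redirects to a token-free URL before any page with links is rendered. The path, the token value and all function names are constructed for this sketch.

```python
from urllib.parse import urlsplit, parse_qs

RESET_PATH = "/login/forgot_password.php"            # hypothetical path
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"  # constructed sample value
REDIRECT_CODES = (301, 302, 303, 307, 308)


def _token_from(url):
    return parse_qs(urlsplit(url).query).get("token", [None])[0]


def render_direct(url, session):
    """'Before' behaviour: the reset page is rendered at the tokenised URL."""
    token = _token_from(url)
    if token is None:
        return 400, None
    session["reset_token"] = token
    return 200, None                 # page (with theme links) served here


def render_after_redirect(url, session):
    """'After' behaviour: stash the token server-side, then redirect."""
    token = _token_from(url)
    if token is not None:
        session["reset_token"] = token
        return 303, RESET_PATH       # Location carries no token
    if "reset_token" in session:
        return 200, None             # form rendered from session state
    return 400, None


def follow(handler, url, max_hops=5):
    """Play the browser: follow redirects and report where the user ends up."""
    session = {}
    for _ in range(max_hops):
        status, location = handler(url, session)
        if status not in REDIRECT_CODES:
            return status, url, session
        url = location
    raise RuntimeError("too many redirects")


def referer_sent_from(page_url):
    """Referer value sent when the user follows an external link on page_url,
    assuming the full URL is sent (scheme and host omitted for brevity)."""
    return page_url


def token_leaks(handler):
    """True if the reset token would reach an external site via Referer."""
    emailed_link = f"{RESET_PATH}?token={SAMPLE_TOKEN}"
    status, final_url, session = follow(handler, emailed_link)
    if status != 200 or session.get("reset_token") != SAMPLE_TOKEN:
        raise RuntimeError("reset page was not reached")
    return SAMPLE_TOKEN in referer_sent_from(final_url)


if __name__ == "__main__":
    print("render_direct leaks token:", token_leaks(render_direct))
    print("render_after_redirect leaks token:", token_leaks(render_after_redirect))
```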
Improvements:
TL-9426 Program assignments with due date based on first login will be assigned immediately
Previously, if you assigned users to a program or certification and set
their due date to "within N days of first login" then the user assignment
and program and certification completion records were not being created
until the user first logged in. Now, these records are created immediately,
and will be updated with a due date when the user first logs in. This is
consistent with adding a user with no due date criteria and later adding
the "first login" criteria. Note that users who previously had been
assigned and were immediately given the "first login" criteria were not
showing in completion reports until they first logged in - now they will be
included in reports immediately. Previous report behaviour can be achieved
by using the "User First Access" report filter.
TL-9491 Enhanced SCORM report source to use additional tracking fields
TL-10161 Added accessibility text to action menus
TL-10358 Deleted unused test course backup file
TL-10469 Stopped duplicate log entries being created when creating an objective within a plan
Bug fixes:
TL-8803 Fixed rules for first/last log in dates in dynamic audiences
This fixes an issue where users who have never logged in are incorrectly
included in dynamic audiences with a single rule, of the type first log in,
or last log in.
Users who have never logged in are now correctly excluded.
Please note this may lead to audience membership changes if you have any
dynamic audiences with a single rule, of the type first log in, or last log
in.
TL-9275 Fixed the variable translations for course reminder templates
TL-9405 Fixed the visibility of user profile custom fields in user reports
TL-9431 Fixed the formatting of Report Builder titles when exporting to Excel
TL-9480 Always reset activity grades when course completion is archived
Previously, when course completion was archived (due to certification
window opening, or by using the "Completions archive" link), it was
possible that under some specific circumstances activity grades were not
being reset, possibly leading to unwanted re-completion of the activity,
course and/or certification. Now, activity grades will always be reset, in
all activities, including custom activities. Activities which implement the
"_archive_completion" function are no longer required to
reset grades themselves, although they may continue to reset grades if they
do so already.
TL-9490 Fixed the pagination of content when viewing a category
TL-9512 Fixed incorrect uniqueness checks on empty user custom profile fields
TL-9701 Report builder graph legend now sizes dynamically to better accommodate its content
TL-9734 Corrected the "is equal to" proficiency filter in Competency Status report
TL-9776 Corrected the string used by the "status" filter in Program Membership reports
TL-9793 Fixed dimming of course names in course overview block when audience visibility is on
TL-9801 Fixed incorrect API call when upgrading dashboards
TL-9806 Fixed undefined event property when assigning goals to a hierarchy item
TL-9889 Fixed undefined property allowduplicatedemails warning on HR import user CSV page
TL-10033 Fixed program course sets set to "Some courses" and "0"
TL-10088 Fixed pagination within the Totara Report block
TL-10116 Fixed Face-to-face notification templates when manager copy prefix was missing
TL-10181 Site managers within category context can now see users emails in program assignment dialogs
TL-10229 Fixed upgrade of assignment submissions which had been graded twice
TL-10235 Face-to-face events are now correctly shown on the site calendar when configured to do so
TL-10251 Fixed HTML validation when viewing a single badge
TL-10275 Removed empty link from Record of Learning previous course completion column
TL-10313 Fixed Report builder graph placement issues in PDF exports
TL-10341 Removed program status column for non-assigned users
The status column was recently inadvertently added when non-assigned users
were viewing a program or certification.
TL-10400 Audience start and end dates are now shown correctly on the overview tab
TL-10425 Searching without providing a term no longer leads to an error in Report Builder
TL-10446 Removed invalid future 3.2 version from server environment tests
Contributions:
* Andre Yamin at Kineo NZ - TL-9491
* Russell England at Kineo USA - TL-10235
Release 2.7.19 (22nd September 2016):
Important:
TL-8675 Improvements to certification completion import
There were several bugs and unexpected behaviours in the import
certification completion module. This was often compounded by the confusion
about how the "Override" option was supposed to work.
To solve these problems, major changes were required. The internal
processes have been completely rewritten, allowing the result of importing
records to be clearly defined. Detailed logs are recorded in the
certification completion transaction logs.
To facilitate this, the "Override" option has been removed. To reduce
confusion and allow flexibility, it was replaced with a new setting called
"Import action" which has three possible settings: "Save to history",
"Certify uncertified users" and "Certify if newer". The old "Override off"
maps most closely to "Save to history", while "Override on" maps most
closely to "Certify if newer". Detailed help has been included for these
options in a popup, clearly explaining what will happen given any
combination of input record and existing data.
While "bulk" database transactions were maintained and improved, it is
possible that this change could lead to an increase in import processing
times. Most notably, user assignments are now being properly processed
during import, which could increase running time when importing a large
number of records for users who are not already assigned. This can be
avoided by assigning the users to the certification first, making sure to
wait for "deferred" user assignments to finish being processed by the
scheduled task, before importing the completion records.
Course completion import was not affected by this change.
TL-9717 Prevent circular management structures being created using HR Import
TL-7902 prevented circular management structures being created using the
position assignments form. This patch enforces the same rules for data
imported using HR import.
If you attempt to import users with management structures that would lead
to circular references, all users forming the circular reference will fail
to import with a notice explaining why.
TL-10486 Inclusion of Moodle 2.7.16
Please note not all changes included in Moodle 2.7.16 were included in this
release.
Specifically MDL-49026 was not included as we feel a more complete solution
can be found.
Security issues:
TL-10044 Removed unnecessary sesskey param when managing hierarchies
The sesskey param was previously passed on hierarchy management actions,
including those that had confirmation steps.
The sesskey is now only added when actually performing the action, and all
actions have been confirmed to redirect.
This ensures that the sesskey is never exposed unnecessarily when managing
hierarchies.
TL-10355 Fixed information disclosure within Feedback 360 responses
Previously one of the Feedback 360 AJAX scripts could be used to test which
users had responded to a Feedback activity due to insufficient capability
checks.
Capability checks are now applied correctly and the output of the script
has been normalised so that it can no longer be used to test if a user has
responded.
TL-10435 Capability checks when changing hierarchy item types are now explicit
Prior to this update, access control when changing a hierarchy item type was
carried out by the admin setting page capabilities. This allowed a user
with only the capability to manage frameworks to change item types.
The totara/hierarchy:update capability is now explicitly checked when
changing the type of a hierarchy item.
TL-10463 Applied stricter type validation when managing custom fields
Previously, when creating or editing custom fields, it was possible to
manipulate the form markup and use the loose validation to execute
exploits.
All custom field input types have been reviewed and much stricter type
validation is now in place to ensure that incoming data is stringently
cleaned.
TL-10489 Forgotten password workflow no longer exposes the token via headers
Previously if the theme introduced any external links on all pages, then
during the forgotten password process if the user followed these links the
token used to reset their password would be present in the referrer
information sent to the external page.
The token is now masked through a redirect on the initial request,
and is no longer exposed via referrer information.
Improvements:
TL-9426 Program assignments with due date based on first login will be assigned immediately
Previously, if you assigned users to a program or certification and set
their due date to "within N days of first login" then the user assignment
and program and certification completion records were not being created
until the user first logged in. Now, these records are created immediately,
and will be updated with a due date when the user first logs in. This is
consistent with adding a user with no due date criteria and later adding
the "first login" criteria. Note that users who previously had been
assigned and were immediately given the "first login" criteria were not
showing in completion reports until they first logged in - now they will be
included in reports immediately. Previous report behaviour can be achieved
by using the "User First Access" report filter.
TL-9491 Enhanced SCORM report source to use additional tracking fields
TL-10358 Deleted unused test course backup file
TL-10469 Stopped duplicate log entries being created when creating an objective within a plan
Bug fixes:
TL-8803 Fixed rules for first/last log in dates in dynamic audiences
This fixes an issue where users who have never logged in are incorrectly
included in dynamic audiences with a single rule, of the type first log in,
or last log in.
Users who have never logged in are now correctly excluded.
Please note this may lead to audience membership changes if you have any
dynamic audiences with a single rule, of the type first log in, or last log
in.
TL-9480 Always reset activity grades when course completion is archived
Previously, when course completion was archived (due to certification
window opening, or by using the "Completions archive" link), it was
possible that under some specific circumstances activity grades were not
being reset, possibly leading to unwanted re-completion of the activity,
course and/or certification. Now, activity grades will always be reset, in
all activities, including custom activities. Activities which implement the
"_archive_completion" function are no longer required to
reset grades themselves, although they may continue to reset grades if they
do so already.
TL-9490 Fixed the pagination of content when viewing a category
TL-9512 Fixed incorrect uniqueness checks on empty user custom profile fields
TL-9701 Report builder graph legend now sizes dynamically to better accommodate its content
TL-9793 Fixed dimming of course names in course overview block when audience visibility is on
TL-9801 Fixed incorrect API call when upgrading dashboards
TL-10116 Fixed Face-to-face notification templates when manager copy prefix was missing
TL-10181 Site managers within category context can now see users emails in program assignment dialogs
TL-10235 Face-to-face events are now correctly shown on the site calendar when configured to do so
TL-10313 Fixed Report builder graph placement issues in PDF exports
TL-10341 Removed program status column for non-assigned users
The status column was recently inadvertently added when non-assigned users
were viewing a program or certification.
TL-10400 Audience start and end dates are now shown correctly on the overview tab
TL-10422 Fixed a JavaScript error occurring when playing some SCORM packages
TL-10425 Searching without providing a term no longer leads to an error in Report Builder
TL-10446 Removed invalid future 3.2 version from server environment tests
Contributions:
* Andre Yamin at Kineo NZ - TL-9491
* Russell England at Kineo USA - TL-10235
Release 2.6.36 (22nd September 2016):
Important:
TL-8675 Improvements to certification completion import
There were several bugs and unexpected behaviours in the import
certification completion module. This was often compounded by the confusion
about how the "Override" option was supposed to work.
To solve these problems, major changes were required. The internal
processes have been completely rewritten, allowing the result of importing
records to be clearly defined. Detailed logs are recorded in the
certification completion transaction logs.
To facilitate this, the "Override" option has been removed. To reduce
confusion and allow flexibility, it was replaced with a new setting called
"Import action" which has three possible settings: "Save to history",
"Certify uncertified users" and "Certify if newer". The old "Override off"
maps most closely to "Save to history", while "Override on" maps most
closely to "Certify if newer". Detailed help has been included for these
options in a popup, clearly explaining what will happen given any
combination of input record and existing data.
While "bulk" database transactions were maintained and improved, it is
possible that this change could lead to an increase in import processing
times. Most notably, user assignments are now being properly processed
during import, which could increase running time when importing a large
number of records for users who are not already assigned. This can be
avoided by assigning the users to the certification first, making sure to
wait for "deferred" user assignments to finish being processed by the
scheduled task, before importing the completion records.
Course completion import was not affected by this change.
TL-9717 Prevent circular management structures being created using HR Import
TL-7902 prevented circular management structures being created using the
position assignments form. This patch enforces the same rules for data
imported using HR import.
If you attempt to import users with management structures that would lead
to circular references, all users forming the circular reference will fail
to import with a notice explaining why.
Security issues:
TL-10044 Removed unnecessary sesskey param when managing hierarchies
The sesskey param was previously passed on hierarchy management actions,
including those that had confirmation steps.
The sesskey is now only added when actually performing the action, and all
actions have been confirmed to redirect.
This ensures that the sesskey is never exposed unnecessarily when managing
hierarchies.
TL-10355 Fixed information disclosure within Feedback 360 responses
Previously one of the Feedback 360 AJAX scripts could be used to test which
users had responded to a Feedback activity due to insufficient capability
checks.
Capability checks are now applied correctly and the output of the script
has been normalised so that it can no longer be used to test if a user has
responded.
TL-10435 Capability checks when changing hierarchy item types are now explicit
Prior to this update, access control when changing a hierarchy item type was
carried out by the admin setting page capabilities. This allowed a user
with only the capability to manage frameworks to change item types.
The totara/hierarchy:update capability is now explicitly checked when
changing the type of a hierarchy item.
TL-10463 Applied stricter type validation when managing custom fields
Previously, when creating or editing custom fields, it was possible to
manipulate the form markup and use the loose validation to execute
exploits.
All custom field input types have been reviewed and much stricter type
validation is now in place to ensure that incoming data is stringently
cleaned.
TL-10489 Forgotten password workflow no longer exposes the token via headers
Previously if the theme introduced any external links on all pages, then
during the forgotten password process if the user followed these links the
token used to reset their password would be present in the referrer
information sent to the external page.
The token is now masked through a redirect on the initial request,
and is no longer exposed via referrer information.
Improvements:
TL-9426 Program assignments with due date based on first login will be assigned immediately
Previously, if you assigned users to a program or certification and set
their due date to "within N days of first login" then the user assignment
and program and certification completion records were not being created
until the user first logged in. Now, these records are created immediately,
and will be updated with a due date when the user first logs in. This is
consistent with adding a user with no due date criteria and later adding
the "first login" criteria. Note that users who previously had been
assigned and were immediately given the "first login" criteria were not
showing in completion reports until they first logged in - now they will be
included in reports immediately. Previous report behaviour can be achieved
by using the "User First Access" report filter.
TL-10358 Deleted unused test course backup file
Bug fixes:
TL-8803 Fixed rules for first/last log in dates in dynamic audiences
This fixes an issue where users who have never logged in are incorrectly
included in dynamic audiences with a single rule, of the type first log in,
or last log in.
Users who have never logged in are now correctly excluded.
Please note this may lead to audience membership changes if you have any
dynamic audiences with a single rule, of the type first log in, or last log
in.
TL-10422 Fixed a JavaScript error occurring when playing some SCORM packages
Release 2.5.43 (22nd September 2016):
Security issues:
TL-10044 Removed unnecessary sesskey param when managing hierarchies
The sesskey param was previously passed on hierarchy management actions,
including those that had confirmation steps.
The sesskey is now only added when actually performing the action, and all
actions have been confirmed to redirect.
This ensures that the sesskey is never exposed unnecessarily when managing
hierarchies.
TL-10355 Fixed information disclosure within Feedback 360 responses
Previously one of the Feedback 360 AJAX scripts could be used to test which
users had responded to a Feedback activity due to insufficient capability
checks.
Capability checks are now applied correctly and the output of the script
has been normalised so that it can no longer be used to test if a user has
responded.
TL-10435 Capability checks when changing hierarchy item types are now explicit
Prior to this update, access control when changing a hierarchy item type was
carried out by the admin setting page capabilities. This allowed a user
with only the capability to manage frameworks to change item types.
The totara/hierarchy:update capability is now explicitly checked when
changing the type of a hierarchy item.
TL-10463 Applied stricter type validation when managing custom fields
Previously, when creating or editing custom fields, it was possible to
manipulate the form markup and use the loose validation to execute
exploits.
All custom field input types have been reviewed and much stricter type
validation is now in place to ensure that incoming data is stringently
cleaned.
Improvements:
TL-10358 Deleted unused test course backup file
Release 2.4.45 (22nd September 2016):
Security issues:
TL-10435 Capability checks when changing hierarchy item types are now explicit
Prior to this update, access control when changing a hierarchy item type was
carried out by the admin setting page capabilities. This allowed a user
with only the capability to manage frameworks to change item types.
The totara/hierarchy:update capability is now explicitly checked when
changing the type of a hierarchy item.
TL-10463 Applied stricter type validation when managing custom fields
Previously, when creating or editing custom fields, it was possible to
manipulate the form markup and use the loose validation to execute
exploits.
All custom field input types have been reviewed and much stricter type
validation is now in place to ensure that incoming data is stringently
cleaned.
Release 2.2.51 (22nd September 2016):
Security issues:
TL-10435 Capability checks when changing hierarchy item types are now explicit
Prior to this update, access control when changing a hierarchy item type was
carried out by the admin setting page capabilities. This allowed a user
with only the capability to manage frameworks to change item types.
The totara/hierarchy:update capability is now explicitly checked when
changing the type of a hierarchy item.
TL-10463 Applied stricter type validation when managing custom fields
Previously, when creating or editing custom fields, it was possible to
manipulate the form markup and use the loose validation to execute
exploits.
All custom field input types have been reviewed and much stricter type
validation is now in place to ensure that incoming data is stringently
cleaned.
