Hello everyone,
The following versions of Totara have now been released:
- 9.1
- 2.9.13
- 2.7.21
- 2.6.38
- 2.5.45
- 2.4.47
- 2.2.53
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements.
Thanks to the following people for their contributions to this release:
- Davo Smith at Synergy Learning - TL-10917
- Jo Jones at Kineo - TL-11157
Kind regards
Sam Hemelryk
| SHA1 checksum | Size | Package |
|---|---|---|
| 8d128b0ddc6d27242a42e7e31b24aa21f22b132b | 51M | totaralms-9.1.tar.gz |
| d5209694c2da4482a75bb0ecaa3e08cb92f844e0 | 47M | totaralms-2.9.13.tar.gz |
| 8514bb3cb9922ef6583810d8c5a8d6be13feec67 | 56M | totaralms-2.7.21.tar.gz |
| c5a443a6c9a3528df9f61efc78e2bedb42747fe6 | 50M | totaralms-2.6.38.tar.gz |
| d52447ce70eaa513e95b700293b98052c53e3347 | 44M | totaralms-2.5.45.tar.gz |
| 312b3a03c6848b309e423c391e5bcdcd8d009da0 | 32M | totaralms-2.4.47.tar.gz |
| f3293e1be301f3c78699a68988c0b779fe144145 | 26M | totaralms-2.2.53.tar.gz |
Release 9.1 (22nd November 2016):
Important:
TL-10252 Non-date picker uses of date picker strings changed to langconfig strings
Code unrelated to date pickers has been updated to use strings from the
langconfig language pack. Date picker strings should only be used in
relation to date pickers. Code now using the langconfig strings will
benefit from customisations made to those strings.
Additionally, the lang string customfieldtextdateformat was added in
totara_customfield. If you have customised the lang string
datepickerlongyearregexphp then after upgrading you should change
customfieldtextdateformat to your custom regular expression.
TL-11112 The default encoding is now consistently set to UTF-8
Totara now sets UTF-8 as default encoding for PHP scripts to prevent hard
to detect problems on sites with non-standard php.ini settings. There are
no known problems in Totara, but this change may help with compatibility in
external libraries and 3rd party plugins.
TL-11114 Incompatible plugin updates and installer code was removed
Totara LMS does not include an add-on installer; all additional plugins
must be installed manually by server administrators.
Before installing any additional plugins please make sure the code was
tested with Totara LMS, is secure, is maintained by its authors and contains
phpunit and behat tests.
Totara Learning Solutions support does not cover plugins that are not
included in the standard distribution.
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. course and objectives) using just the component identifier
e.g. objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone *all*
components associated with it were removed. Hence the data loss.
The system now checks component type in addition to ID to prevent this
happening.
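The ID-only delete described in TL-11157 beside the type-and-ID delete, as an added example (not Totara's code). The table name plan_component_relation, its columns and the sample rows are assumptions constructed for illustration; the collision audit goes slightly beyond the note, showing how to tell whether a table holds the colliding identifiers at all.

```python
import sqlite3

TABLE = "plan_component_relation"  # hypothetical name, not Totara's real schema

# Constructed sample rows: (component1, itemid1, component2, itemid2)
SAMPLE_RELATIONS = [
    ("course", 5, "objective", 7),      # the relation we intend to remove
    ("course", 7, "competency", 3),     # unrelated: a *course* whose ID is also 7
    ("competency", 3, "objective", 8),  # unrelated: no ID 7 anywhere
]


def build_db():
    """Create an in-memory relation table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"""CREATE TABLE {TABLE} (
                id INTEGER PRIMARY KEY,
                component1 TEXT NOT NULL, itemid1 INTEGER NOT NULL,
                component2 TEXT NOT NULL, itemid2 INTEGER NOT NULL)"""
    )
    conn.executemany(
        f"INSERT INTO {TABLE} (component1, itemid1, component2, itemid2) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_RELATIONS,
    )
    conn.commit()
    return conn


def colliding_ids(conn):
    """IDs that appear under more than one component type (the risky case)."""
    rows = conn.execute(
        f"""SELECT itemid FROM (
                SELECT component1 AS component, itemid1 AS itemid FROM {TABLE}
                UNION
                SELECT component2, itemid2 FROM {TABLE})
            GROUP BY itemid
            HAVING COUNT(DISTINCT component) > 1
            ORDER BY itemid"""
    ).fetchall()
    return [r[0] for r in rows]


def delete_by_id_only(conn, itemid):
    """Pre-fix behaviour: match on the identifier alone."""
    cur = conn.execute(
        f"DELETE FROM {TABLE} WHERE itemid1 = ? OR itemid2 = ?",
        (itemid, itemid),
    )
    return cur.rowcount


def delete_by_type_and_id(conn, component, itemid):
    """Post-fix behaviour: the component type must match as well as the ID."""
    cur = conn.execute(
        f"""DELETE FROM {TABLE}
            WHERE (component1 = ? AND itemid1 = ?)
               OR (component2 = ? AND itemid2 = ?)""",
        (component, itemid, component, itemid),
    )
    return cur.rowcount


def remaining(conn):
    """Rows left in the relation table, in insertion order."""
    return conn.execute(
        f"SELECT component1, itemid1, component2, itemid2 FROM {TABLE} ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    before = build_db()
    print("IDs shared across component types:", colliding_ids(before))
    print("ID-only delete removed", delete_by_id_only(before, 7), "rows")
    print("left:", remaining(before))

    after = build_db()
    print("type+ID delete removed",
          delete_by_type_and_id(after, "objective", 7), "rows")
    print("left:", remaining(after))
```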
Security issues:
TL-10752 Implemented additional checks within the Appraisal review ajax script
TL-5178 Added a missing sesskey check to feedback/assignments.php
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
TL-8849 Improved validation when managing Seminar custom fields
Previously it was possible to view custom fields from areas outside of
Seminars through the Seminar custom field management page.
This page now properly verifies that the custom fields being requested
belong to a Seminar area.
Improvements:
TL-10038 Added a warning entry into the HR Import import log if data contains a user that has their "HR import" setting disabled
TL-10097 Removed whitespace when editing individual feedback 360 requests
TL-10203 Improved efficiency when importing users that include dropdown menu profile field data
A significant performance gain has been made when importing users through
HR Import on sites that use drop down menu profile custom fields.
The import process should now run much faster than before.
TL-10292 Added a legend when exporting and importing questions by category or context from within the question bank
TL-10627 Improved appraisal snapshot PDF rendering
TL-10654 Improved display of username when viewing as another role
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
TL-10705 Improved the help text within Seminar when uploading attendees by CSV file
TL-10731 Added setting to allow limiting of feedback reminders sent out
A new setting has been added, 'reminder_maxtimesincecompletion', which can
be used to limit the number of days after course completion in which
feedback activity reminders will be sent. This may be used to prevent
reminders being sent for historic course completions after they are
imported via upload.
TL-10782 Seminar direct enrolment instances within a course can now be manually removed when no longer wanted
TL-10793 Improved support of RTL languages within Report builder reports in the new themes
TL-10909 Improved wording of course activity reports visibility setting help
TL-10917 Improved the performance of admin settings for PDF fonts
TL-10947 Removed duplicated link in the My team block
TL-10965 Improved program assignments to recognise changes in hierarchies related to 'all below' assignments
Previously, if a change was made to a lower level of a hierarchy then the
change did not trigger the deferred program assignment update. Instead, the
change would not be applied until the program user assignments cron task
was run.
Now, the change immediately flags the related program for update and will
be processed by the deferred program assignments task.
TL-11001 Mark completion reaggregated after each record is processed
Previously, completion_regular_task would first process all records which
had a reaggregate flag greater than one, then finally set the flags on all
the records to 0. Now, the reaggregate flag is set to 0 after each record
is processed.
TL-11026 Improved move left and move right functionality when editing a course
TL-11041 Site level administrative approvers setting in Seminars has been relocated to Seminars > Global settings
TL-11045 Seminar upcoming and previous headings are now the correct level
TL-11051 The Seminar event "Add approver" button is now disabled when it is not relevant
TL-11052 Changed text when removing users from a seminar event
TL-9325 Moved the add event link within Seminar above the upcoming events display
Bug fixes:
TL-10108 Prevented program due messages being sent when the user is already complete
This fix affects several messages: program due, program overdue, course set
due and course set overdue. In programs and certifications, just before one
of these messages is sent, a check is performed to ensure that the user
hasn't completed the program or certification in the meantime.
TL-10213 Reduced the number of joins in appraisal details report with scale value questions
Multi-choice, single answer questions no longer need a join, while
multi-choice, multi-select questions now require just one join per role per
question (down from two).
A consequence of this change is that multi-choice columns will no longer be
sorted alphabetically in this report. Instead, if you sort a multi-choice
column, the records will be shown in the same order as the options are
defined and as they appear when completing the appraisal.
MySQL is inherently limited to 61 joins, but now more questions can be
added before this limit is reached.
TL-10244 Removed unnecessary italic format from the my team block
TL-10273 Removed unnecessary fieldset around forum search
TL-10311 Controls in the element library now link to the same page
TL-10320 Corrected the accessibility link between the Seminar event export label and its select input
TL-10331 Ensured URL custom fields are cleaned using PARAM_URL when uploaded via HR Import
TL-10332 Added default behaviour of do not open in new window for URL custom fields when added or updated via HR Import
TL-10360 Competency completion calculations now correctly look at previously completed courses
Courses completed before the last time a competency is modified are now
correctly considered for competency assignment.
TL-10687 Dock action icons now use the same colour as block actions in basis
TL-10766 Fixed colour of legends and help icons in Kiwifruit responsive
TL-10787 Fixed a php notice generated when a competency is added to a learning plan with optional courses
TL-10819 Added code to re-run an upgrade step to delete report data for deleted users
The issue was caused by TL-8711 and fixed by TL-10804.
TL-10837 Added workaround for iOS 10 bug causing problems with video playback
TL-10853 Ensured consistent spacing around the login info within the Basis theme footer
TL-10891 Fixed overactive validation of Seminar cutoff against dates
Previously when editing a Seminar event in which the current date was
already within the cutoff period, if you attempted to edit the event you
could not save because the cutoff was too close, even in situations when
you were not changing the dates or the cutoff.
Cutoff validation is now only applied when the dates are changing, or when
the cutoff period is changing.
TL-10901 Fixed missing course events from calendar when viewing all
Previously, many events were being excluded from the calendar when being
viewed by a user with the capability moodle/calendar:manageentries while
the site setting 'calendar_adminseesall' was turned on. To fix this, the
process of selecting events from courses to show in the calendar has been
improved. However, for performance reasons, there is still a limit on how
many courses have events shown in the calendar. This limit has been set at
50 courses by default. The limit can be adjusted using a new setting,
calendar_adminallcourseslimit. See config-dist.php for more information on
that setting.
TL-10905 Stopped a duplicate error message from being displayed on the login screen when the session has expired
TL-10910 Fixed required permissions for appraisals aggregate questions
TL-10916 Fixed a debug error within the Current Learning block when images are added to the summary of a program or certification
TL-10946 Removed false deprecation message for the viewmyteam string
TL-10955 Fixed database error when generating a report with search columns
TL-10956 Fixed the display of the marking guide editing interface
Missing selectors from Totara's new themes have been added to now catch
each type of advanced grading form: marking guide & Rubric.
As themes continue to prefer CSS applied without the use of the 'style'
attribute, the maximum grade form input has also had its explicit width
removed.
The Javascript calculation of textarea widths inside the form has also
been simplified, with height now being the only value calculated & set.
TL-10963 Added tabs to the seminar events and session report pages and ensured bookmarking of both pages can be achieved
TL-10972 Deleting a Seminar now correctly removes orphaned notification records
TL-10979 Ensured certification messages can be resent on subsequent recertifications
This patch ensures that all applicable certification messages are reset
when a user's recertification window opens, allowing them to be triggered
again for that user.
TL-10998 Removed inaccessible options in Program Administration block
TL-11009 Fixed the display of learning plan courses within the Current Learning block after being enrolled in a course
TL-11010 Fixed emails being sent to declined users when an event is closed
TL-11020 Caused program completion to be checked on assignment
Now, when users are assigned to programs and certifications, completion
will immediately be calculated. If the user has already completed the
courses required for program completion or certification, they will be
marked complete. Previously, the user would have had to wait for the
Program Completions scheduled task to run, which occurs once each night by
default.
This change also causes the first course set completion record to be
correctly created. Previously, it was not created until the first course
set was completed. Because it is being created at the correct time, course
set due and overdue messages related to the first course set will now be
correctly triggered.
TL-11047 Fixed an incorrect capability check made when checking whether a user can manage dashboards
TL-11060 Fixed a php notice generated within HR Sync when using the organisation or position elements
TL-11087 Ensured that IE9 chunked stylesheet paths are correctly generated
TL-11102 Fixed a timing issue in totara_core_webservice PHPUnit tests
TL-11138 Provided an IE9 compatible fallback for the loading icon
TL-7752 Fixed problems with program enrolment messages
Program enrolment and unenrolment messages are now resent each time a user
is assigned or unassigned, rather than just the first time either of those
events occur.
All program messages are now covered by automated tests.
TL-9301 Fixed Seminar event functionality when the cancellationnote default custom field has been deleted
TL-9846 Removed reference to deprecated variable when in a chat activity
TL-9993 Fixed the display of images within textareas in Learning Plans and Record of Learning Evidence
TL-9994 Stopped the actions column from being included when exporting Other Evidence report in the Record of Learning
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Davo Smith at Synergy Learning - TL-10917
* Jo Jones at Kineo - TL-11157
Release 2.9.13 (22nd November 2016):
Important:
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. course and objectives) using just the component identifier
e.g. objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone *all*
components associated with it were removed. Hence the data loss.
The system now checks component type in addition to ID to prevent this
happening.
Security issues:
TL-10752 Implemented additional checks within the Appraisal review ajax script
TL-5178 Added a missing sesskey check to feedback/assignments.php
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
Improvements:
TL-10203 Improved efficiency when importing users that include dropdown menu profile field data
A significant performance gain has been made when importing users through
HR Import on sites that use drop down menu profile custom fields.
The import process should now run much faster than before.
TL-10627 Improved appraisal snapshot PDF rendering
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
TL-10731 Added setting to allow limiting of feedback reminders sent out
A new setting has been added, 'reminder_maxtimesincecompletion', which can
be used to limit the number of days after course completion in which
feedback activity reminders will be sent. This may be used to prevent
reminders being sent for historic course completions after they are
imported via upload.
TL-10782 Face-to-face direct enrolment instances within a course can now be manually removed when no longer wanted
TL-10909 Improved wording of course activity reports visibility setting help
TL-10917 Improved the performance of admin settings for PDF fonts
TL-10965 Improved program assignments to recognise changes in hierarchies related to 'all below' assignments
Previously, if a change was made to a lower level of a hierarchy then the
change did not trigger the deferred program assignment update. Instead, the
change would not be applied until the program user assignments cron task
was run.
Now, the change immediately flags the related program for update and will
be processed by the deferred program assignments task.
TL-11001 Mark completion reaggregated after each record is processed
Previously, completion_regular_task would first process all records which
had a reaggregate flag greater than one, then finally set the flags on all
the records to 0. Now, the reaggregate flag is set to 0 after each record
is processed.
TL-9730 Allowed assign_user_position to manage roles in tests
Previously when running tests, role assignments had to be set up manually,
rather than using assign_user_position. Now, this function can set up the
roles during tests. This will improve testing, as the roles can now be set
up in tests using the same function that is used on live sites, rather than
having to simulate that functionality, avoiding possible discrepancies
between live code and test setup.
Bug fixes:
TL-10108 Prevented program due messages being sent when the user is already complete
This fix affects several messages: program due, program overdue, course set
due and course set overdue. In programs and certifications, just before one
of these messages is sent, a check is performed to ensure that the user
hasn't completed the program or certification in the meantime.
TL-10213 Reduced the number of joins in appraisal details report with scale value questions
Multi-choice, single answer questions no longer need a join, while
multi-choice, multi-select questions now require just one join per role per
question (down from two).
A consequence of this change is that multi-choice columns will no longer be
sorted alphabetically in this report. Instead, if you sort a multi-choice
column, the records will be shown in the same order as the options are
defined and as they appear when completing the appraisal.
MySQL is inherently limited to 61 joins, but now more questions can be
added before this limit is reached.
TL-10360 Competency completion calculations now correctly look at previously completed courses
Courses completed before the last time a competency is modified are now
correctly considered for competency assignment.
TL-10819 Added code to re-run an upgrade step to delete report data for deleted users
The issue was caused by TL-8711 and fixed by TL-10804.
TL-10837 Added workaround for iOS 10 bug causing problems with video playback
TL-10891 Fixed overactive validation of Face-to-face cutoff against dates
Previously when editing a Face-to-face event in which the current date was
already within the cutoff period, if you attempted to edit the event you
could not save because the cutoff was too close, even in situations when
you were not changing the dates or the cutoff.
Cutoff validation is now only applied when the dates are changing, or when
the cutoff period is changing.
TL-10901 Fixed missing course events from calendar when viewing all
Previously, many events were being excluded from the calendar when being
viewed by a user with the capability moodle/calendar:manageentries while
the site setting 'calendar_adminseesall' was turned on. To fix this, the
process of selecting events from courses to show in the calendar has been
improved. However, for performance reasons, there is still a limit on how
many courses have events shown in the calendar. This limit has been set at
50 courses by default. The limit can be adjusted using a new setting,
calendar_adminallcourseslimit. See config-dist.php for more information on
that setting.
TL-10910 Fixed required permissions for appraisals aggregate questions
TL-10955 Fixed database error when generating a report with search columns
TL-10972 Deleting a Face-to-face now correctly removes orphaned notification records
TL-10979 Ensured certification messages can be resent on subsequent recertifications
This patch ensures that all applicable certification messages are reset
when a user's recertification window opens, allowing them to be triggered
again for that user.
TL-10998 Removed inaccessible options in Program Administration block
TL-11020 Caused program completion to be checked on assignment
Now, when users are assigned to programs and certifications, completion
will immediately be calculated. If the user has already completed the
courses required for program completion or certification, they will be
marked complete. Previously, the user would have had to wait for the
Program Completions scheduled task to run, which occurs once each night by
default.
This change also causes the first course set completion record to be
correctly created. Previously, it was not created until the first course
set was completed. Because it is being created at the correct time, course
set due and overdue messages related to the first course set will now be
correctly triggered.
TL-11047 Fixed an incorrect capability check made when checking whether a user can manage dashboards
TL-11070 Fixed disabled Appraisal message entry fields
TL-11102 Fixed a timing issue in totara_core_webservice PHPUnit tests
TL-11118 Fixed the display of the Declare Interest button for past Face-to-face sessions
TL-1944 Corrected move left / right feature in the Face-to-face activity menu on the course page
TL-7752 Fixed problems with program enrolment messages
Program enrolment and unenrolment messages are now resent each time a user
is assigned or unassigned, rather than just the first time either of those
events occur.
All program messages are now covered by automated tests.
TL-9301 Fixed Face-to-face event functionality when the cancellationnote default custom field has been deleted
TL-9993 Fixed the display of images within textareas in Learning Plans and Record of Learning Evidence
TL-9994 Stopped the actions column from being included when exporting Other Evidence report in the Record of Learning
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Davo Smith at Synergy Learning - TL-10917
* Jo Jones at Kineo - TL-11157
Release 2.7.21 (22nd November 2016):
Important:
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. course and objectives) using just the component identifier
e.g. objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone *all*
components associated with it were removed. Hence the data loss.
The system now checks component type in addition to ID to prevent this
happening.
Security issues:
TL-10752 Implemented additional checks within the Appraisal review ajax script
TL-5178 Added a missing sesskey check to feedback/assignments.php
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
Improvements:
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
TL-9730 Allowed assign_user_position to manage roles in tests
Previously when running tests, role assignments had to be set up manually,
rather than using assign_user_position. Now, this function can set up the
roles during tests. This will improve testing, as the roles can now be set
up in tests using the same function that is used on live sites, rather than
having to simulate that functionality, avoiding possible discrepancies
between live code and test setup.
Bug fixes:
TL-10360 Competency completion calculations now correctly look at previously completed courses
Courses completed before the last time a competency is modified are now
correctly considered for competency assignment.
TL-10819 Added code to re-run an upgrade step to delete report data for deleted users
The issue was caused by TL-8711 and fixed by TL-10804.
TL-10837 Added workaround for iOS 10 bug causing problems with video playback
TL-10891 Fixed overactive validation of Face-to-face cutoff against dates
Previously when editing a Face-to-face event in which the current date was
already within the cutoff period, if you attempted to edit the event you
could not save because the cutoff was too close, even in situations when
you were not changing the dates or the cutoff.
Cutoff validation is now only applied when the dates are changing, or when
the cutoff period is changing.
TL-10901 Fixed missing course events from calendar when viewing all
Previously, many events were being excluded from the calendar when being
viewed by a user with the capability moodle/calendar:manageentries while
the site setting 'calendar_adminseesall' was turned on. To fix this, the
process of selecting events from courses to show in the calendar has been
improved. However, for performance reasons, there is still a limit on how
many courses have events shown in the calendar. This limit has been set at
50 courses by default. The limit can be adjusted using a new setting,
calendar_adminallcourseslimit. See config-dist.php for more information on
that setting.
TL-10910 Fixed required permissions for appraisals aggregate questions
TL-10955 Fixed database error when generating a report with search columns
TL-10972 Deleting a Face-to-face now correctly removes orphaned notification records
TL-11070 Fixed disabled Appraisal message entry fields
TL-11102 Fixed a timing issue in totara_core_webservice PHPUnit tests
TL-11118 Fixed the display of the Declare Interest button for past Face-to-face sessions
TL-11127 Fixed embedded images used within the description of a personal goal
Previously, when editing a personal goal which had an embedded image in its
description, the image would be broken within the editor.
It would, however, display correctly when viewing the personal goal.
It is now displayed correctly when editing as well.
TL-1944 Corrected move left / right feature in the Face-to-face activity menu on the course page
TL-9301 Fixed Face-to-face event functionality when the cancellationnote default custom field has been deleted
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Jo Jones at Kineo - TL-11157
Release 2.6.38 (22nd November 2016):
Important:
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. course and objectives) using just the component identifier
e.g. objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone *all*
components associated with it were removed. Hence the data loss.
The system now checks component type in addition to ID to prevent this
happening.
Security issues:
TL-10752 Implemented additional checks within the Appraisal review ajax script
TL-5174 Fixed access controls around feedback360 requests
TL-5178 Added a missing sesskey check to feedback/assignments.php
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
Improvements:
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
TL-9730 Allowed assign_user_position to manage roles in tests
Previously when running tests, role assignments had to be set up manually,
rather than using assign_user_position. Now, this function can set up the
roles during tests. This will improve testing, as the roles can now be set
up in tests using the same function that is used on live sites, rather than
having to simulate that functionality, avoiding possible discrepancies
between live code and test setup.
Bug fixes:
TL-10360 Competency completion calculations now correctly look at previously completed courses
Courses completed before the last time a competency is modified are now
correctly considered for competency assignment.
TL-10837 Added workaround for iOS 10 bug causing problems with video playback
TL-10955 Fixed database error when generating a report with search columns
TL-11065 Fixed zip archive handling edge case when using PHP 5.6
TL-11066 Backported compatibility fixes for PostgreSQL 9.5
TL-11127 Fixed embedded images used within the description of a personal goal
Previously, when editing a personal goal which had an embedded image in its
description, the image would be broken within the editor.
It would, however, display correctly when viewing the personal goal.
It is now displayed correctly when editing as well.
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Jo Jones at Kineo - TL-11157
Release 2.5.45 (22nd November 2016):
Important:
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. course and objectives) using just the component identifier
e.g. objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone *all*
components associated with it were removed. Hence the data loss.
The system now checks component type in addition to ID to prevent this
happening.
Security issues:
TL-10752 Implemented additional checks within the Appraisal review ajax script
TL-5174 Fixed access controls around feedback360 requests
TL-5178 Added a missing sesskey check to feedback/assignments.php
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
Improvements:
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
TL-9730 Allowed assign_user_position to manage roles in tests
Previously, when running tests, role assignments had to be set up manually
rather than by using assign_user_position. Now, this function can set up
the roles during tests. This improves testing: roles are set up in tests
with the same function that is used on live sites rather than by simulating
that functionality, which avoids possible discrepancies between live code
and test setup.
Bug fixes:
TL-10837 Added workaround for iOS 10 bug causing problems with video playback
TL-11065 Fixed zip archive handling edge case when using PHP 5.6
TL-11066 Backported compatibility fixes for PostgreSQL 9.5
TL-11127 Fixed embedded images used within the description of a personal goal
Previously, when editing a personal goal which had an embedded image in its
description, the image would be broken within the editor.
However, it would display correctly when viewing the personal goal.
It is now displayed correctly when editing as well.
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Jo Jones at Kineo - TL-11157
Release 2.4.47 (22nd November 2016):
Important:
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. courses and objectives) using just the component
identifier, e.g. the objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone, *all*
components associated with it were removed, hence the data loss.
The system now checks the component type in addition to the ID to prevent
this from happening.
Security issues:
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
Improvements:
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
Bug fixes:
TL-11065 Fixed zip archive handling edge case when using PHP 5.6
TL-11066 Backported compatibility fixes for PostgreSQL 9.5
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Jo Jones at Kineo - TL-11157
Release 2.2.53 (22nd November 2016):
Important:
TL-11157 Fixed data loss bug when learning plans are deleted under certain conditions
This bug occurs under very specific circumstances.
Due to the structure of the repository table involved, it is possible to
have relationship data from different learning plans and even different
components within the same learning plan co-existing within the same table.
Originally, the system deleted relationships between learning plan
components (e.g. courses and objectives) using just the component
identifier, e.g. the objective ID.
However, in very rare situations, it is possible for the table to hold
values from unrelated components which use the same identifier. When the
system deleted a component using this identifier value alone, *all*
components associated with it were removed, hence the data loss.
The system now checks the component type in addition to the ID to prevent
this from happening.
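The ID-only delete described under TL-11157, next to a delete that also checks the component type, as an added example that is not Totara's own code. The table name plan_relation, its columns and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (component1, itemid1, component2, itemid2).
# Objective 7 and competency 7 are unrelated items that share an ID.
SAMPLE_RELATIONS = [
    ("course", 5, "objective", 7),
    ("objective", 7, "competency", 3),
    ("competency", 7, "course", 5),
    ("course", 9, "competency", 7),
    ("course", 5, "competency", 3),
]


def make_db():
    """Build an in-memory copy of the hypothetical shared relation table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE plan_relation (id INTEGER PRIMARY KEY, "
        "component1 TEXT, itemid1 INTEGER, component2 TEXT, itemid2 INTEGER)"
    )
    db.executemany(
        "INSERT INTO plan_relation (component1, itemid1, component2, itemid2) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_RELATIONS,
    )
    return db


def remaining(db):
    """Return the surviving relations in insertion order."""
    sql = ("SELECT component1, itemid1, component2, itemid2 "
           "FROM plan_relation ORDER BY id")
    return db.execute(sql).fetchall()


def delete_by_id_only(db, itemid):
    """Old behaviour: match on the identifier alone, whatever its type."""
    db.execute("DELETE FROM plan_relation WHERE itemid1 = ? OR itemid2 = ?",
               (itemid, itemid))
    return remaining(db)


def delete_by_type_and_id(db, component, itemid):
    """Fixed behaviour: the component type must match as well as the ID."""
    db.execute(
        "DELETE FROM plan_relation WHERE (component1 = ? AND itemid1 = ?) "
        "OR (component2 = ? AND itemid2 = ?)",
        (component, itemid, component, itemid),
    )
    return remaining(db)
```

Deleting objective 7 by ID alone also removes the two competency 7 relations; with the type check they survive.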
Security issues:
TL-6615 Added a check for HTTP only cookies to the security report
The HTTP only cookies setting restricts access to cookies by client-side
scripts in supported browsers, making it more difficult to exploit any
potential XSS vulnerabilities.
Improvements:
TL-10681 Added an environment test for mbstring.func_overload to ensure it is not set
Multibyte function overloading is not compatible with Totara.
API changes:
TL-9726 Added the system requirements for upgrades to Totara 10dev
Contributions:
* Jo Jones at Kineo - TL-11157
