Totara Release Notes

Security releases for Totara Evergreen 20170621, 9.8, 2.9.20, 2.7.28, 2.6.45, 2.5.52, and 2.4.52 released 21st June 2017

 
by Sam Hemelryk, Tuesday 20 June 2017, 22:54
Totara group

Hello everyone,

The following versions of Totara Learn have now been released:
  • Evergreen 20170621
  • 9.8
  • 2.9.20
  • 2.7.28
  • 2.6.45
  • 2.5.52
  • 2.4.52
These versions do contain security fixes and for this reason we strongly recommend upgrading.
Each release also includes bug fixes and improvements. Thanks to the following people for their contributions to this release:

  • Artur Rietz at Webanywhere - TL-14271
  • Barry Oosthuizen at Learning Pool - TL-14445
  • Eugene Venter at Catalyst NZ - TL-10502, TL-9300
  • Francis Devine at Catalyst NZ - TL-14430
  • Michael Trio at Kineo UK - TL-14357
  • Russell England at Kineo US - TL-14144
Kind regards
Sam Hemelryk

Package Information
SHA1 Checksum  Size (M)  Package
5fa3e6509531dc2fc1a56fd0b814427f2fcf6a63 49M evergreen-20170621.tar.gz
6e171d704ec6fdf017166fab2235f2edcc46a913 53M totaralms-9.8.tar.gz
c0ec87b36d40ae90e14dd0b89de9fce537e4c8ea 49M totaralms-2.9.20.tar.gz
b61d714402b5a76f4cd26b9c3325f5519174698a 56M totaralms-2.7.28.tar.gz
f2985429f6a18e92790ba84136140804ff85c608 51M totaralms-2.6.45.tar.gz
3243d0d0ad9d6707b66f60fb07738d8b2277a7d6 44M totaralms-2.5.52.tar.gz
7f40e63269e8477fb59e8c27732c79e96472c7d7 32M totaralms-2.4.52.tar.gz

Release Evergreen (21st June 2017):

Security issues:

    TL-7289        Added environment check for XML External Entity Expansion

                   On upgrade or install, a check will be made to determine whether the
                   server's environment could be vulnerable to attackers including the
                   contents of external files via entities in user-supplied XML files. A
                   warning will only be shown if a vulnerability is identified. This check is
                   also available via the security report.


New features:

    TL-8169        Added placeholders to Appraisal messages

                   Appraisal messages can now use placeholders that will be replaced with the
                   relevant information immediately prior to sending the message.
                   Please review the in-product help when creating and editing appraisal
                   messages for a list of available placeholders.


Improvements:

    TL-6009        Added additional columns to the Previous Certifications report source

                   The following columns were added: Status, Renewal status, Progress
                   (displayed as a progress bar)
                   The following filters were added: Status, Renewal status

    TL-6553        Added "Time to complete" columns to the Course Completions report

                   Two new columns have been added to the Course Completions report:
                   * Time to complete (since start date)
                   * Time to complete (since enrol date)

    TL-7693        Changed the notification url when an Evidence Type is added/edited to the list of all Evidence Types
    TL-8939        Added audience member filter to all report sources that have user fields
    TL-9224        Improved consistency of program exception restrictions

                   Previously some Programs code was still being executed on users with
                   exceptions; those places now check for valid user assignments before
                   processing the users. Some places identified were the program completion
                   cron, the certification window opening cron, and the programs course
                   enrolment plugin.

    TL-9300        Updated the Date/time custom field so that it is not enabled by default

                   Making the Date/time custom fields disabled by default prevents the field
                   from being set inadvertently. When the custom field is marked as required
                   the field will always be enabled and default to the present date.

    TL-9775        Added Behat tests for Dynamic Audience Based Learning Plan creation
    TL-10502       Renamed Record of learning navigation block to "Learning" (from "Learning plans")
    TL-11264       Improved Atto editor autosave messaging and draft revert workflow

                   When a draft is automatically applied to an Editor, there is now a
                   page-level alert to let users know what has happened. In addition, the
                   default arrangement of toolbar icons now includes Undo/Redo which, when a
                   Draft is auto-applied, will toggle between original Database-saved content
                   and the Draft.

    TL-11323       Added HTML labels to inputs when creating and reviewing learning plans
    TL-11325       Added labels to the manage learning plan templates page
    TL-11444       Added table headings when showing current forum subscribers
    TL-12849       Improved alignment of the manage badges table
    TL-14187       New featured links blocks will now display without a border by default
    TL-14271       Fixed dynamic audience performance issue for user profile custom fields
    TL-14288       Added logs relating to program and certification assignment changes
    TL-14367       The login page now allows the configured registration plugin to control the onscreen signup message
    TL-14375       Embedded reports may now define custom required columns
    TL-14383       Improved performance of reportbuilder job assignment content restraints
    TL-14385       Added checks for missing program and certification completion records

                   The program and certification completion checkers have been extended to
                   detect missing and unneeded program and certification completion records.
                   Automated fixes have been provided to allow admins to correct these
                   problems. After upgrade, you should use the completion checker to fix all
                   "Files" category problems which are reported (if any). After all problems
                   on the site have been fixed, if new problems are discovered then they
                   should be reported to Totara support.

    TL-14429       Added support for relative dates in new forms in behat tests
    TL-14430       Converted the Reportbuilder source directory cache into a defined cache
    TL-14445       Added full details link to review items in Appraisals

                   When goals, objectives or competencies are selected for review in an
                   appraisal, a link will now be available which opens the full details of
                   that item in a new window. This link will only be shown if the user has
                   permission to view those details normally outside the appraisal.
                   
                   This feature has only been added for the aforementioned review types so
                   far.
                   
                   When adding items for review for any review questions, these items no
                   longer have their own collapsible header and will instead be collapsible
                   under the entire review question. Non-question elements such as fixed text,
                   fixed image and profile information also no longer have a collapsible
                   header as part of this change.
                   
                   For any custom themes that impact on Appraisals or Feedback 360, it is
                   recommended that you review the appearance of these areas following
                   upgrade.


Bug fixes:

    TL-10374       Fixed an Appraisal bug when trying to add a question without selecting a type
    TL-12672       Fixed a PHP notice when saving data in location and textarea unique custom fields
    TL-12769       Fixed disabling of multi-select custom fields when set to locked

                   There was an issue with multi-select custom fields when they were set to
                   locked. This would result in only the first check box being disabled or
                   none of the check boxes being disabled (this depended on the browser).

    TL-14048       Fixed a bug resulting in duplicate entries in the "Record of Learning: Courses" report source

                   Previously the "Record of Learning: Courses" report source would show
                   duplicate records if no Learning Plan columns had been added to the
                   report.
                   This has been fixed and the "Record of Learning: Courses" report source now
                   correctly eliminates duplicates.

    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara; however, this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin.
                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14144       Fixed ambiguous id column in course dialog when completion criteria is required
    TL-14161       Fixed location of dropdown arrow when editing tags
    TL-14224       Fixed the instance_config_save method in the featured links block
    TL-14251       Fixed the display order of goal scale values on the my goals page
    TL-14252       Fixed debug error when sending program messages with certain placeholders

                   Previously, if a program message (such as an enrolment message) was sent
                   out for a user who was enrolled via multiple methods, and the message used
                   the %completioncriteria% or %duedate% placeholders, a debugging error was
                   thrown. This has now been fixed.
                   
                   The %completioncriteria% placeholder was only designed to work when only
                   one enrolment method is in place for a user. Previously, the criteria
                   substituted into the email when a user did have multiple enrolment methods
                   was chosen randomly. Now the criteria will be taken from the enrolment with
                   the most recent assignment date/time.

    TL-14272       Fixed program and certification course enrolment suspension

                   Due to a recent change, users were being unenrolled from courses after
                   completing the primary certification path, when the courses were not part
                   of recertification. This has now been fixed, and any user enrolments
                   incorrectly suspended will be restored automatically by the "Clean
                   enrolment plugins" scheduled task. This patch also greatly improves the
                   performance of this task.

    TL-14289       Improved the layout when requesting a program extension from inside of a learning plan
    TL-14291       Fixed user unassignment from programs and certifications

                   This patch includes several changes to the way program and certification
                   completion records are handled when users are unassigned. It includes
                   a fix for a problem that could occur when users are reassigned. It also
                   ensures that program and certification completion records are correctly
                   archived when a user is deleted (with the possibility of being undeleted),
                   rather than being left active.

    TL-14301       Fixed validation of date form fields when nested inside a fieldset
    TL-14309       Fixed missing embedded fallback font causing error when viewing certificate
    TL-14315       Added HR Import check to ensure user's country code is two characters in length
    TL-14335       Backup annotation no longer tries to write to the temp table it is currently reading from

                   Backup annotation handling was opening a recordset to a temporary table,
                   annotating over the results and writing to the same table while the
                   recordset was still open.
                   This was causing significant performance issues and occasional failures on
                   MSSQL.
                   Only large complex backups would be affected.
                   This change removes the code sequence responsible, replacing it with batch
                   handling for the temp table.

    TL-14350       Fixed invalid program due date when a user is assigned with an exception

                   This patch includes automated fixes which can be triggered in the program
                   and certification completion editors to fix affected records.

    TL-14357       Fixed a problem with the self-enrolment method not allowing unauthenticated users to enrol in a course
    TL-14365       Added missing $PAGE->set_url() calls when setting up a single activity course wiki
    TL-14366       Fixed reference to renamed Feedback module table feedback_tracking
    TL-14369       Auth plugins may now define external setting pages that do not require site config capability
    TL-14371       Added missing use of format_string() in hierarchy filter text
    TL-14381       Ensured the hierarchy filter displays any saved selections on page reload
    TL-14387       Changes to Face-to-face (2.9.20) / Seminar (9.8, 10.0) notification templates now update unchanged notifications
    TL-14389       Improved the handling of incomplete AJAX requests when navigating away from a page
    TL-14390       Fixed inconsistency in icon markup on Report Builder columns when replaced via AJAX

                   The markup of the icons for Delete, Move up and Move down was different
                   when loading the page (after clicking "Save changes") and when the icons
                   were replaced via AJAX (e.g. when deleting a row).

    TL-14399       Fixed the "Manage searches" button in the Audience view report
    TL-14400       Form selection elements now accept integers in current values
    TL-14401       Removed incorrect link to the user profile in Report builder for missing data
    TL-14402       Type is not added automatically to embedded report columns with default heading
    TL-14411       Fixed reportbuilder exports for reports with embedded parameters
    TL-14414       Fixed auto-update of saved searches list in report table block editing form
    TL-14419       Fixed problems when restoring users to certifications

                   There were some rare circumstances where the incorrect data was being set
                   when a user was reassigned to a certification. The most common problem was
                   that the due date was missing on records that were in the "expired" state.
                   The cause of the various problems has been prevented. Records which have
                   already been affected can be identified using the certification completion
                   checker and corrected using the certification completion editor and/or
                   automated fixes.

    TL-14426       Fixed dialog scroll when adding "Fixed image" questions to an appraisal
    TL-14437       Added an automated fix for expired certifications missing a due date

                   An automated fix has been added to the certification completion editor.
                   When applied to expired completion records which are missing a due date, it
                   automatically sets the date to the latest certification completion history
                   expiry date which is before the current date. If no appropriate history
                   record is found then the due date must be set manually.

    TL-14447       Fixed double html escaping when searching for course names that include special characters
    TL-14672       Fixed permissions check for taking attendance within Face-to-face sessions (2.7.28, 2.9.20) / Seminar events (9.8, 10.0, Evergreen)

                   Previously it was not possible to submit Seminar attendance without the
                   mod/facetoface:addattendees or mod/facetoface:removeattendees permission.
                   Now mod/facetoface:takeattendance is enough.

    TL-14686       Fixed a typo in a variable name used in organisation file type custom fields
    TL-14690       Fixed error when creating a plan where a user has multiple jobs with duplicate position competencies.

API changes:

    TL-14413       Added two new methods to the DML to fetch recordsets and a total count at the same time

                   Two new methods have been added to the DML that allow for a recordset to be
                   fetched and simultaneously a total count returned in a single query.
                   The two new methods are:
                   * moodle_database::get_counted_recordset_sql
                   * moodle_database::get_counted_records_sql


Miscellaneous Moodle fixes:

    TL-14565       MDL-57658: Fixed calendar unit tests
    TL-14568       MDL-57429: Badges now uses the new openbadges authentication service
    TL-14571       MDL-57994: Fixed "Number of announcements" course setting not reloading correctly
    TL-14572       MDL-57254: Ensured Choice activity checks correctly when results should be displayed
    TL-14573       MDL-57419: Hitting enter no longer sends messages within the messaging interfaces
    TL-14575       MDL-37168: Fixed LTI activity quick edit title
    TL-14576       MDL-58273: Fixed incorrect capability name used when enabling and disabling LDAP enrolment instances
    TL-14579       MDL-58050: Fixed message transaction handling when the user has no messages
    TL-14586       MDL-58257: Fixed course search when search query contains a hyphen
    TL-14588       MDL-58160: Improved the performance of category caching
    TL-14589       MDL-58325: Changes to site text editor settings are recorded in the config log
    TL-14590       MDL-58227: Fixed error when getting most recently completed answers in feedback module
    TL-14592       MDL-58264: Fixed incorrect SQL syntax in question engine
    TL-14594       MDL-41809: Course grade items are now formatted using the course context
    TL-14595       MDL-55499: Forum emails are now formatted using the correct context
    TL-14598       MDL-58180: Ensured Statistics Role names are passed through the format_text function
    TL-14599       MDL-58104: Fixed assignment bug in which attempt settings disappear when switching between attempts in grader interface
    TL-14600       MDL-55939: Removed unnecessary permission check on site course during external service call
    TL-14601       MDL-56370: Added back ability to change answers in Feedback module when not anonymous
    TL-14602       MDL-57858: Fixed assignment bug in which a scale grade was not updated
    TL-14603       MDL-55950: Emails regarding completed feedbacks now link to only completed feedbacks
    TL-14605       MDL-58489: Fixed coding bug in the OAuth upgrade token process when the authentication server cannot be reached
    TL-14607       MDL-58461: Upgraded the MathJax library to use a fixed CDN version
    TL-14608       MDL-57616: Fixed drag and drop of media files to course page.
    TL-14609       MDL-58555: Included web service name when making ajax requests
    TL-14612       MDL-58171: Fixed use of multilang in Course participation report headers.
    TL-14613       MDL-58244: Improved the logout process when using Shibboleth for authentication
    TL-14616       MDL-58394: Fixed filter processing not respecting sort order in some cases
    TL-14619       MDL-58486: Fixed lingering references to unset user preferences on the current user object
    TL-14622       MDL-58559: Fixed a missing string error in the community block
    TL-14624       MDL-58116: Forum emails are no longer sent by the noreply email address when they shouldn't be
    TL-14626       MDL-58096: Optimised performance of Course statistics report when loading list of courses
    TL-14628       MDL-58278: Fixed assignment bug in which data was not saved when marking workflow state as not released
    TL-14633       MDL-58613: Prevented debug messages from being displayed in Workshop random allocation.
    TL-14634       MDL-58636: Fixed incorrect drag and drop constraint in course management
    TL-14636       MDL-57793: Improved Calendar repeating rule unit tests
    TL-14637       MDL-58556: Fixed LDAP authentication creating forced password change loop
    TL-14638       MDL-58668: Fixed how multi choice answers are processed in Lesson activity
    TL-14639       MDL-54849: Fixed the 'move to next question' option in the Lesson activity
    TL-14640       MDL-58691: Fixed define checking for external_settings used by web services
    TL-14641       MDL-58372: Fixed error when loading files via WebDAV
    TL-14642       MDL-57807: Fixed search in database activity when not selecting an option in a menu field type

                   When performing a search in the database activity, leaving the option on
                   "custom-select", which is the default option, would result in no results
                   being returned in the search. The change will now correctly return all
                   matching records, treating the unselected option for the menu as a wildcard.

    TL-14643       MDL-58698: JavaScript loads from language packs with 2 underscores (e.g. en_us_k12)
    TL-14644       MDL-58701: Used proper defaults for serving files when webserver is used in externallib constructor
    TL-14645       MDL-58628: Fixed incorrect values being returned by mod_quiz_get_quizzes_by_courses quiz webservice when quiz is closed
    TL-14650       MDL-55468: Added the option to export analysis to Excel back to the Feedback module
    TL-14651       MDL-57704: Stopped forcing SSLv3 in LTI provider

                   SSLv3 is considered outdated and insecure so we shouldn't be enforcing the
                   use of it.

    TL-14652       MDL-58172: Ensured responses export respects user identity fields setting and viewuseridentity capability
    TL-14653       MDL-58635: Ensured external blog edits belong to the current user.
    TL-14656       MDL-58650: Fixed messages being marked as read when user receives emails about them
    TL-14657       MDL-50670: Fixed some default options not being correctly applied with custom course formats
    TL-14658       MDL-58434: Correct display of user responses to numeric question type in Lessons.
    TL-14659       MDL-35913: Front page layout is set before any output is sent

                   In some rare occurrences, the front page layout was being set after some
                   code had been displayed. This fix ensures the layout is set before any
                   output is sent.

    TL-14660       MDL-58772: Prevented anonymous answers from being overwritten in feedback module
    TL-14663       MDL-58514: The assignment submission page and grading table now use consistent override logic 
    TL-14664       MDL-56675: Memcache is no longer used as the cache store in known bad configurations

                   There is a compatibility bug between the Memcached extension and the
                   Memcached server.
                   If you are using php-memcached extension > 3.0.1 and Memcached library >
                   1.4.22, the cache will not be purged when required if the configuration
                   has been configured to facilitate a shared cache.
                   As this could lead to stale caches, the code has been amended to prevent
                   the memcached cache store from being used in situations where we know it
                   is affected.

    TL-14665       MDL-58431: Fixed error in Lesson activity for the Jump to random content page option
    TL-14670       MDL-58259: Added permission check for adding attachments to forum posts via web services
    TL-14671       MDL-58807: The activity results block now correctly formats the activity name

Contributions:

    * Artur Rietz at Webanywhere - TL-14271
    * Barry Oosthuizen at Learning Pool - TL-14445
    * Eugene Venter at Catalyst NZ - TL-9300, TL-10502
    * Francis Devine at Catalyst NZ - TL-14430
    * Michael Trio at Kineo UK - TL-14357
    * Russell England at Kineo US - TL-14144

Release 9.8 (21st June 2017):

Security issues:

    TL-7289        Added environment check for XML External Entity Expansion

                   On upgrade or install, a check will be made to determine whether the
                   server's environment could be vulnerable to attackers including the
                   contents of external files via entities in user-supplied XML files. A
                   warning will only be shown if a vulnerability is identified. This check is
                   also available via the security report.
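
One way an environment check like the TL-7289 check described here (and in the Evergreen notes above) can be done is shown below. This is an added example and not Totara's own code; the function name, the canary-file approach and the POSIX-style temp path are assumptions. It needs PHP 7 or later with the DOM extension.

```php
<?php
// Added illustration, not Totara's code. All names here are hypothetical.

/**
 * Parse a constructed XML document whose DTD declares an external entity
 * pointing at a canary file created by this function, and report whether
 * the canary's contents ended up in the parsed document.
 *
 * @param int $options libxml option flags passed to DOMDocument::loadXML()
 * @return bool true if the external entity was expanded
 */
function xxe_canary_expanded(int $options = 0): bool {
    // Random marker so a match can only come from the canary file.
    $marker = 'xxe-canary-' . bin2hex(random_bytes(8));
    $canary = tempnam(sys_get_temp_dir(), 'xxe');
    if ($canary === false || file_put_contents($canary, $marker) === false) {
        throw new RuntimeException('Could not create canary file');
    }

    // Assumes a POSIX-style absolute path, giving a file:///tmp/... URI.
    $xml = '<?xml version="1.0"?>' . "\n"
         . '<!DOCTYPE r [<!ENTITY canary SYSTEM "file://' . $canary . '">]>' . "\n"
         . '<r>&canary;</r>';

    // Collect parser warnings internally instead of emitting them.
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $loaded = $doc->loadXML($xml, $options);
        $text = ($loaded && $doc->documentElement)
            ? $doc->documentElement->textContent
            : '';
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        unlink($canary);
    }

    return strpos($text, $marker) !== false;
}

// Check 1: the parser's default behaviour in this environment.
$defaultExpanded = xxe_canary_expanded(0);
// Check 2: behaviour when calling code requests entity substitution.
$noentExpanded = xxe_canary_expanded(LIBXML_NOENT);

printf("libxml2 version: %s\n", LIBXML_DOTTED_VERSION);
printf("Default options: %s\n", $defaultExpanded
    ? 'WARNING, external entities are expanded'
    : 'OK, external entities are not expanded');
printf("With LIBXML_NOENT: %s\n", $noentExpanded
    ? 'external entities are expanded, do not use this flag on user-supplied XML'
    : 'external entities are not expanded');
```

The first result reflects the environment itself; the second shows what happens if code parsing user-supplied XML opts in to entity substitution.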


Improvements:

    TL-9224        Improved consistency of program exception restrictions

                   Previously some Programs code was still being executed on users with
                   exceptions; those places now check for valid user assignments before
                   processing the users. Some places identified were the program completion
                   cron, the certification window opening cron, and the programs course
                   enrolment plugin.

    TL-9300        Updated the Date/time custom field so that it is not enabled by default

                   Making the Date/time custom fields disabled by default prevents the field
                   from being set inadvertently. When the custom field is marked as required
                   the field will always be enabled and default to the present date.

    TL-9775        Added Behat tests for Dynamic Audience Based Learning Plan creation
    TL-10502       Renamed Record of learning navigation block to "Learning" (from "Learning plans")
    TL-11264       Improved Atto editor autosave messaging and draft revert workflow

                   When a draft is automatically applied to an Editor, there is now a
                   page-level alert to let users know what has happened. In addition, the
                   default arrangement of toolbar icons now includes Undo/Redo which, when a
                   Draft is auto-applied, will toggle between original Database-saved content
                   and the Draft.

    TL-11325       Added labels to the manage learning plan templates page
    TL-11444       Added table headings when showing current forum subscribers
    TL-14271       Fixed dynamic audience performance issue for user profile custom fields
    TL-14288       Added logs relating to program and certification assignment changes
    TL-14367       The login page now allows the configured registration plugin to control the onscreen signup message
    TL-14375       Embedded reports may now define custom required columns
    TL-14383       Improved performance of reportbuilder job assignment content restraints
    TL-14385       Added checks for missing program and certification completion records

                   The program and certification completion checkers have been extended to
                   detect missing and unneeded program and certification completion records.
                   Automated fixes have been provided to allow admins to correct these
                   problems. After upgrade, you should use the completion checker to fix all
                   "Files" category problems which are reported (if any). After all problems
                   on the site have been fixed, if new problems are discovered then they
                   should be reported to Totara support.

    TL-14429       Added support for relative dates in new forms in behat tests
    TL-14430       Converted the Reportbuilder source directory cache into a defined cache
    TL-14445       Added full details link to review items in Appraisals

                   When goals, objectives or competencies are selected for review in an
                   appraisal, a link will now be available which opens the full details of
                   that item in a new window. This link will only be shown if the user has
                   permission to view those details normally outside the appraisal.
                   
                   This feature has only been added for the aforementioned review types so
                   far.
                   
                   When adding items for review for any review questions, these items no
                   longer have their own collapsible header and will instead be collapsible
                   under the entire review question. Non-question elements such as fixed text,
                   fixed image and profile information also no longer have a collapsible
                   header as part of this change.
                   
                   For any custom themes that impact on Appraisals or Feedback 360, it is
                   recommended that you review the appearance of these areas following
                   upgrade.


Bug fixes:

    TL-10374       Fixed an Appraisal bug when trying to add a question without selecting a type
    TL-12672       Fixed a PHP notice when saving data in location and textarea unique custom fields
    TL-12769       Fixed disabling of multi-select custom fields when set to locked

                   There was an issue with multi-select custom fields when they were set to
                   locked. This would result in only the first check box being disabled or
                   none of the check boxes being disabled (this depended on the browser).

    TL-14048       Fixed a bug resulting in duplicate entries in the "Record of Learning: Courses" report source

                   Previously the "Record of Learning: Courses" report source would show
                   duplicate records if no Learning Plan columns had been added to the
                   report.
                   This has been fixed and the "Record of Learning: Courses" report source now
                   correctly eliminates duplicates.

    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara; however, this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin.
                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14144       Fixed ambiguous id column in course dialog when completion criteria is required
    TL-14251       Fixed the display order of goal scale values on the my goals page
    TL-14252       Fixed debug error when sending program messages with certain placeholders

                   Previously, if a program message (such as enrolment message) was sent out
                   for a user who was enrolled via multiple methods, and the message used the
                   %completioncriteria% or %duedate% placeholders, a debugging error was
                   thrown. This has now been fixed.
                   
                   The %completioncriteria% placeholder was only designed to work when only
                   one enrolment method is in place for a user. Previously, the criteria
                   substituted into the email when a user did have multiple enrolment methods
                   was chosen randomly. Now the criteria will be taken from the enrolment with
                   the most recent assignment date/time.

    TL-14272       Fixed program and certification course enrolment suspension

                   Due to a recent change, users were being unenrolled from courses after
                   completing the primary certification path, when the courses were not part
                   of recertification. This has now been fixed, and any user enrolments
                   incorrectly suspended will be restored automatically by the "Clean
                   enrolment plugins" scheduled task. This patch also greatly improves the
                   performance of this task.

    TL-14289       Improved the layout when requesting a program extension from inside of a learning plan
    TL-14291       Fixed user unassignment from programs and certifications

                   This patch includes several changes to the way program and certification
                   completion records are handled when users are unassigned. It includes
                   a fix for a problem that could occur when users are reassigned. It also
                   ensures that program and certification completion records are correctly
                   archived when a user is deleted (with the possibility of being undeleted),
                   rather than being left active.

    TL-14309       Fixed missing embedded fallback font causing error when viewing certificate
    TL-14315       Added HR Import check to ensure user's country code is two characters in length
    TL-14335       Backup annotation no longer tries to write to the temp table it is currently reading from

                   Backup annotation handling was opening a recordset to a temporary table,
                   annotating over the results and writing to the same table while the
                   recordset was still open.
                   This was causing significant performance issues and occasional failures on
                   MSSQL.
                   Only large complex backups would be affected.
                   This change removes the code sequence responsible, replacing it with batch
                   handling for the temp table.

    TL-14350       Fixed invalid program due date when a user is assigned with an exception

                   This patch includes automated fixes which can be triggered in the program
                   and certification completion editors to fix affected records.

    TL-14357       Fixed a problem with the self-enrolment method not allowing unauthenticated users to enrol in a course
    TL-14365       Added missing $PAGE->set_url() calls when setting up a single activity course wiki
    TL-14369       Auth plugins may now define external setting pages that do not require site config capability
    TL-14371       Added missing use of format_string() in hierarchy filter text
    TL-14381       Ensured the hierarchy filter displays any saved selections on page reload
    TL-14387       Changes to Face-to-face (2.9.20) / Seminar (9.8, 10.0) notification templates now update unchanged notifications
    TL-14389       Improved the handling of incomplete AJAX requests when navigating away from a page
    TL-14390       Fixed inconsistency in icon markup on Report Builder columns when replaced via AJAX

                   The markup of the icons for Delete, Move up and Move down were different
                   when loading the page (after clicking "Save changes") and when the icons
                   were replaced via AJAX (e.g. when deleting a row).

    TL-14399       Fixed the "Manage searches" button in the Audience view report
    TL-14400       Form selection elements now accept integers in current values
    TL-14401       Removed incorrect link to the user profile in Report builder for missing data
    TL-14411       Fixed reportbuilder exports for reports with embedded parameters
    TL-14414       Fixed auto-update of saved searches list in report table block editing form
    TL-14419       Fixed problems when restoring users to certifications

                   There were some rare circumstances where the incorrect data was being set
                   when a user was reassigned to a certification. The most common problem was
                   that the due date was missing on records that were in the "expired" state.
                   The cause of the various problems has been prevented. Records which have
                   already been affected can be identified using the certification completion
                   checker and corrected using the certification completion editor and/or
                   automated fixes - see TL-14437.

    TL-14426       Fixed dialog scroll when adding "Fixed image" questions to an appraisal
    TL-14437       Added an automated fix for expired certifications missing a due date

                   An automated fix has been added to the certification completion editor.
                   When applied to expired completion records which are missing a due date, it
                   automatically sets the date to the latest certification completion history
                   expiry date which is before the current date. If no appropriate history
                   record is found then the due date must be set manually.

    TL-14447       Fixed double HTML escaping when searching for course names that include special characters
    TL-14672       Fixed permissions check for taking attendance within Face-to-face sessions (2.7.28, 2.9.20) / Seminar events (9.8, 10.0, Evergreen)

                   Previously, Seminar attendance could not be submitted without the
                   mod/facetoface:addattendees or mod/facetoface:removeattendees permission.
                   Now mod/facetoface:takeattendance is enough.

    TL-14686       Fixed a typo in a variable name used in organisation file type custom fields
    TL-14690       Fixed error when creating a plan where a user has multiple jobs with duplicate position competencies.

API changes:

    TL-14413       Added two new methods to the DML to fetch recordsets and a total count at the same time

                   Two new methods have been added to the DML that allow for a recordset to be
                   fetched and simultaneously a total count returned in a single query.
                   The two new methods are:
                   * moodle_database::get_counted_recordset_sql
                   * moodle_database::get_counted_records_sql


Contributions:

    * Artur Rietz at Webanywhere - TL-14271
    * Barry Oosthuizen at Learning Pool - TL-14445
    * Eugene Venter at Catalyst NZ - TL-9300, TL-10502
    * Francis Devine at Catalyst NZ - TL-14430
    * Michael Trio at Kineo UK - TL-14357
    * Russell England at Kineo US - TL-14144

Release 2.9.20 (21st June 2017):

Security issues:

    TL-7289        Added environment check for XML External Entity Expansion

                   On upgrade or install, a check will be made to determine whether the
                   server's environment could be vulnerable to attackers including the
                   contents of external files via entities in user-supplied XML files. A
                   warning will only be shown if a vulnerability is identified. This check is
                   also available via the security report.


Improvements:

    TL-9224        Improved consistency of program exception restrictions

                   Previously some Programs code was still being executed on users with
                   exceptions. Those places now check for valid user assignments before
                   processing the users. The places identified include the program completion
                   cron, the certification window opening cron, and the programs course
                   enrolment plugin.

    TL-9300        Updated the Date/time custom field so that it is not enabled by default

                   Making the Date/time custom fields disabled by default prevents the field
                   from being set inadvertently. When the custom field is marked as required
                   the field will always be enabled and default to the present date.

    TL-10502       Renamed Record of learning navigation block to "Learning" (from "Learning plans")
    TL-11264       Improved Atto editor autosave messaging and draft revert workflow

                   When a draft is automatically applied to an Editor, there is now a
                   page-level alert to let users know what has happened. In addition, the
                   default arrangement of toolbar icons now includes Undo/Redo which, when a
                   Draft is auto-applied, will toggle between original Database-saved content
                   and the Draft.

    TL-14288       Added logs relating to program and certification assignment changes
    TL-14385       Added checks for missing program and certification completion records

                   The program and certification completion checkers have been extended to
                   detect missing and unneeded program and certification completion records.
                   Automated fixes have been provided to allow admins to correct these
                   problems. After upgrade, you should use the completion checker to fix all
                   "Files" category problems which are reported (if any). After all problems
                   on the site have been fixed, if new problems are discovered then they
                   should be reported to Totara support.


Bug fixes:

    TL-10374       Fixed an Appraisal bug when trying to add a question without selecting a type
    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara, however this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin if they are not required. 
                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14144       Fixed ambiguous id column in course dialog when completion criteria is required
    TL-14251       Fixed the display order of goal scale values on the my goals page
    TL-14252       Fixed debug error when sending program messages with certain placeholders

                   Previously, if a program message (such as enrolment message) was sent out
                   for a user who was enrolled via multiple methods, and the message used the
                   %completioncriteria% or %duedate% placeholders, a debugging error was
                   thrown. This has now been fixed.
                   
                   The %completioncriteria% placeholder was only designed to work when only
                   one enrolment method is in place for a user. Previously, the criteria
                   substituted into the email when a user did have multiple enrolment methods
                   was chosen randomly. Now the criteria will be taken from the enrolment with
                   the most recent assignment date/time.

    TL-14272       Fixed program and certification course enrolment suspension

                   Due to a recent change, users were being unenrolled from courses after
                   completing the primary certification path, when the courses were not part
                   of recertification. This has now been fixed, and any user enrolments
                   incorrectly suspended will be restored automatically by the "Clean
                   enrolment plugins" scheduled task. This patch also greatly improves the
                   performance of this task.

    TL-14291       Fixed user unassignment from programs and certifications

                   This patch includes several changes to the way program and certification
                   completion records are handled when users are unassigned. It includes
                   a fix for a problem that could occur when users are reassigned. It also
                   ensures that program and certification completion records are correctly
                   archived when a user is deleted (with the possibility of being undeleted),
                   rather than being left active.

    TL-14309       Fixed missing embedded fallback font causing error when viewing certificate
    TL-14335       Backup annotation no longer tries to write to the temp table it is currently reading from

                   Backup annotation handling was opening a recordset to a temporary table,
                   annotating over the results and writing to the same table while the
                   recordset was still open.
                   This was causing significant performance issues and occasional failures on
                   MSSQL.
                   Only large complex backups would be affected.
                   This change removes the code sequence responsible, replacing it with batch
                   handling for the temp table.

    TL-14350       Fixed invalid program due date when a user is assigned with an exception

                   This patch includes automated fixes which can be triggered in the program
                   and certification completion editors to fix affected records.

    TL-14351       Ensured all images in appraisal print previews are responsive
    TL-14371       Added missing use of format_string() in hierarchy filter text
    TL-14387       Changes to Face-to-face (2.9.20) / Seminar (9.8, 10.0) notification templates now update unchanged notifications
    TL-14389       Improved the handling of incomplete AJAX requests when navigating away from a page
    TL-14399       Fixed the "Manage searches" button in the Audience view report
    TL-14411       Fixed reportbuilder exports for reports with embedded parameters
    TL-14419       Fixed problems when restoring users to certifications

                   There were some rare circumstances where the incorrect data was being set
                   when a user was reassigned to a certification. The most common problem was
                   that the due date was missing on records that were in the "expired" state.
                   The cause of the various problems has been prevented. Records which have
                   already been affected can be identified using the certification completion
                   checker and corrected using the certification completion editor and/or
                   automated fixes - see TL-14437.

    TL-14426       Fixed dialog scroll when adding "Fixed image" questions to an appraisal
    TL-14437       Added an automated fix for expired certifications missing a due date

                   An automated fix has been added to the certification completion editor.
                   When applied to expired completion records which are missing a due date, it
                   automatically sets the date to the latest certification completion history
                   expiry date which is before the current date. If no appropriate history
                   record is found then the due date must be set manually.

    TL-14447       Fixed double HTML escaping when searching for course names that include special characters
    TL-14672       Fixed permissions check for taking attendance within Face-to-face sessions (2.7.28, 2.9.20) / Seminar events (9.8, 10.0, Evergreen)

                   Previously, Seminar attendance could not be submitted without the
                   mod/facetoface:addattendees or mod/facetoface:removeattendees permission.
                   Now mod/facetoface:takeattendance is enough.

    TL-14708       Fixed course id for the notifications when restoring a Face-to-face

API changes:

    TL-14413       Added two new methods to the DML to fetch recordsets and a total count at the same time

                   Two new methods have been added to the DML that allow for a recordset to be
                   fetched and simultaneously a total count returned in a single query.
                   The two new methods are:
                   * moodle_database::get_counted_recordset_sql
                   * moodle_database::get_counted_records_sql


Contributions:

    * Eugene Venter at Catalyst NZ - TL-9300, TL-10502
    * Russell England at Kineo US - TL-14144

Release 2.7.28 (21st June 2017):

Security issues:

    TL-7289        Added environment check for XML External Entity Expansion

                   On upgrade or install, a check will be made to determine whether the
                   server's environment could be vulnerable to attackers including the
                   contents of external files via entities in user-supplied XML files. A
                   warning will only be shown if a vulnerability is identified. This check is
                   also available via the security report.


Improvements:

    TL-9224        Improved consistency of program exception restrictions

                   Previously some Programs code was still being executed on users with
                   exceptions. Those places now check for valid user assignments before
                   processing the users. The places identified include the program completion
                   cron, the certification window opening cron, and the programs course
                   enrolment plugin.

    TL-14385       Added checks for missing program and certification completion records

                   The program and certification completion checkers have been extended to
                   detect missing and unneeded program and certification completion records.
                   Automated fixes have been provided to allow admins to correct these
                   problems. After upgrade, you should use the completion checker to fix all
                   "Files" category problems which are reported (if any). After all problems
                   on the site have been fixed, if new problems are discovered then they
                   should be reported to Totara support.


Bug fixes:

    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara, however this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin if they are not required. 
                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14272       Fixed program and certification course enrolment suspension

                   Due to a recent change, users were being unenrolled from courses after
                   completing the primary certification path, when the courses were not part
                   of recertification. This has now been fixed, and any user enrolments
                   incorrectly suspended will be restored automatically by the "Clean
                   enrolment plugins" scheduled task. This patch also greatly improves the
                   performance of this task.

    TL-14291       Fixed user unassignment from programs and certifications

                   This patch includes several changes to the way program and certification
                   completion records are handled when users are unassigned. It includes
                   a fix for a problem that could occur when users are reassigned. It also
                   ensures that program and certification completion records are correctly
                   archived when a user is deleted (with the possibility of being undeleted),
                   rather than being left active.

    TL-14335       Backup annotation no longer tries to write to the temp table it is currently reading from

                   Backup annotation handling was opening a recordset to a temporary table,
                   annotating over the results and writing to the same table while the
                   recordset was still open.
                   This was causing significant performance issues and occasional failures on
                   MSSQL.
                   Only large complex backups would be affected.
                   This change removes the code sequence responsible, replacing it with batch
                   handling for the temp table.

    TL-14350       Fixed invalid program due date when a user is assigned with an exception

                   This patch includes automated fixes which can be triggered in the program
                   and certification completion editors to fix affected records.

    TL-14399       Fixed the "Manage searches" button in the Audience view report
    TL-14419       Fixed problems when restoring users to certifications

                   There were some rare circumstances where the incorrect data was being set
                   when a user was reassigned to a certification. The most common problem was
                   that the due date was missing on records that were in the "expired" state.
                   The cause of the various problems has been prevented. Records which have
                   already been affected can be identified using the certification completion
                   checker and corrected using the certification completion editor and/or
                   automated fixes - see TL-14437.

    TL-14426       Fixed dialog scroll when adding "Fixed image" questions to an appraisal
    TL-14437       Added an automated fix for expired certifications missing a due date

                   An automated fix has been added to the certification completion editor.
                   When applied to expired completion records which are missing a due date, it
                   automatically sets the date to the latest certification completion history
                   expiry date which is before the current date. If no appropriate history
                   record is found then the due date must be set manually.

    TL-14672       Fixed permissions check for taking attendance within Face-to-face sessions (2.7.28, 2.9.20) / Seminar events (9.8, 10.0, Evergreen)

                   Previously, Seminar attendance could not be submitted without the
                   mod/facetoface:addattendees or mod/facetoface:removeattendees permission.
                   Now mod/facetoface:takeattendance is enough.

    TL-14708       Fixed course id for the notifications when restoring a Face-to-face

API changes:

    TL-14413       Added two new methods to the DML to fetch recordsets and a total count at the same time

                   Two new methods have been added to the DML that allow for a recordset to be
                   fetched and simultaneously a total count returned in a single query.
                   The two new methods are:
                   * moodle_database::get_counted_recordset_sql
                   * moodle_database::get_counted_records_sql


Release 2.6.45 (21st June 2017):

Security issues:

    TL-7289        Added environment check for XML External Entity Expansion

                   On upgrade or install, a check will be made to determine whether the
                   server's environment could be vulnerable to attackers including the
                   contents of external files via entities in user-supplied XML files. A
                   warning will only be shown if a vulnerability is identified. This check is
                   also available via the security report.


Improvements:

    TL-9224        Improved consistency of program exception restrictions

                   Previously some Programs code was still being executed on users with
                   exceptions. Those places now check for valid user assignments before
                   processing the users. The places identified include the program completion
                   cron, the certification window opening cron, and the programs course
                   enrolment plugin.

    TL-14385       Added checks for missing program and certification completion records

                   The program and certification completion checkers have been extended to
                   detect missing and unneeded program and certification completion records.
                   Automated fixes have been provided to allow admins to correct these
                   problems. After upgrade, you should use the completion checker to fix all
                   "Files" category problems which are reported (if any). After all problems
                   on the site have been fixed, if new problems are discovered then they
                   should be reported to Totara support.


Bug fixes:

    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara, however this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin if they are not required. 
                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14291       Fixed user unassignment from programs and certifications

                   This patch includes several changes to the way program and certification
                   completion records are handled when users are unassigned. It includes
                   a fix for a problem that could occur when users are reassigned. It also
                   ensures that program and certification completion records are correctly
                   archived when a user is deleted (with the possibility of being undeleted),
                   rather than being left active.

    TL-14350       Fixed invalid program due date when a user is assigned with an exception

                   This patch includes automated fixes which can be triggered in the program
                   and certification completion editors to fix affected records.

    TL-14399       Fixed the "Manage searches" button in the Audience view report
    TL-14419       Fixed problems when restoring users to certifications

                   There were some rare circumstances where the incorrect data was being set
                   when a user was reassigned to a certification. The most common problem was
                   that the due date was missing on records that were in the "expired" state.
                   The cause of the various problems has been prevented. Records which have
                   already been affected can be identified using the certification completion
                   checker and corrected using the certification completion editor and/or
                   automated fixes.

    TL-14708       Fixed course id for the notifications when restoring a Face-to-face

API changes:

    TL-14413       Added two new methods to the DML to fetch recordsets and a total count at the same time

                   Two new methods have been added to the DML that allow for a recordset to be
                   fetched and simultaneously a total count returned in a single query.
                   The two new methods are:
                   * moodle_database::get_counted_recordset_sql
                   * moodle_database::get_counted_records_sql


Release 2.5.52 (21st June 2017):

Improvements:

    TL-9224        Improved consistency of program exception restrictions

                   Previously some Programs code was still being executed on users with
                   exceptions. Those places now check for valid user assignments before
                   processing the users. The places identified include the program completion
                   cron, the certification window opening cron, and the programs course
                   enrolment plugin.

    TL-14385       Added checks for missing program and certification completion records

                   The program and certification completion checkers have been extended to
                   detect missing and unneeded program and certification completion records.
                   Automated fixes have been provided to allow admins to correct these
                   problems. After upgrade, you should use the completion checker to fix all
                   "Files" category problems which are reported (if any). After all problems
                   on the site have been fixed, if new problems are discovered then they
                   should be reported to Totara support.


Bug fixes:

    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara, however this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin if they are not required. 
                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14291       Fixed user unassignment from programs and certifications

                   This patch includes several changes to the way program and certification
                   completion records are handled when users are unassigned. It includes
                   a fix for a problem that could occur when users are reassigned. It also
                   ensures that program and certification completion records are correctly
                   archived when a user is deleted (with the possibility of being undeleted),
                   rather than being left active.

    TL-14350       Fixed invalid program due date when a user is assigned with an exception

                   This patch includes automated fixes which can be triggered in the program
                   and certification completion editors to fix affected records.

    TL-14419       Fixed problems when restoring users to certifications

                   There were some rare circumstances where incorrect data was being set
                   when a user was reassigned to a certification. The most common problem was
                   that the due date was missing on records that were in the "expired" state.
                   The causes of these problems have been fixed. Records which have
                   already been affected can be identified using the certification completion
                   checker and corrected using the certification completion editor and/or
                   automated fixes.

    TL-14708       Fixed course id for the notifications when restoring a Face-to-face

Release 2.4.52 (21st June 2017):

Bug fixes:

    TL-14140       Fixed security report check for whether Flash animation is enabled

                   The security report was checking for an outdated config setting when
                   checking whether Flash animation (using swf files) was enabled. The correct
                   config setting is now checked.
                   
                   Flash animation is no longer enabled by default on new installations of
                   Totara; however, this is not changed during upgrade for existing sites. If
                   Flash animation is not required on your site, you are encouraged to review
                   the security report and disable Flash animation and/or the Multimedia
                   plugin.

                   Flash animations, when enabled, could only be added by trusted users who
                   had capabilities marked with XSS risk.

    TL-14708       Fixed course id for the notifications when restoring a Face-to-face