Hello everyone, The following versions of Totara have now been released:
(Edited by Tom Wood - original submission Wednesday, 19 July 2017, 8:52 PM)
| SHA1 Checksum | Size (M) | Package |
|---|---|---|
a7ad2b6bbbfab3eaac0cf254cdc3873bf115ceb5 |
50M | evergreen-20170719.tar.gz |
7433d3ab4e7ab963bdd7cbc54939c6854ad0c20f |
53M | totaralms-9.9.tar.gz |
d12195f3bb707f8d5c7704267054578d0c691f68 |
49M | totaralms-2.9.21.tar.gz |
177a6ff8ffab32b179400ced8ae6af0bb397b065 |
56M | totaralms-2.7.29.tar.gz |
5a33c9ad4230c940b133e9aa84e103fe4faa35e0 |
51M | totaralms-2.6.46.tar.gz |
56c4bb963288b2a8feb256f43168a2ba0860f193 |
44M | totaralms-2.5.53.tar.gz |
ae45e75a876f35f44da4bead5074a96296b359ea |
32M | totaralms-2.4.53.tar.gz |
ad1050f3bbf629ab4270a6b1b565354754e3d9fe |
26M | totaralms-2.2.58.tar.gz |
Important:
TL-14731 The Intl PHP extension is now required
TL-14941 Having MySQL configured with mysql_large_prefix is now recommended
Security issues:
TL-9391 Made file access in programs stricter
Restricted File access in programs to:
* Users that are not logged in cannot see any files in programs.
* Users who are not assigned can only see the summary and overview files
* Only users who can view hidden programs can see the files in programs
that are not visible
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used, entries recorded to the logs for
failed log in attempts included the supplied password in plain text. This
is no longer recorded.
Performance improvement:
TL-2821 Capability to configure a second database connection for Report Builder
It is now possible to configure a second database connection for use by
Report Builder.
The purpose of this secondary connection is so that you can direct the main
Report Builder queries at a read-only database clone.
The upside of which is that you can isolate the database access related
performance cost of Report Builder to an isolated database server.
This in turn prevents the expensive report builder queries from being
executed on the primary database, hopefully leading to a better user
experience on high concurrency sites.
These settings should be considered highly advanced.
Support cannot be provided on configuring a read only slave, you will need
in house expertise to achieve this.
Those wishing to use the second database connection can find instructions
for it within config-dist.php.
TL-6834 Improved the performance of Report Builder reports by avoiding unnecessary count queries
Previously when displaying a report in the browser the report query would
be executed either two or three times.
Once to get the filtered count of results.
Potentially once more to get the unfiltered count of results.
Once to get the first page of data.
The report page, and all embedded reports now use a new counted recordset
query that gives the first page of data and the filtered count of results
in a single query, preventing the need to run the expensive report query to
get the filtered count.
Additionally TL-14791 prevents the need to run the query to get the
unfiltered count unless the site administrator has explicitly requested it
and the report creator explicitly turned it on for that report.
This reduction of expensive queries greatly improves the performance of
viewing a report in the browser.
TL-14237 Fixed an SQL error when caching a report with Job Assignment fields
Removed an issue where caching of a report failed due to the SQL failing.
This is only for the User's Position(s), User's Organisation(s), User's
Manager(s) and User's Appraiser(s) filters.
TL-14398 Report Builder source caching is now user specific
Previously the Report Builder source cache was shared between users.
When scheduled reports were being run this could lead to several issues,
notably incorrect results when applying filters, and performance issues.
The cache is now user specific. This consumes more memory but fixes the
user specific scheduled reports and improves overall performance when
generating scheduled reports created by many users.
TL-14421 Improved the performance of the Site log report source when the event name filter was available
The "Event name" filter has been changed from an option selector to a
freetext filter improving the performance of the site log report.
TL-14432 Improved performance when generating report caches for reports with text based columns
Previously all fields within a Report Builder cache had an index created
upon them.
This included both text and blob type fields and duly could lead to
degraded performance or even failure when trying to populate a Report
Builder cache.
As of this release indexes are no longer created for text or blob type
columns.
This may slow down the export of a full cached report on some databases if
the report contains many text or blob columns, but will greatly improve the
overall performance of the cache generation and help avoid memory
limitations in all databases.
TL-14724 Improved aggregation of custom fields within Report Builder reports
Previously it was not possible to aggregate custom user profile field
columns in Report Builder reports.
It is now possible, providing the fields are set as visible to everyone.
TL-14744 Fixed a JavaScript bug within the enhanced course catalog when no filters are available
TL-14761 New better performing Job columns
Several new Job columns have been added to the available user columns in
reports that can include user columns.
The new Job columns can be found under the "User" option group, the
available columns are as follows:
* User's Position Name(s)
* User's Position ID Numbers(s)
* User's Organisation Name(s)
* User's Organisation ID Numbers(s)
* User's Manager Name(s)
* User's Appraiser Name(s)
* User's Temporary Manager Name(s)
* Job assignments
There are already several Job columns available in many sources, however
they operate slightly differently and perform very poorly on large sites.
The new columns have nearly the same result, but are calculated much more
quickly. In testing they were between 70-90% faster than the current
columns.
There is only one difference between the new and old columns and that is
how they are sorted when the user had multiple jobs.
The old columns all sorted the information in the column by the Job sort
order. This meant that all of the old columns were sorted in the same way
and the information aligned across multiple columns.
The new columns sort the data alphabetically, which means that when viewing
multiple columns the first organisation and the first position may not
belong to the same Job.
We strongly recommend that all reports use the new columns.
This needs to be done manually by changing from the Job columns shown under
"All User's Job Assignments" to those appearing under "User".
If you must use the old columns please be aware that performance,
particularly on MySQL and MSSQL could be a major issue on large sites.
The old fields are now deprecated and will be removed after the release of
Totara 10.
TL-14780 Fixed the unnecessary use of LIKE within course category filter multichoice
The course category multichoice filter was unnecessarily using like for
category path conditions.
It can use = and has been converted to do so, improving the overall
performance of the report when this filter is in use.
TL-14791 Report Builder reports no longer show a total count by default
The total unfiltered count of records is no longer shown alongside the
filtered count in Report Builder reports.
If you want this functionality back then you must first turn on "Allow
Report Builder reports to show Total Count" at the site level, and then for
each report where you want it displayed edit the report and turn on
"Display a Total Count of records" (found under the Performance tab).
Please be aware that for performance reasons we recommend you leave these
settings off.
TL-14793 Filters which are not compatible with report caching can now prevent report caching
Previously filters that were not compatible with report caching, such as
those filters using correlated subqueries, could be added to a report and
report caching turned on.
This either lead to an error or poor performance.
When such a filter is in use in a report, report caching is now prevented.
TL-14816 Added detection of filters that prevent report caching
Report Builder now reviews the filters that are being used on a report that
is configured to be cached before attempting to generate the cache in order
to check if the filter is compatible with caching.
If the filter is not compatible with caching then the report will not use
caching.
This prevents errors being encountered when trying to filter a cached
report for filters that are not compatible with caching.
TL-14824 Improved the performance of the Site logs report source
Several columns in the Site logs report source were requiring additional
fields that did not perform well, and were not actually required for the
display of the columns in the report.
These additional fields have been removed, improving the performance of the
Site logs report source.
New features:
TL-11096 New signup with approval authentication plugin
Thanks to Learning Pool for providing an initial plugin which informed the
design of this piece of work.
The new auth_approved plugin is similar to the existing auth_email plugin.
However, the auth_approved plugin has an approval process in which the
applicant gets a system access only if an approver approves of the signup.
The approver is any system user that has the new auth/approved:approve
capability. In addition, if the user also has the
totara/hierarchy:assignuserposition capability, he can change the
organisation/position/manager details that the applicant provided in his
signup.
The new plugin also has features to bulk approve or reject signups as well
as send custom emails to potential system users.
Finally, the new plugin also defines a report source that can be used as a
basis for custom reports.
Improvements:
TL-5375 Added partial sync capability for Organisations and Positions to HR Import
It is now possible to import a position or organisation file that doesn't
contain all records. This is controlled by the "Source contains all
records" setting on the settings page for the element.
If "Source contains all records" is set to "No" for Organisations or
Positions then the deleted column is required in the source. For new
installs the default for this setting is "No".
TL-7648 Ensured that required database source fields are always listed for HR Import
TL-7699 Multi Select custom fields can now have multiple values set when used via HR Import
Multiple values can now be used for adding data to Multi Select' custom
fields when used with HR Import. The values need to be separated by a comma
(,). Where the value contains a comma, use single quotes (') around the
value.
TL-9342 Time created and time modified are now recorded for Learning Plans
We now record the time a Learning Plan was created, and when it was last
modified.
Two new columns have been added to Report Builder reports to display this
information.
Please be aware that this information is only available for Learning Plans
created or modified after upgrading to this version of Totara.
TL-10216 Added Event start and finish time columns to Seminar Events report source
TL-11295 Added accessibility link text to the previous program completions column when viewing a user's record of learning
TL-12391 User Time Modified column output modified to improve accuracy and add a 'no date' filter.
A number of Report Builder additions and changes have been made to address
some clients requirements and improve the data available. In this change,
the behaviour of User Time Modified has been altered to ensure it
accurately shows if / when a user has modified their profile. In addition,
its corresponding filter has been updated so allow records where no time
modified has been set to be added to the report.
TL-12748 Speed up password hashing when importing users in HR Import
TL-12887 Prevented date (no timezone) user profile field displaying 'not set' to match the output of other profile fields.
TL-12960 Drag and drop question images are scaled when they are too big for the available space
TL-14032 Added supports_news functionality to the demo course format
TL-14709 Changed manager job selection dialog to optionally disallow new job assignment creation
TL-14755 Added an environment test for misconfigured MSSQL databases
TL-14762 Added support for optgroups in Totara form select element
TL-14771 The length of the Seminar room name is now validated
TL-14820 Improved unit test performance and coverage for all Reportbuilder sources
TL-14947 Improved unit test coverage of DB reserved words
Bug fixes:
TL-12905 Fixed tag columns in report builder so they work with tag collections
This restricts the number of tags visible in certain report so they only
display the tags that are part of the current collection assigned to the
tag area.
TL-14039 When using Custom events, keyboard interactions no longer do the browser default action
TL-14336 Removed audience visibility checks for courses added to Learning Plans
This change is to bring Learning Plans in line with the behaviour that
already exists within Programs and Certifications.
TL-14341 Fixed page ordering for draft appraisals without stage due dates
TL-14361 Fixed Seminar direct enrolment not allowing enrolments after upgrade
TL-14379 Fixed double encoding of report names on "My Reports" page
TL-14435 Fixed the use of an unexpected recordset when removing Seminar attendees
TL-14446 Fixed incorrect link to Course using audience visibility when viewing a Program
TL-14680 Hide manager reservation link when seminar event is cancelled
TL-14701 Removed unused 'timemodified' form element from learning plan competencies
TL-14713 Fixed escape character escaping within the "sql_like_escape" database function
TL-14719 Prevented duplicate form ID attributes from being output on initial load and dynamic dialog forms
TL-14735 JavaScript pix helper now converts pix icons that only supply the icon name to flex icons
TL-14741 Fixed a php open_basedir restriction issue when used with HR Import directory check
TL-14750 Fixed restricted access based on quizzes using the require passing grade completion criteria
Previously, quizzes using the completion criteria "require passing grade"
were simply being marked as complete instead of as passed/failed. Since
they were correctly being marked as complete this had very little effect
except for restricted access. If a second activity had restricted access
based on the quiz where it required "complete with a passing grade", access
was never granted. This patch fixes that going forwards. To avoid making
assumptions about users completions, existing completion records have been
left alone. These can be manually checked with the upcoming completion
editor. In the mean time, if you are using the quiz completion criteria
"require passing grade" without the secondary "or all attempts used",
changing the access restriction to "Quiz must be marked as complete" will
have the same effect.
TL-14765 Retrieving a counted recordset now works with a wider selection of queries
TL-14778 Added new strings to the Seminar language pack to ease translation
Several strings being used by the Seminar module from the main language
have now been copied and are included in the Seminar language files in
order to allow them to be translated specifically for Seminar activities.
TL-14794 Fixed Seminar list under course activity
TL-14798 Ensured html entities are removed for export in the orderedlist_to_newline display class
TL-14803 Fixed certificate custom text to support multi-language content
TL-14804 Fixed issue with null in deleted column when using HR import
When importing an element using database HR Import if there is a null in
the database column a database write error was thrown. Now a null value
will be treated as 0 (not deleted).
TL-14806 Ensured when enabling or disabling an HR Import element, the notification is not incorrectly displayed multiple times
TL-14809 Corrected typos within graph custom settings inline help
TL-14814 Close button in YUI dialogs is fully contained within the header bar
TL-14929 Fixed the display of available activities if the user holds the viewhiddenactivities capability
Previously available and visible activities were shown to the user as
hidden (dimmed) if the user held the viewhiddenactivities capability,
despite the activity being both visible and available.
Activities are now shown as visible correctly when the user can both access
them and holds the above mentioned capability.
TL-14933 Fixed problems with temporary tables when using 4byte unicode collations in MySQL
TL-14934 Fixed a coding error when using fasthashing for passwords in HR Import
TL-14990 Fixed the course progress icon Report Builder column
TL-14993 Prevented all access to the admin pages from the guest user
TL-15014 Fixed inconsistencies in counted recordsets across all databases
The total count result is now consistent across all databases when
providing an offset greater than the total number of rows.
TL-15036 Added missing column type descriptor in the Totara Connect report source
Miscellaneous Moodle fixes:
TL-11598 MDL-53304: Only show quiz answer "Check" button when it can be available
TL-14919 MDL-59409: Fixed access control on admin categories
TL-14920 MDL-56565: Prevented other users' username being displayed when manipulating URLs
TL-14927 MDL-59456: Fixed a CAS authentication bypass issue when running against an old CAS server
Contributions:
* Alex Glover at Kineo UK - TL-14341
* Artur Rietz at Webanywhere - TL-14398
* Jo Jones at Kineo UK - TL-14432
* Russell England at Kineo USA - TL-14435
* Pavel Tsakalidis for proposing the approach used in TL-6834
Security issues:
TL-9391 Made file access in programs stricter
Restricted File access in programs to:
* Users that are not logged in cannot see any files in programs.
* Users who are not assigned can only see the summary and overview files
* Only users who can view hidden programs can see the files in programs
that are not visible
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used and legacy logging was enabled,
entries recorded to the logs for failed log in attempts included the
supplied password in plain text. This is no longer recorded.
The password was not added to entries in other logs included with Totara
aside from the legacy log.
Performance improvement:
TL-2821 Capability to configure a second database connection for Report Builder
It is now possible to configure a second database connection for use by
Report Builder.
The purpose of this secondary connection is so that you can direct the main
Report Builder queries at a read-only database clone.
The upside of which is that you can isolate the database access related
performance cost of Report Builder to an isolated database server.
This in turn prevents the expensive report builder queries from being
executed on the primary database, hopefully leading to a better user
experience on high concurrency sites.
These settings should be considered highly advanced.
Support cannot be provided on configuring a read only slave, you will need
in house expertise to achieve this.
Those wishing to use the second database connection can find instructions
for it within config-dist.php.
TL-6834 Improved the performance of Report Builder reports by avoiding unnecessary count queries
Previously when displaying a report in the browser the report query would
be executed either two or three times.
Once to get the filtered count of results.
Potentially once more to get the unfiltered count of results.
Once to get the first page of data.
The report page, and all embedded reports now use a new counted recordset
query that gives the first page of data and the filtered count of results
in a single query, preventing the need to run the expensive report query to
get the filtered count.
Additionally TL-14791 prevents the need to run the query to get the
unfiltered count unless the site administrator has explicitly requested it
and the report creator explicitly turned it on for that report.
This reduction of expensive queries greatly improves the performance of
viewing a report in the browser.
TL-14237 Fixed an SQL error when caching a report with Job Assignment fields
Removed an issue where caching of a report failed due to the SQL failing.
This is only for the User's Position(s), User's Organisation(s), User's
Manager(s) and User's Appraiser(s) filters.
TL-14398 Report Builder source caching is now user specific
Previously the Report Builder source cache was shared between users.
When scheduled reports were being run this could lead to several issues,
notably incorrect results when applying filters, and performance issues.
The cache is now user specific. This consumes more memory but fixes the
user specific scheduled reports and improves overall performance when
generating scheduled reports created by many users.
TL-14421 Improved the performance of the Site log report source when the event name filter was available
The "Event name" filter has been changed from an option selector to a
freetext filter improving the performance of the site log report.
TL-14432 Improved performance when generating report caches for reports with text based columns
Previously all fields within a Report Builder cache had an index created
upon them.
This included both text and blob type fields and duly could lead to
degraded performance or even failure when trying to populate a Report
Builder cache.
As of this release indexes are no longer created for text or blob type
columns.
This may slow down the export of a full cached report on some databases if
the report contains many text or blob columns, but will greatly improve the
overall performance of the cache generation and help avoid memory
limitations in all databases.
TL-14744 Fixed a JavaScript bug within the enhanced course catalog when no filters are available
TL-14761 New better performing Job columns
Several new Job columns have been added to the available user columns in
reports that can include user columns.
The new Job columns can be found under the "User" option group, the
available columns are as follows:
* User's Position Name(s)
* User's Position ID Numbers(s)
* User's Organisation Name(s)
* User's Organisation ID Numbers(s)
* User's Manager Name(s)
* User's Appraiser Name(s)
* User's Temporary Manager Name(s)
* Job assignments
There are already several Job columns available in many sources, however
they operate slightly differently and perform very poorly on large sites.
The new columns have nearly the same result, but are calculated much more
quickly. In testing they were between 70-90% faster than the current
columns.
There is only one difference between the new and old columns and that is
how they are sorted when the user had multiple jobs.
The old columns all sorted the information in the column by the Job sort
order. This meant that all of the old columns were sorted in the same way
and the information aligned across multiple columns.
The new columns sort the data alphabetically, which means that when viewing
multiple columns the first organisation and the first position may not
belong to the same Job.
We strongly recommend that all reports use the new columns.
This needs to be done manually by changing from the Job columns shown under
"All User's Job Assignments" to those appearing under "User".
If you must use the old columns please be aware that performance,
particularly on MySQL and MSSQL could be a major issue on large sites.
The old fields are now deprecated and will be removed after the release of
Totara 10.
TL-14780 Fixed the unnecessary use of LIKE within course category filter multichoice
The course category multichoice filter was unnecessarily using like for
category path conditions.
It can use = and has been converted to do so, improving the overall
performance of the report when this filter is in use.
TL-14791 Report Builder reports no longer show a total count by default
The total unfiltered count of records is no longer shown alongside the
filtered count in Report Builder reports.
If you want this functionality back then you must first turn on "Allow
Report Builder reports to show Total Count" at the site level, and then for
each report where you want it displayed edit the report and turn on
"Display a Total Count of records" (found under the Performance tab).
Please be aware that for performance reasons we recommend you leave these
settings off.
TL-14793 Filters which are not compatible with report caching can now prevent report caching
Previously filters that were not compatible with report caching, such as
those filters using correlated subqueries, could be added to a report and
report caching turned on.
This either lead to an error or poor performance.
When such a filter is in use in a report, report caching is now prevented.
TL-14816 Added detection of filters that prevent report caching
Report Builder now reviews the filters that are being used on a report that
is configured to be cached before attempting to generate the cache in order
to check if the filter is compatible with caching.
If the filter is not compatible with caching then the report will not use
caching.
This prevents errors being encountered when trying to filter a cached
report for filters that are not compatible with caching.
TL-14824 Improved the performance of the Site logs report source
Several columns in the Site logs report source were requiring additional
fields that did not perform well, and were not actually required for the
display of the columns in the report.
These additional fields have been removed, improving the performance of the
Site logs report source.
New features:
TL-11096 New signup with approval authentication plugin
Thanks to Learning Pool for providing an initial plugin which informed the
design of this piece of work.
The new auth_approved plugin is similar to the existing auth_email plugin.
However, the auth_approved plugin has an approval process in which the
applicant gets a system access only if an approver approves of the signup.
The approver is any system user that has the new auth/approved:approve
capability. In addition, if the user also has the
totara/hierarchy:assignuserposition capability, he can change the
organisation/position/manager details that the applicant provided in his
signup.
The new plugin also has features to bulk approve or reject signups as well
as send custom emails to potential system users.
Finally, the new plugin also defines a report source that can be used as a
basis for custom reports.
Improvements:
TL-3212 Improved notification template field behavior for seminar activity
TL-11294 Added additional link text to the previous certification completions column when viewing a users record of learning
TL-11295 Added accessibility link text to the previous program completions column when viewing a user's record of learning
TL-12659 Added labels to linked component checkboxes in learning plans
TL-12748 Speed up password hashing when importing users in HR Import
TL-12960 Drag and drop question images are scaled when they are too big for the available space
TL-14709 Changed manager job selection dialog to optionally disallow new job assignment creation
TL-14755 Added an environment test for misconfigured MSSQL databases
TL-14762 Added support for optgroups in Totara form select element
TL-14820 Improved unit test performance and coverage for all Reportbuilder sources
TL-14947 Improved unit test coverage of DB reserved words
Bug fixes:
TL-14336 Removed audience visibility checks for courses added to Learning Plans
This change is to bring Learning Plans in line with the behaviour that
already exists within Programs and Certifications.
TL-14341 Fixed page ordering for draft appraisals without stage due dates
TL-14361 Fixed Seminar direct enrolment not allowing enrolments after upgrade
TL-14379 Fixed double encoding of report names on "My Reports" page
TL-14435 Fixed the use of an unexpected recordset when removing Seminar attendees
TL-14446 Fixed incorrect link to Course using audience visibility when viewing a Program
TL-14680 Hide manager reservation link when seminar event is cancelled
TL-14701 Removed unused 'timemodified' form element from learning plan competencies
TL-14713 Fixed escape character escaping within the "sql_like_escape" database function
TL-14719 Prevented duplicate form ID attributes from being output on initial load and dynamic dialog forms
TL-14735 JavaScript pix helper now converts pix icons that only supply the icon name to flex icons
TL-14741 Fixed a php open_basedir restriction issue when used with HR Import directory check
TL-14750 Fixed restricted access based on quizzes using the require passing grade completion criteria
Previously, quizzes using the completion criteria "require passing grade"
were simply being marked as complete instead of as passed/failed. Since
they were correctly being marked as complete this had very little effect
except for restricted access. If a second activity had restricted access
based on the quiz where it required "complete with a passing grade", access
was never granted. This patch fixes that going forwards. To avoid making
assumptions about users completions, existing completion records have been
left alone. These can be manually checked with the upcoming completion
editor. In the mean time, if you are using the quiz completion criteria
"require passing grade" without the secondary "or all attempts used",
changing the access restriction to "Quiz must be marked as complete" will
have the same effect.
TL-14765 Retrieving a counted recordset now works with a wider selection of queries
TL-14778 Added new strings to the Seminar language pack to ease translation
Several strings being used by the Seminar module from the main language
have now been copied and are included in the Seminar language files in
order to allow them to be translated specifically for Seminar activities.
TL-14794 Fixed Seminar list under course activity
TL-14798 Ensured html entities are removed for export in the orderedlist_to_newline display class
TL-14803 Fixed certificate custom text to support multi-language content
TL-14804 Fixed issue with null in deleted column when using HR import
When importing an element using database HR Import if there is a null in
the database column a database write error was thrown. Now a null value
will be treated as 0 (not deleted).
TL-14806 Ensured when enabling or disabling an HR Import element, the notification is not incorrectly displayed multiple times
TL-14809 Corrected typos within graph custom settings inline help
TL-14814 Close button in YUI dialogs is fully contained within the header bar
TL-14929 Fixed the display of available activities if the user holds the viewhiddenactivities capability
Previously available and visible activities were shown to the user as
hidden (dimmed) if the user held the viewhiddenactivities capability,
despite the activity being both visible and available.
Activities are now shown as visible correctly when the user can both access
them and holds the above mentioned capability.
TL-14934 Fixed a coding error when using fasthashing for passwords in HR Import
TL-14993 Prevented all access to the admin pages from the guest user
TL-15014 Fixed inconsistencies in counted recordsets across all databases
The total count result is now consistent across all databases when
providing an offset greater than the total number of rows.
TL-15036 Added missing column type descriptor in the Totara Connect report source
Miscellaneous Moodle fixes:
TL-14920 MDL-56565: Prevented other users' username being displayed when manipulating URLs
TL-14927 MDL-59456: Fixed a CAS authentication bypass issue when running against an old CAS server
Contributions:
* Alex Glover at Kineo UK - TL-14341
* Artur Rietz at Webanywhere - TL-14398
* Jo Jones at Kineo UK - TL-14432
* Russell England at Kineo USA - TL-14435
* Pavel Tsakalidis for proposing the approach used in TL-6834
Important:
TL-14946 The webdav_locks table has been dropped from the database
The webdav_locks table has been dropped from the database.
It is a legacy table from Totara 1.1 and has never been used in Totara 2 or
above.
It had already been dropped from Totara 9 and 10.
The decision was made to drop the table from stable branches as it
contained a field that was using a name that had become a reserved word in
modern databases.
By dropping this unused table we can help ensure that database upgrades
will not be problematic in the supported stable releases.
Security issues:
TL-9391 Made file access in programs stricter
Restricted File access in programs to:
* Users that are not logged in cannot see any files in programs.
* Users who are not assigned can only see the summary and overview files
* Only users who can view hidden programs can see the files in programs
that are not visible
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used and legacy logging was enabled,
entries recorded to the logs for failed log in attempts included the
supplied password in plain text. This is no longer recorded.
The password was not added to entries in other logs included with Totara
aside from the legacy log.
Performance improvement:
TL-6834 Improved the performance of Report Builder reports by avoiding unnecessary count queries
Previously when displaying a report in the browser the report query would
be executed either two or three times.
Once to get the filtered count of results.
Potentially once more to get the unfiltered count of results.
Once to get the first page of data.
The report page, and all embedded reports now use a new counted recordset
query that gives the first page of data and the filtered count of results
in a single query, preventing the need to run the expensive report query to
get the filtered count.
Additionally TL-14791 which is included in 9.9 and above prevents the need
to run the query to get the unfiltered count unless the site administrator
has explicitly requested it and the report creator explicitly turned it on
for that report.
This reduction of expensive queries greatly improves the performance of
viewing a report in the browser.
TL-14398 Report Builder source caching is now user specific
Previously the Report Builder source cache was shared between users.
When scheduled reports were being run this could lead to several issues,
notably incorrect results when applying filters, and performance issues.
The cache is now user specific. This consumes more memory but fixes the
user specific scheduled reports and improves overall performance when
generating scheduled reports created by many users.
TL-14780 Fixed the unnecessary use of LIKE within course category filter multichoice
The course category multichoice filter was unnecessarily using like for
category path conditions.
It can use = and has been converted to do so, improving the overall
performance of the report when this filter is in use.
Improvements:
TL-14755 Added an environment test for misconfigured MSSQL databases
Bug fixes:
TL-14341 Fixed page ordering for draft appraisals without stage due dates
TL-14701 Removed unused 'timemodified' form element from learning plan competencies
TL-14713 Fixed escape character escaping within the "sql_like_escape" database function
TL-14750 Fixed restricted access based on quizzes using the require passing grade completion criteria
Previously, quizzes using the completion criteria "require passing grade"
were simply being marked as complete instead of as passed/failed. Since
they were correctly being marked as complete this had very little effect
except for restricted access. If a second activity had restricted access
based on the quiz where it required "complete with a passing grade", access
was never granted. This patch fixes that going forwards. To avoid making
assumptions about users completions, existing completion records have been
left alone. These can be manually checked with the upcoming completion
editor. In the mean time, if you are using the quiz completion criteria
"require passing grade" without the secondary "or all attempts used",
changing the access restriction to "Quiz must be marked as complete" will
have the same effect.
TL-14765 Retrieving a counted recordset now works with a wider selection of queries
TL-14803 Fixed certificate custom text to support multi-language content
TL-14809 Corrected typos within graph custom settings inline help
TL-14993 Prevented all access to the admin pages from the guest user
TL-15014 Fixed inconsistencies in counted recordsets across all databases
The total count result is now consistent across all databases when
providing an offset greater than the total number of rows.
TL-15036 Added missing column type descriptor in the Totara Connect report source
Miscellaneous Moodle fixes:
TL-14927 MDL-59456: Fixed a CAS authentication bypass issue when running against an old CAS server
Contributions:
* Alex Glover at Kineo UK - TL-14341
* Artur Rietz at Webanywhere - TL-14398
Important:
TL-14946 The webdav_locks table has been dropped from the database
The webdav_locks table has been dropped from the database.
It is a legacy table from Totara 1.1 and has never been used in Totara 2 or
above.
It had already been dropped from Totara 9 and 10.
The decision was made to drop the table from stable branches as it
contained a field that was using a name that had become a reserved word in
modern databases.
By dropping this unused table we can help ensure that database upgrades
will not be problematic in the supported stable releases.
Security issues:
TL-9391 Made file access in programs stricter
Restricted File access in programs to:
* Users that are not logged in cannot see any files in programs.
* Users who are not assigned can only see the summary and overview files
* Only users who can view hidden programs can see the files in programs
that are not visible
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used and legacy logging was enabled,
entries recorded to the logs for failed log in attempts included the
supplied password in plain text. This is no longer recorded.
The password was not added to entries in other logs included with Totara
aside from the legacy log.
Performance improvement:
TL-6834 Improved the performance of Report Builder reports by avoiding unnecessary count queries
Previously when displaying a report in the browser the report query would
be executed either two or three times.
Once to get the filtered count of results.
Potentially once more to get the unfiltered count of results.
Once to get the first page of data.
The report page, and all embedded reports now use a new counted recordset
query that gives the first page of data and the filtered count of results
in a single query, preventing the need to run the expensive report query to
get the filtered count.
Additionally TL-14791 which is included in 9.9 and above prevents the need
to run the query to get the unfiltered count unless the site administrator
has explicitly requested it and the report creator explicitly turned it on
for that report.
This reduction of expensive queries greatly improves the performance of
viewing a report in the browser.
Improvements:
TL-14755 Added an environment test for misconfigured MSSQL databases
Bug fixes:
TL-14341 Fixed page ordering for draft appraisals without stage due dates
TL-14701 Removed unused 'timemodified' form element from learning plan competencies
TL-14713 Fixed escape character escaping within the "sql_like_escape" database function
TL-14765 Retrieving a counted recordset now works with a wider selection of queries
TL-14803 Fixed certificate custom text to support multi-language content
TL-14993 Prevented all access to the admin pages from the guest user
TL-15014 Fixed inconsistencies in counted recordsets across all databases
The total count result is now consistent across all databases when
providing an offset greater than the total number of rows.
TL-15036 Added missing column type descriptor in the Totara Connect report source
Miscellaneous Moodle fixes:
TL-14927 MDL-59456: Fixed a CAS authentication bypass issue when running against an old CAS server
Contributions:
* Alex Glover at Kineo UK - TL-14341
Important:
TL-14946 The webdav_locks table has been dropped from the database
The webdav_locks table has been dropped from the database.
It is a legacy table from Totara 1.1 and has never been used in Totara 2 or
above.
It had already been dropped from Totara 9 and 10.
The decision was made to drop the table from stable branches as it
contained a field that was using a name that had become a reserved word in
modern databases.
By dropping this unused table we can help ensure that database upgrades
will not be problematic in the supported stable releases.
Security issues:
TL-9391 Made file access in programs stricter
Restricted File access in programs to:
* Users that are not logged in cannot see any files in programs.
* Users who are not assigned can only see the summary and overview files
* Only users who can view hidden programs can see the files in programs
that are not visible
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used, entries recorded to the logs for
failed log in attempts included the supplied password in plain text. This
is no longer recorded.
Bug fixes:
TL-14765 Retrieving a counted recordset now works with a wider selection of queries
TL-14932 Removed PHP 5.4+ only array syntax from the course overview block
TL-14993 Prevented all access to the admin pages from the guest user
Contributions:
* Francis Devine at Catalyst NZ - TL-14932
Important:
TL-14946 The webdav_locks table has been dropped from the database
The webdav_locks table has been dropped from the database.
It is a legacy table from Totara 1.1 and has never been used in Totara 2 or
above.
It had already been dropped from Totara 9 and 10.
The decision was made to drop the table from stable branches as it
contained a field that was using a name that had become a reserved word in
modern databases.
By dropping this unused table we can help ensure that database upgrades
will not be problematic in the supported stable releases.
Security issues:
TL-9391 Made file access in programs stricter
Restricted File access in programs to:
* Users that are not logged in cannot see any files in programs.
* Users who are not assigned can only see the summary and overview files
* Only users who can view hidden programs can see the files in programs
that are not visible
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used, entries recorded to the logs for
failed log in attempts included the supplied password in plain text. This
is no longer recorded.
Bug fixes:
TL-14736 Removed PHP 5.4+ only array syntax from the personal goals form
TL-14932 Removed PHP 5.4+ only array syntax from the course overview block
TL-14993 Prevented all access to the admin pages from the guest user
Contributions:
* Francis Devine at Catalyst NZ - TL-14736, TL-14932
Important:
TL-14946 The webdav_locks table has been dropped from the database
The webdav_locks table has been dropped from the database.
It is a legacy table from Totara 1.1 and has never been used in Totara 2 or
above.
It had already been dropped from Totara 9 and 10.
The decision was made to drop the table from stable branches as it
contained a field that was using a name that had become a reserved word in
modern databases.
By dropping this unused table we can help ensure that database upgrades
will not be problematic in the supported stable releases.
Security issues:
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used, entries recorded to the logs for
failed log in attempts included the supplied password in plain text. This
is no longer recorded.
Bug fixes:
TL-14993 Prevented all access to the admin pages from the guest user
Important:
TL-14946 The webdav_locks table has been dropped from the database
The webdav_locks table has been dropped from the database.
It is a legacy table from Totara 1.1 and has never been used in Totara 2 or
above.
It had already been dropped from Totara 9 and 10.
The decision was made to drop the table from stable branches as it
contained a field that was using a name that had become a reserved word in
modern databases.
By dropping this unused table we can help ensure that database upgrades
will not be problematic in the supported stable releases.
Security issues:
TL-12940 Applied account lockout threshold when using webservice authentication
Previously, the account lockout threshold, for number of incorrect
passwords, was not taken into account when webservice authentication was
being used. The account lockout functionality now applies to webservice
authentication. Please note that this refers to the authentication type
that allows users to log in with username and password, not when accessing
their account using a webservice token.
TL-12942 Stopped the supplied passwords being logged in failed web services authentication
When web service authentication was used, entries recorded to the logs for
failed log in attempts included the supplied password in plain text. This
is no longer recorded.