Hello Everyone,
The following versions of Totara have now been released:
* Evergreen-20180514
* 11.3
* 10.9
* 9.20
* 2.9.32
* 2.7.40
* 2.6.57
* 2.5.64
* 2.4.63
* 2.2.67
These versions do contain security fixes and for this reason we strongly recommend upgrading. Each release also includes bug fixes and improvements.
Thanks to the following people for their contributions to this release:
* Marcin Czarnecki at Kineo UK - TL-17387
Kind Regards,
David Curry
Release Evergreen (14th May 2018):
Key: + Evergreen only
Security issues:
TL-17382 Mustache str, pix, and flex helpers no longer support recursive helpers
A serious security issue was found in the way in which the String, Pix
icon, and Flex icon Mustache helpers processed variable data.
An attacker could craft content that would use this parsing to instantiate
unexpected helpers and allow them to access context data they should not be
able to access, and in some cases to allow them to get malicious JavaScript
into pages viewed by other users.
Failed attempts to get malicious JavaScript into the page could still lead
to parsing issues, encoding issues, and JSON encoding issues, some of which
may lead to other exploits.
To fix this all three Mustache helpers have been rewritten with new secure
APIs.
The old APIs will continue to function in Totara 11, and below.
In this Evergreen release and above the new APIs should be used, as the
old APIs have been deprecated to ensure templates are secure.
The API changes are as follows. In all cases all core uses have been
converted already.
If you are using customisations that make use of mustache templates and any
of the following helpers we recommend you review those templates as part of
the upgrade process.
String helper
-------------
Old API: {{#str}}Identifier, Component, $a (either a string or json
containing user data){{/str}}
New API: {{#str}}Identifier, Component, A identifier, A component{{/str}}
Change notes:
It is no longer allowed to pass JSON encoded data as $a, nor to put user
data variables into it.
The old API has been deprecated; code using it will continue to work but
debugging notices will be generated.
Support for the old API will be removed in the future.
The new API replaces the $a argument with two new arguments that allow a
second string to be specified, allowing for one string to be used within
another.
Conversion notes:
If you are not using $a you don't need to change anything.
Otherwise if you need to use user data variables within a string you must
now prepare the string and include it within the context data. This will
need to be done in the PHP handler, and the JS handler if there is one.
You should ensure that you sanitise and clean any user data you are using
within a string.
Flex icon helper
----------------
Old API: {{#flex_icon}}Identifier, JSON data (which can contain user
data){{/flex_icon}}
New API: {{#flex_icon}}Identifier, Alt identifier, Alt component,
classes{{/flex_icon}}
Change notes:
Providing JSON encoded data is no longer supported. Nor can user data
variables be passed as any argument.
The old API has been deprecated; code using it will continue to work but
debugging notices will be generated.
Support for the old API will be removed in the future.
Conversion notes:
For common uses of the helper the new API should be suitable, and
conversion to it is easy. Alt identifier and alt component are a string
identifier and component that point to the alt string in the language
system.
Classes is a string containing a space-separated list of classes.
If you need to set additional HTML attributes, or use user data in the alt
text then you will need to change your template so that it no longer uses
the helper, and instead uses the flex icon template as a partial.
You can find more information about this in our document on flex icons:
https://help.totaralearning.com/display/DEV/Flexible+Icons+API
Pix icon helper
---------------
Old API: {{#pix}}Identifier, Component, Alt text{{/pix}}
New API: {{#pix}}Identifier, Component, Alt identifier, Alt
component{{/pix}}
Change notes:
Alt text must now point to a translated string, and can no longer contain
user data variables.
The new API now accepts a string identifier and component pointing to a
translated string to use as alt text.
The old API has been deprecated; code using it will continue to work but
debugging notices will be generated.
Support for the old API will be removed in the future.
Conversion notes:
If the string is a translated string then conversion to the new API should
be simple.
If you need to use user data variables within the alt text you must now
prepare the string and include it within the context data, and change the
template to use the pix icon partial template instead of the helper.
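Added example (not part of the original release notes and not Totara code):
a Python script that scans a customised Mustache template for the helper
usages TL-17382 asks you to review. The sample template, the component name
local_example and the rule names are constructed for illustration.

```python
"""Audit Mustache templates for {{#str}}, {{#pix}} and {{#flex_icon}} usages
that the TL-17382 notes say need review. Illustrative, not Totara's own code."""
import re
from typing import List, NamedTuple

# The three helper blocks named in the release notes.
HELPER_BLOCK = re.compile(
    r"\{\{#\s*(str|pix|flex_icon)\s*\}\}(.*?)\{\{/\s*\1\s*\}\}", re.DOTALL
)
# Any Mustache tag nested in a helper body: {{var}}, {{{var}}}, {{#section}}.
NESTED_TAG = re.compile(r"\{\{\{?\s*[#^/&>]?\s*[\w.\-]+\s*\}?\}\}")
# A JSON-looking object, checked after nested tags have been blanked out.
JSON_OBJECT = re.compile(r"\{\s*\"")


class Finding(NamedTuple):
    line: int      # 1-based line where the helper block starts
    helper: str    # str, pix or flex_icon
    rule: str      # constructed rule name, see audit_template()
    snippet: str   # the helper block with whitespace collapsed


def audit_template(source: str) -> List[Finding]:
    """Return one Finding per rule hit in each helper block.

    Rules (names are this example's own):
      nested-tag-in-helper    a context variable or tag is passed to a helper
      json-argument           JSON encoded data is passed (old str/flex_icon API)
      old-api-third-argument  str/pix called with three arguments (old API shape)
    """
    findings = []
    for match in HELPER_BLOCK.finditer(source):
        helper, body = match.group(1), match.group(2)
        line = source.count("\n", 0, match.start()) + 1
        snippet = " ".join(match.group(0).split())

        if NESTED_TAG.search(body):
            findings.append(Finding(line, helper, "nested-tag-in-helper", snippet))

        # Blank nested tags first so "{{" is not mistaken for a JSON brace.
        stripped = NESTED_TAG.sub("", body)
        if JSON_OBJECT.search(stripped):
            findings.append(Finding(line, helper, "json-argument", snippet))
        elif helper in ("str", "pix"):
            # Old API: three arguments ($a or literal alt text as the third).
            # New API: identifier, component, then a second identifier/component.
            if len(body.split(",")) == 3:
                findings.append(
                    Finding(line, helper, "old-api-third-argument", snippet)
                )
    return findings


def lines_needing_review(source: str) -> List[int]:
    """Sorted, de-duplicated line numbers that have at least one finding."""
    return sorted({f.line for f in audit_template(source)})


# Constructed sample template mixing old-API and new-API calls.
SAMPLE_TEMPLATE = "\n".join([
    '<h2>{{#str}}welcome, local_example{{/str}}</h2>',
    '<p>{{#str}}greeting, local_example, {{fullname}}{{/str}}</p>',
    '<p>{{#str}}enrolled, local_example, {"name": "{{fullname}}"}{{/str}}</p>',
    '{{#flex_icon}}edit, {"alt": "{{alttext}}"}{{/flex_icon}}',
    '{{#flex_icon}}edit, edit, core, ft-size-200{{/flex_icon}}',
    '{{#pix}}i/info, core, Information about {{fullname}}{{/pix}}',
    '{{#pix}}i/info, core, info, local_example{{/pix}}',
])

if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        print(f"line {f.line}: [{f.rule}] {f.snippet}")
```

A finding marks a helper call for manual review; whether the variable
actually carries user data has to be checked in the PHP or JS handler that
builds the context.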
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Improvements:
TL-12620 Automated the selection of job assignments upon a user's assignment to an appraisal when possible
When an appraisal is activated or when learners are dynamically or manually
added to an active appraisal, a learner's job assignment is now
automatically linked to their appraisal assignment. Before this change, the
learner had to open the appraisal for this to happen.
This will only come into effect if the setting "Allow multiple job
assignments" is turned OFF.
If a user has multiple job assignments, this automatic assignment will not
apply. If a user has no job assignment, an empty job assignment will still
be automatically created.
TL-16139 + Added the ability to add icons into static tiles in the featured links block
In the edit content form of a featured links block, there is now an option
to select an icon that will show in the background at various sizes. The
available icons are all from the themes that have been installed.
TL-16140 + Added the ability for gallery tiles in the featured links block to contain other tiles
Gallery tile content is now based on other tiles rather than a set of
images. Each tile in a gallery tile still has all the normal configuration
and visibility associated with it, along with an additional meta tile
interface for any tile that can contain other tiles. This is so that meta
tiles can define that they cannot contain other meta tiles. There is a new
database column for parentid added to the block_totara_featured_links_tiles
table, this remembers the relationship between the gallery tile and sub
tiles.
Note: If there are any custom tiles based on the gallery tile then there is
a high probability that they will no longer work as they used to, as the
templates and structure have changed.
TL-16143 + Added more configuration options to the Gallery Tile in the Featured Links block
Options Added:
* Transition
** Fade
** Slide
* Order
** Random
** Sequential
* Controls
** Prev/Next (Arrows on side of tile)
** Position indicator (Dots at the bottom)
* Autoplay (Whether the gallery tile should automatically move)
* Repeat (If the tile should go back to the start when it gets to the
end)
* Pause on hover (if hovering over the tile then it will stop moving)
The switcher.js JavaScript that changes the gallery tile has been rewritten
to use the 3rd party library Slick. This caused large changes to the
structure of the HTML as Slick added a number of elements.
TL-16178 + Atto autosave notifications now use standardised components
This will require themes using Less inheritance to re-compile their CSS.
TL-16344 Implemented user data item for the "Self-registration with approval" authentication plugin
TL-16356 Implemented user data item for the database module
TL-16738 Implemented user data items for grades
The following user data items have been introduced:
* Grades - This item takes care of the Gradebook records, supporting both
export and purge.
* Temp import - This item is a fail-safe cleanup for the tables which are
used by grade import script for temporary storage, supporting only purge.
* Improved Individual assignments item - This item includes feedback and
grades awarded via advanced grading (Guide and Rubric), supporting both
purge and export.
TL-16912 + Added JavaScript polyfill in IE11 to support basic ECMAScript 6 functionality
More information can be found here:
https://help.totaralearning.com/display/DEV/ES+6+functionality
TL-16958 Updated language strings to replace outdated references to system roles
This issue is a follow up to TL-16582 with further updates to language
strings to ensure any outdated references to system roles are corrected
and consistent, in particular changing student to learner and teacher to
trainer.
TL-17142 Enabled use of the HTML editor when creating site policy statements and added the ability to preview
An HTML editor is now used when adding and editing Site Policy statements
and translations. A preview function was also added. This enables the
policy creator to view how the policy will be rendered to users.
Anyone upgrading from an earlier version of Totara 11 who has previously
added site policies and wants to use HTML formatting will need to:
* Edit the policy text
* The text will still be displayed in a text editor, but you will have an
option to change the entered format
* Make sure you have a copy of the current text somewhere (copy/paste)
* Change the format to "HTML format"
* Save and re-open the policy OR Preview and click "Continue editing". The
policy text will be shown in the HTML editor but will most likely contain
no formatting
* Replace the current (unformatted) text by pasting back in the copy of
the original text
* Save
TL-17383 Improved the wording and grouping of user data items
TL-17450 + Added full width top and bottom block regions to the homepage and dashboard
In addition to existing block regions (side-pre, main, side-post), there
are now 2 new regions (top, bottom) that can show blocks as well.
Note: Just because existing blocks can be shown in these regions does not
mean those blocks are suited to these areas. There could be excess space or
undesirable aesthetics involved. The best blocks for these new regions are
those that can display their information in wide columns, for example
tabular data, listings or banners.
Bug fixes:
TL-6476 Removed the weekday-textual and month-textual options from the data source selector for report builder graphs
The is_graphable() method was changed to return false for the
weekday-textual and month-textual options, stopping them from being
selected in the data source of a graph. This will not change existing
graphs that contain these fields; however, if they are edited then a new
data source will have to be chosen. You can still display the weekday or
month in a data source by using the numeric form.
TL-15037 Fixed name_link display function of the "Event name" column for the site log report source
The Event name (linked to event source) column in the Site Logs reporting
source was not fully restoring the event data.
TL-17387 Fixed managers not being able to allocate reserved spaces when an event was fully booked
TL-17442 Ensured that the 'deleted' field is displayed correctly in the list of source fields for HR Import
TL-17458 Fixed a PHP undefined property notice, $allow_delete within the HR Import source settings
TL-17471 Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
TL-17485 Stopped irrelevant instructions being shown on some of the plan component detail pages
The plan header includes instructions about the component and adding a new
one. For objectives, competencies, and programs, the instructions were
being shown on both the main page, which lists the component items, and the
detail page for each item. These instructions were confusing and irrelevant
on the details pages so they have been removed.
TL-17487 Fixed the completion progress bar not updating the percentage correctly in the "Record of Learning: Courses" report
TL-17509 Fixed the time assigned column for program and certification report sources
The time assigned column for the program completion, program overview,
certification completion, and certification overview sources previously
displayed the data for timestarted. This patch has two main parts:
1) Changes the default header of the current column to "Time started" to be
consistent with what it displays
2) Adds a new column "Time assigned" to the report source that displays the
expected data
This means that any existing sites that have a report based on one of the
affected sources may want to edit the columns for the report and either add
or switch over to the new time assigned column.
TL-17522 Fixed inconsistent styling on the "Add new objective" button in learning plans
The padding on the "Add new objective" button was inconsistent with the
same button in other components. The missing class has been added to make
the styling consistent.
TL-17528 Removed some duplicated content from the audience member alert notification
TL-17534 Stopped time being added by the Totara form utc10 date picker
TL-16921 introduced the date time pickers of the utc10 Totara form element.
As an unintended consequence, the time was being added by the input element,
which caused validation to fail. This patch stops the time being added by
the date picker.
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Contributions:
* Marcin Czarnecki at Kineo UK - TL-17387
Release 11.3 (14th May 2018):
Security issues:
TL-17382 Mustache str, pix, and flex helpers no longer support recursive helpers
A serious security issue was found in the way in which the String, Pix
icon, and Flex icon Mustache helpers processed variable data.
An attacker could craft content that would use this parsing to instantiate
unexpected helpers and allow them to access context data they should not be
able to access, and in some cases to allow them to get malicious JavaScript
into pages viewed by other users.
Failed attempts to get malicious JavaScript into the page could still lead
to parsing issues, encoding issues, and JSON encoding issues, some of which
may lead to other exploits.
To fix this all uses of these three mustache helpers in core code have been
reviewed, and any uses of them that were using user data variables have
been updated to ensure that they are secure.
In this month's Evergreen release and above the API for these three helpers
has been revised. User data variables can no longer be used in Mustache
template helpers.
We strongly recommend all users review any customisations they have that
make use of Mustache templates to ensure that any helpers being used don't
make use of context data variables coming from user input.
If you find helpers that are using variables containing user data we
strongly recommend preparing new pre-resolved context variables in PHP or
JavaScript and not passing that information through the helpers.
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Improvements:
TL-12620 Automated the selection of job assignments upon a user's assignment to an appraisal when possible
When an appraisal is activated or when learners are dynamically or manually
added to an active appraisal, a learner's job assignment is now
automatically linked to their appraisal assignment. Before this change, the
learner had to open the appraisal for this to happen.
This will only come into effect if the setting "Allow multiple job
assignments" is turned OFF.
If a user has multiple job assignments, this automatic assignment will not
apply. If a user has no job assignment, an empty job assignment will still
be automatically created.
TL-16344 Implemented user data item for the "Self-registration with approval" authentication plugin
TL-16356 Implemented user data item for the database module
TL-16738 Implemented user data items for grades
The following user data items have been introduced:
* Grades - This item takes care of the Gradebook records, supporting both
export and purge.
* Temp import - This item is a fail-safe cleanup for the tables which are
used by grade import script for temporary storage, supporting only purge.
* Improved Individual assignments item - This item includes feedback and
grades awarded via advanced grading (Guide and Rubric), supporting both
purge and export.
TL-16958 Updated language strings to replace outdated references to system roles
This issue is a follow up to TL-16582 with further updates to language
strings to ensure any outdated references to system roles are corrected
and consistent, in particular changing student to learner and teacher to
trainer.
TL-17142 Enabled use of the HTML editor when creating site policy statements and added the ability to preview
An HTML editor is now used when adding and editing Site Policy statements
and translations. A preview function was also added. This enables the
policy creator to view how the policy will be rendered to users.
Anyone upgrading from an earlier version of Totara 11 who has previously
added site policies and wants to use HTML formatting will need to:
* Edit the policy text
* The text will still be displayed in a text editor, but you will have an
option to change the entered format
* Make sure you have a copy of the current text somewhere (copy/paste)
* Change the format to "HTML format"
* Save and re-open the policy OR Preview and click "Continue editing". The
policy text will be shown in the HTML editor but will most likely contain
no formatting
* Replace the current (unformatted) text by pasting back in the copy of
the original text
* Save
TL-17383 Improved the wording and grouping of user data items
Bug fixes:
TL-6476 Removed the weekday-textual and month-textual options from the data source selector for report builder graphs
The is_graphable() method was changed to return false for the
weekday-textual and month-textual options, stopping them from being
selected in the data source of a graph. This will not change existing
graphs that contain these fields; however, if they are edited then a new
data source will have to be chosen. You can still display the weekday or
month in a data source by using the numeric form.
TL-15037 Fixed name_link display function of the "Event name" column for the site log report source
The Event name (linked to event source) column in the Site Logs reporting
source was not fully restoring the event data.
TL-17387 Fixed managers not being able to allocate reserved spaces when an event was fully booked
TL-17442 Ensured that the 'deleted' field is displayed correctly in the list of source fields for HR Import
TL-17458 Fixed a PHP undefined property notice, $allow_delete within the HR Import source settings
TL-17471 Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
TL-17485 Stopped irrelevant instructions being shown on some of the plan component detail pages
The plan header includes instructions about the component and adding a new
one. For objectives, competencies, and programs, the instructions were
being shown on both the main page, which lists the component items, and the
detail page for each item. These instructions were confusing and irrelevant
on the details pages so they have been removed.
TL-17487 Fixed the completion progress bar not updating the percentage correctly in the "Record of Learning: Courses" report
TL-17509 Fixed the time assigned column for program and certification report sources
The time assigned column for the program completion, program overview,
certification completion, and certification overview sources previously
displayed the data for timestarted. This patch has two main parts:
1) Changes the default header of the current column to "Time started" to be
consistent with what it displays
2) Adds a new column "Time assigned" to the report source that displays the
expected data
This means that any existing sites that have a report based on one of the
affected sources may want to edit the columns for the report and either add
or switch over to the new time assigned column.
TL-17522 Fixed inconsistent styling on the "Add new objective" button in learning plans
The padding on the "Add new objective" button was inconsistent with the
same button in other components. The missing class has been added to make
the styling consistent.
TL-17528 Removed some duplicated content from the audience member alert notification
TL-17534 Stopped time being added by the Totara form utc10 date picker
TL-16921 introduced the date time pickers of the utc10 Totara form element.
As an unintended consequence, the time was being added by the input element,
which caused validation to fail. This patch stops the time being added by
the date picker.
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Contributions:
* Marcin Czarnecki at Kineo UK - TL-17387
Release 10.9 (14th May 2018):
Security issues:
TL-17382 Mustache str, pix, and flex helpers no longer support recursive helpers
A serious security issue was found in the way in which the String, Pix
icon, and Flex icon Mustache helpers processed variable data.
An attacker could craft content that would use this parsing to instantiate
unexpected helpers and allow them to access context data they should not be
able to access, and in some cases to allow them to get malicious JavaScript
into pages viewed by other users.
Failed attempts to get malicious JavaScript into the page could still lead
to parsing issues, encoding issues, and JSON encoding issues, some of which
may lead to other exploits.
To fix this all uses of these three mustache helpers in core code have been
reviewed, and any uses of them that were using user data variables have
been updated to ensure that they are secure.
In this month's Evergreen release and above the API for these three helpers
has been revised. User data variables can no longer be used in Mustache
template helpers.
We strongly recommend all users review any customisations they have that
make use of Mustache templates to ensure that any helpers being used don't
make use of context data variables coming from user input.
If you find helpers that are using variables containing user data we
strongly recommend preparing new pre-resolved context variables in PHP or
JavaScript and not passing that information through the helpers.
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Improvements:
TL-16958 Updated language strings to replace outdated references to system roles
This issue is a follow up to TL-16582 with further updates to language
strings to ensure any outdated references to system roles are corrected
and consistent, in particular changing student to learner and teacher to
trainer.
Bug fixes:
TL-6476 Removed the weekday-textual and month-textual options from the data source selector for report builder graphs
The is_graphable() method was changed to return false for the
weekday-textual and month-textual options, stopping them from being
selected in the data source of a graph. This will not change existing
graphs that contain these fields; however, if they are edited then a new
data source will have to be chosen. You can still display the weekday or
month in a data source by using the numeric form.
TL-15037 Fixed name_link display function of the "Event name" column for the site log report source
The Event name (linked to event source) column in the Site Logs reporting
source was not fully restoring the event data.
TL-17387 Fixed managers not being able to allocate reserved spaces when an event was fully booked
TL-17471 Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
TL-17485 Stopped irrelevant instructions being shown on some of the plan component detail pages
The plan header includes instructions about the component and adding a new
one. For objectives, competencies, and programs, the instructions were
being shown on both the main page, which lists the component items, and the
detail page for each item. These instructions were confusing and irrelevant
on the details pages so they have been removed.
TL-17487 Fixed the completion progress bar not updating the percentage correctly in the "Record of Learning: Courses" report
TL-17509 Fixed the time assigned column for program and certification report sources
The time assigned column for the program completion, program overview,
certification completion, and certification overview sources previously
displayed the data for timestarted. This patch has two main parts:
1) Changes the default header of the current column to "Time started" to be
consistent with what it displays
2) Adds a new column "Time assigned" to the report source that displays the
expected data
This means that any existing sites that have a report based on one of the
affected sources may want to edit the columns for the report and either add
or switch over to the new time assigned column.
TL-17522 Fixed inconsistent styling on the "Add new objective" button in learning plans
The padding on the "Add new objective" button was inconsistent with the
same button in other components. The missing class has been added to make
the styling consistent.
TL-17528 Removed some duplicated content from the audience member alert notification
TL-17534 Stopped time being added by the Totara form utc10 date picker
TL-16921 introduced the date time pickers of the utc10 Totara form element.
As an unintended consequence, the time was being added by the input element,
which caused validation to fail. This patch stops the time being added by
the date picker.
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Contributions:
* Marcin Czarnecki at Kineo UK - TL-17387
Release 9.20 (14th May 2018):
Security issues:
TL-17382 Mustache str, pix, and flex helpers no longer support recursive helpers
A serious security issue was found in the way in which the String, Pix
icon, and Flex icon Mustache helpers processed variable data.
An attacker could craft content that would use this parsing to instantiate
unexpected helpers and allow them to access context data they should not be
able to access, and in some cases to allow them to get malicious JavaScript
into pages viewed by other users.
Failed attempts to get malicious JavaScript into the page could still lead
to parsing issues, encoding issues, and JSON encoding issues, some of which
may lead to other exploits.
To fix this all uses of these three mustache helpers in core code have been
reviewed, and any uses of them that were using user data variables have
been updated to ensure that they are secure.
In this month's Evergreen release and above the API for these three helpers
has been revised. User data variables can no longer be used in Mustache
template helpers.
We strongly recommend all users review any customisations they have that
make use of Mustache templates to ensure that any helpers being used don't
make use of context data variables coming from user input.
If you find helpers that are using variables containing user data we
strongly recommend preparing new pre-resolved context variables in PHP or
JavaScript and not passing that information through the helpers.
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Improvements:
TL-16958 Updated language strings to replace outdated references to system roles
This issue is a follow up to TL-16582 with further updates to language
strings to ensure any outdated references to system roles are corrected
and consistent, in particular changing student to learner and teacher to
trainer.
Bug fixes:
TL-6476 Removed the weekday-textual and month-textual options from the data source selector for report builder graphs
The is_graphable() method was changed to return false for the
weekday-textual and month-textual options, stopping them from being
selected in the data source of a graph. This will not change existing
graphs that contain these fields; however, if they are edited then a new
data source will have to be chosen. You can still display the weekday or
month in a data source by using the numeric form.
TL-15037 Fixed name_link display function of the "Event name" column for the site log report source
The Event name (linked to event source) column in the Site Logs reporting
source was not fully restoring the event data.
TL-17387 Fixed managers not being able to allocate reserved spaces when an event was fully booked
TL-17471 Fixed Google reCAPTCHA v2 for the "self registration with approval" authentication plugin
TL-17528 Removed some duplicated content from the audience member alert notification
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Contributions:
* Marcin Czarnecki at Kineo UK - TL-17387
Release 2.9.32 (14th May 2018):
Security issues:
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Improvements:
TL-16958 Updated language strings to replace outdated references to system roles
This issue is a follow up to TL-16582 with further updates to language
strings to ensure any outdated references to system roles are corrected
and consistent, in particular changing student to learner and teacher to
trainer.
Bug fixes:
TL-6476 Removed the weekday-textual and month-textual options from the data source selector for report builder graphs
The is_graphable() method was changed to return false for the
weekday-textual and month-textual options, stopping them from being
selected in the data source of a graph. This will not change existing
graphs that contain these fields; however, if they are edited then a new
data source will have to be chosen. You can still display the weekday or
month in a data source by using the numeric form.
TL-17387 Fixed managers not being able to allocate reserved spaces when an event was fully booked
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Contributions:
* Marcin Czarnecki at Kineo UK - TL-17387
:
TL-17389
Release 2.7.40 (14th May 2018):
Security issues:
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Bug fixes:
TL-6476 Removed the weekday-textual and month-textual options from the data source selector for report builder graphs
The is_graphable() method was changed to return false for the
weekday-textual and month-textual options, stopping them from being
selected in the data source of a graph. This will not change existing
graphs that contain these fields; however, if they are edited, a new data
source will have to be chosen. You can still display the weekday or month
in a data source by using the numeric form.
TL-17387 Fixed managers not being able to allocate reserved spaces when an event was fully booked
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Contributions:
* Marcin Czarnecki at Kineo UK - TL-17387
Release 2.6.57 (14th May 2018):
Security issues:
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Bug fixes:
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Release 2.5.64 (14th May 2018):
Security issues:
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Bug fixes:
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Release 2.4.63 (14th May 2018):
Security issues:
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
TL-17527 Seminar attendance can no longer be used to export sensitive user data
Previously it was possible for a site administrator to configure Seminar
attendance exports to contain sensitive user data, such as a user's hashed
password. User fields containing sensitive data can no longer be included
in Seminar attendance exports.
Bug fixes:
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
Release 2.2.67 (14th May 2018):
Security issues:
TL-17436 Added additional validation on caller component when exporting to portfolio
TL-17440 Added additional validation when exporting forum attachments using portfolio plugins
TL-17445 Added additional validation when exporting assignments using portfolio plugins
Bug fixes:
TL-17535 Fixed hard-coded links to the community site that were not being redirected properly
